GDPR Policy

We are GDPR compliant

The General Data Protection Regulation (GDPR) came into full effect on May 25, 2018. The legislation affects both companies in the EU and organizations anywhere that process or track, in any way, EU/EEA residents’ data. The current version of the regulation (the official PDF file) can be found here.

The law is aimed at securing EU citizens’ personal data in a standardized way. It requires companies, small businesses and enterprises alike, to comply with a comprehensive set of protection rules. It obligates every firm working with EU personal data, irrespective of its location, to audit its data processing systems regularly and to report every failure and data breach promptly. AlignTogether fully supports the EU Parliament's decision to strengthen data security. We have always been committed to protecting clients' records; we consider this new regulation a force for good, and we will go out of our way to comply fully with every aspect of this landmark piece of legislation.

What exactly does GDPR entail?

It puts an obligation on companies to be introspective and to review carefully each procedure they have in place that concerns clients’ data. CEOs must reassess the way information is collected and disclose to the public how each piece of data flows through their organization.

Transparency lies at the heart of the GDPR, and so does the user’s control over their own data.

Companies can no longer assume consent when, for example, they want to send an email to a potential client. They may only use personal addresses (and other sensitive data) after explicit permission has been given: a user must actively opt in to receive notifications, and website disclaimers, no matter how detailed, will not suffice.

In addition, EU residents have the right to have their personal information permanently deleted from all of a company's databases.

As a data controller, here's what you must do for GDPR compliance

  1. Raise company-wide awareness of the GDPR; inform colleagues about the rules and implications of the new law;
  2. Convey the severity of the legislation’s impact to the board; convince directors that resources must be put into transforming data processing activities;
  3. Seek legal advice to determine precisely your firm’s obligations under the GDPR;
  4. Check whether you are required to appoint a Data Protection Officer;
  5. Set up procedures that enable detecting, investigating and reporting data breaches within 72 hours;
  6. Keep yourself (and your employees) updated on amendments to the regulatory guidance (once it is available);
  7. Only work with software vendors (and other data processors) that provide an adequate level of data security.

What happens if I don’t comply?

Those failing to meet GDPR requirements may face substantial penalties. Namely, they may be forced to pay:

  1. 2% of their annual gross revenue or €10m (whichever is greater)
  2. 4% of their annual gross revenue or €20m (whichever is greater)

The severity of the penalty depends on the nature of the infringement.

The regulators may levy a fine of the higher of 2% of a company's annual turnover or €10m when the non-compliance concerns technical measures, such as breach notification.

If there is non-compliance with the core GDPR principles, say an infringement of clients’ rights or inadequate data processing, the fine will be the greater of 4% of the firm’s annual gross revenue or €20m.

How does AlignTogether protect your data?

  1. We ensure the security of our office data infrastructure by implementing data protection frameworks;
  2. We use anonymization and pseudonymization techniques to de-identify data;
  3. We’ve updated company policies so that we’re capable of handling data subject requests within the time frames introduced by the GDPR;
  4. We’ve adopted a Privacy by Design stance; our data processing activities, including re-engineering, are fully compliant with the GDPR;
  5. We’ve set up new breach notification procedures and adopted the tools necessary to investigate data compromises within the 72-hour notification period.