Copyright © 2018 Pronto Software Limited. All Rights Reserved.
What your business needs to know about compliance with the General Data Protection Regulation
The European Union (EU) has taken steps to protect the fundamental right to privacy of every EU resident with the introduction of the General Data Protection Regulation (GDPR) on 25 May, 2018.
Any organisation that works with EU residents’ personal data – irrespective of the organisation’s location – has to meet these obligations.
Key definitions in GDPR
EU residents will now have greater say over their personal data; how it is used, processed or deleted.
GDPR applies to the processing of EU citizens’ personal data by the data controller and data processor, regardless of where the data controller or data processor are located.
To review more detailed definitions and articles, please visit the European Union’s website.
> What is personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
> Who is a data controller?
A controller is the entity that determines the purposes, conditions and means of processing the personal data.
> Who is a data processor?
The processor is an entity that processes personal data on behalf of the controller. Pronto Software is addressing GDPR requirements as a data processor on our customers’ behalf who are the data controllers.
GDPR – 5 tips for data controllers:
- Familiarise yourself with the regulation
- Assess whether your business needs to appoint a Data Protection Officer (DPO)
- Review and enhance your current processes for storage and use of personal data
- Establish procedures to respond to data subjects when they exercise their rights Establish procedures for data breach notification
- Raise employee awareness on GDPR compliance
How will Pronto Software help your organisation comply with GDPR?
> Commitment to data security and Compliance
As an organisation, Pronto Software and all subsidiaries are contractually obligated to observe the principles of the Australian Privacy Act including the recent changes via the Notifiable Data Breach (NDB) scheme. The introduction of GDPR however extends the European Union’s reach to Australian organisations who hold the personal information of EU residents.
Pronto Software is investing heavily in the area of security, risk and compliance through a formal “Security, Risk and Compliance” governance structure that reports directly to the Pronto Software board.
Pronto Software will continue to be committed to safeguarding the security of its customer solutions to ensure it remains compliant with applicable legislations.
> Pronto Cloud
Pronto Cloud undertakes ASAE3402 audits with a Type II audit report produced on an annual basis. This provides independent assurance on Pronto Cloud’s controls as a service organisation.
The ASAE3402 audit is extensive and covers a broad range of information security controls to protect customer data. This includes policies and procedures, user awareness, access management, password security, physical access security, antivirus, firewall, encryption, secure data destruction and third-party management.Pronto Cloud has also achieved the ISO 27001:2013 Certification in 2019.
As part of the compliance program, a set of minimum baseline IT general controls have been established which covers the protection and security of customer data. The key components of our ASAE3402 controls are information security awareness, logical and physical access security, security measures to counter malicious electronic attacks, encryption, backup and recovery, change management, as well as sub-processor/third-party management.
In addition, Pronto Cloud undertakes annual penetration testing which is conducted by a third party security specialist to specifically undertake both internal and external network testing. The main aim of this testing it to stress test the environment to discover any potential vulnerabilities that may need to be remediated and to implement improvements to our overall security posture.
We also have an ongoing project in relation to aligning Pronto Software to the ISO 22301 standard for “Business Continuity” to ensure that we have managed our risk effectively and have all relevant procedures and documentation in place to recover our systems and customers within Pronto Software, in the event of a breach or disaster.
> Breach notification
Pronto Software already has an established Incident Management system in place and we have updated our policies and procedure as a data processor, to comply with GDPR. As part of that procedure, we will promptly notify relevant regulators and the customer, the data controller, after becoming aware of a data breach.
> Right to access
As a data processor, we will assist customers with responding to individual rights requests that they receive under the GDPR. In many cases, customers may be able address these types of requests by performing their own data management within the applicable Pronto Software application(s) and tools.
> Data portability
GDPR gives end users the right to either receive all of the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. As a data processor, we will further enhance the robustness of our capabilities to export data at an individual level.
> Privacy by design
At Pronto Software, we employ a least-privilege-access principle. Only a limited number of roles within Pronto Software are authorised to access customer environments and only when necessary, according to guidelines. As a data processor, we only process customer data according to the customer’s instructions.
For Pronto Cloud customers,
we require any Pronto Cloud sub-processor that handles personal data, including our data centre partners, to follow the same security and privacy standards we adhere to.
We store data in data centres located in Australia that are in SCEC (Security Construction and Equipment Committee) Zone 3 or higher, ISO 27001 (Information Security Management Systems), ISAE 3402 / SOC 2, and PCI DSS (Payment Card Industry Data Security Standard) certified.
Pronto Cloud employs various security measures to protect customer data such as multifactor authentication, firewall, antivirus, patching, encryption in transit and encryption at rest, vulnerability scanning, Intrusion Detection (IDS), Intrusion Prevention (IPS) and log Security Event Management (SEM).
We have various monitoring systems in place that pulse check our entire environment covering our network, physical hardware and our virtualised platform. Our systems are monitored 24/7/365 with automated alert notifications to engineers.
> Data Protection Officer
Pronto Software Limited
Level 3, 353 Burwood Hwy,
Forest Hill, VIC 3131