Proactivity and organisation, the driving force for GDPR compliance
In order to comply with the General Data Protection Regulation (GDPR) requirements and deadlines, the board of directors at Traveldoo have been redesigning the structure and working practices of the organisation over the past year.
The first step was to recruit a manager for all processes and procedures, and then to designate a processes and procedures change manager from within the IT management structure. This role is responsible for leading and defining the technical aspects of both the GDPR and the new Statement on Standards for Attestation Engagements 18 (SSAE 18 or ISAE 3402), which Traveldoo will implement by next March.
Published within the framework of the “Auditing Standards Board”, the SSAE 18 aims to clarify and simplify the existing service provider attestation standards.
Traveldoo is fortunate to have held the payment card industry security certification, PCI-DSS (Payment Card Industry Data Security Standard), for the last five years. This has helped us with our GDPR compliance, as many of the issues are common to both.
Finally, the board of directors brought in the services of one of the five certified international accounting & consultancy firms to support Traveldoo in its SSAE 18 certification programme and to advise on the legal aspects of the GDPR.
All Traveldoo commercial contracts have been reviewed in order to meet the legal requirements of the GDPR. It was important to ensure that they complied with all of the rules set out by the new European directive and, where they didn’t, to make changes. Any amended contracts will first be sent to customers for approval.
The most complicated part of the GDPR directive is to bring user data protection back to the heart of all business processes, whether within the company, in the use of the solution, or when exchanging data with customers or partners. It is essential to collect, share or process only the data necessary for the use of the service. No sensitive data may be collected without the explicit consent of the user, and it must be stored with the same level of criticality as bank data. This applies to customers as well as to employees, and we will apply the transformation with the same rigour to our internal processes as to those of our customers.