We at Posti Messaging understand the importance of compliance with the General Data Protection Regulation (GDPR) and are fully committed to ensuring that we meet the GDPR in our operations. We see this as both a challenge and an opportunity to showcase our commitment to the secure operation of our business and to safeguard the rights of individual data subjects in Europe.
The Posti Messaging Team, together with its parent company, Posti Oy, has developed a strategy to ensure compliance with the GDPR, and has created a special program to implement the changes required by the EU Data Protection Regulation (679/2016) before the regulation comes into force in May. Currently, Posti Messaging services are compliant with the EU member state legislation implemented under Directive 95/46/EC.
The key elements of our GDPR compliance and privacy strategy include the following:
• The appointment of a Data Protection Officer as head of privacy with sole responsibility for data privacy and protection. Support will be provided by other elements of the business and local country leaders with responsibility for data privacy.
• Posti Messaging created a GDPR deployment framework covering all required aspects, from an inventory of personal data repositories and establishing the data flows of systems, processes and partners, through risk assessment and treatment plans, to a full set of records describing security controls and processing.
• As part of the program, Posti Messaging has commenced company-wide active training, including compulsory training for all personnel on data protection and data security, plus specifically tailored privacy training for key roles, e.g. IT, HR, and business areas responsible for certain aspects of the GDPR.
• Existing data protection and privacy policies, procedures and guidelines are being reviewed to ensure that they are aligned with the GDPR.
• Posti Messaging has also commenced making the necessary changes to internal processes (e.g. relating to record keeping on processing activities and data lifecycle management), and has undertaken very detailed data mapping activities, aiming to complete data privacy impact assessments on all of its products and services in good time before the GDPR comes into force.
• Certain updates have already been made to customer terms and conditions, supplier agreement processes, data processing agreements (DPA) and other internal and external legal and compliance materials, and further updates are planned to take place in the course of the following months.
• Because many operational tasks are outsourced to partners, Posti Messaging is updating the DPA contracts and verifying subcontractors’ security controls and GDPR readiness.
• Existing IT Service Management processes, like incident management, change management or service requests, are being updated to implement mandatory data subject services and proper handling of the data privacy incident/breach response plan.
Majid Ali, Head of MESE Platform
Mirosław Błaszczak, Head of Information Security
We are happy to help you with any questions related to GDPR.
Posted by Majid Ali and Miroslaw Blaszczak - 28 February, 2018