Enabling Compliance with the General Data Protection Regulation (GDPR)
XD Innovation (XDI) has always recognized data protection as an important topic for its stakeholders in the digital age and understands the responsibility that comes with the handling of personal data. With the introduction of the European Union (EU) General Data Protection Regulation (GDPR), XD Innovation has extended its data protection commitment by enhancing its solutions with new capabilities that will enable its stakeholders to manage their GDPR compliance programs.
What is the GDPR?
On April 27, 2016, the Parliament and Council of the European Union adopted the EU General Data Protection Regulation (GDPR). The GDPR will be directly applicable to EU member states as of May 25, 2018, thereby ensuring a harmonized data protection standard across the EU.
The GDPR standardizes personal data protection laws and imposes strict obligations on organizations that control and process personal data. The GDPR aims to strengthen the fundamental rights of EU residents by expanding privacy rights and giving individuals control over their personal data. More information about the GDPR can be found on the European Commission Website.
How has XD Innovation addressed the GDPR?
XD Innovation has appointed a Data Protection Officer and established a cross-functional GDPR Readiness Team that has taken into account both internal and stakeholder compliance requirements. The GDPR Readiness Team is charged with:
– Managing XD Innovation's internal compliance with the GDPR, including, but not limited to, its privacy policies
– Identifying and monitoring enhancements to XD Innovation offerings, websites and communications to specifically enable customer and other stakeholder compliance with the GDPR. These enhancements include:
- Changes to access rights and security mechanisms;
- Enhancements to user consent management;
- Reinforcement of processes to request modification or deletion of personal data;
- Improvements to product documentation and user guides regarding data privacy best practices.
What is the responsibility of a data controller versus a data processor?
Designation of a person or an entity as a data controller or a data processor carries different obligations under the GDPR:
A data controller is defined as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. XD Innovation may be considered to have this role when processing personal data in its internal tools (e.g., financial systems). A data controller is also typically an organization that has licensed XD Innovation solutions and is responsible for the handling of personal data. Personal data handling is generally based on factors such as industry, statutory and regulatory requirements and the nature of the data stored. For example, data controllers need to determine when personal data should be manipulated (deleted or modified per the GDPR) or when it should be retained for record keeping or regulatory purposes.
A data processor is defined as the person or entity that processes personal data on behalf of the controller. When XD Innovation provides certain Cloud-based offerings, such as the 3DEXPERIENCE platform on the Cloud, and services to an enterprise, XD Innovation is acting as a data processor for the personal data it’s been asked to process and store. As a data processor, XD Innovation processes personal data in accordance with the GDPR, the agreement signed between parties, and the business rules that have been established by an enterprise in XD Innovation solutions.
What is the GDPR Responsibility of XD Innovation Stakeholders and Customers?
Customers who use XD Innovation offerings are ultimately responsible for determining how they will comply with the GDPR based on their specific business requirements. These requirements are based on factors such as industry, statutory and regulatory requirements, and the nature of the data stored by customers in XD Innovation offerings. Specifically, customers need to determine when personal data should be manipulated (deleted or modified per the GDPR) or when it should be retained for record keeping or regulatory purposes. It is the responsibility of XD Innovation to release its offerings with functionality that enables customers to be GDPR compliant.