ASI & GDPR

ASI’s Commitment to Data Protection, Privacy, and GDPR Compliance

Since 2013, ASI has devoted significant resources to enhance our products, processes, policies, documentation, training and infrastructure to comply with global requirements, including the European Union’s General Data Protection Regulation (the “GDPR”), for handling and protecting data and personally identifiable information of our clients and employees.

Outlined below are the key steps that ASI has already taken and will continue to take as part of our commitment to the data protection and privacy of our clients’ data.

ASI Data Protection Plan

ASI maintains commercially reasonable technical and organizational measures to ensure a level of security in the iMIS software product and the ASI Hosting and Cloud Services environments. Our Data Protection Plan, first created in 2015, is an integrated, organization-wide approach to managing cybersecurity risk based on the US National Institute of Standards and Technology (NIST) cybersecurity framework. A summary of the Data Protection Plan can be found at the link below.

Data Security and Privacy Initiative

ASI’s Senior Director of Technology and Information Security leads an active Data Security and Privacy Initiative team, comprising senior management-level representatives from Legal, IT, Human Resources, Cloud Services, Customer Support, Marketing, Consulting Services, and Product Development. The Initiative team meets monthly to monitor regulatory developments, discuss progress, and report status on tasks and workstreams assigned to accountable departments. As part of this Initiative, ASI has achieved compliance with the Payment Card Industry Data Security Standards (PCI-DSS) in ASI’s regional data centres around the world, and achieved certified compliance with the European Union-United States Privacy Shield Framework.

Annual Security and Privacy Awareness Training

All ASI employees and contractors are required to participate in annual security and privacy awareness training. The content of this training is updated periodically to address the ever-evolving threat landscape and changing data protection and privacy regulatory requirements around the world.

Data Inventory and Mapping

In 2017, ASI launched its first data mapping exercise to inventory all personal data controlled or processed by ASI. As part of this data inventory and mapping exercise, ASI conducted an information audit of each department to answer the following questions:

  • What type of data is collected? (Categories of data processed)
  • Who is collecting or using that data? (Identity of data controller and processor)
  • When (and for how long) is that data being collected and used? (Data retention period)
  • Where is that data being collected and used and where does it go? (Storage locations and internal and third-party data transfers)
  • How is that data being collected and used? (Applications and programs and security measures in place)
  • Why is it being collected and used? (Purposes of processing)


This data mapping exercise resulted in a corporate data map of all personal data touched by ASI staff and systems and serves as a record of personal data processing activities. It is updated regularly to reflect the realities of current business processes and workflows.

Key Compliance Actions

In conjunction with the information audit and data mapping workstream described above, ASI has undertaken several key compliance actions, including the following:

  • ensuring that only data strictly necessary for our business purposes is collected and processed;
  • identifying the legal basis for the processing;
  • revising privacy policies and notices to make them compliant with the GDPR and other privacy laws;
  • ensuring that any data processors or sub-processors know their new obligations and responsibilities and that data processing agreements contain appropriate provisions with respect to security, confidentiality and protection of personal data;
  • deciding how data subjects will be able to grant consent and exercise their individual rights;
  • determining effective means and methods for honoring data subject access rights; and
  • verifying that appropriate security measures are in place for incident response and proper data breach notification.


ASI has also reviewed its iMIS application to identify product features that help enable organisations to meet their GDPR obligations as data controller of their constituents’ personal data.

Privacy by Design and Privacy Impact Assessments

ASI has adopted a privacy by design approach, using policies and procedures that take privacy principles into account in the initial design stages of a new project or service and throughout the processing lifecycle. In a situation where data processing for a new product or service is likely to result in high risk to individuals, ASI commits to conducting a Privacy Impact Assessment (PIA) to demonstrate compliance with the GDPR’s fundamental principles and mitigate risks to data subjects.

Compliance Documentation

To demonstrate GDPR compliance, ASI enters into a written data processing agreement with all clients for whom we act as a processor under the GDPR and retains documentation regarding the processing of personal data and our Data Protection Plan (including our data breach incident response plan).

*The information contained in this website (the “Content”) is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of the Content without seeking legal or other professional advice. The Content is general information only and may not reflect current legal developments or address your situation. We disclaim all liability for actions you take or fail to take based on any Content.