On May 25, 2018, the General Data Protection Regulation (“GDPR”) will become effective in the European Economic Area (“EEA”). This new regulation builds on the strong data privacy regulations that have already been in place in the EEA since 1995. The GDPR provides important new and strengthened protections for those residing in the EEA whose data may be collected, moved, stored and processed from and to anywhere in the world.
As a global company, TRG is committed to enhancing our privacy safeguards as necessary to comply with the GDPR as well as the many other laws related to protecting this important individual right throughout the world.
As expected, many of our customers have enquired as to what our plans are and whether we intend to make any changes that will impact our customers. In an effort to update our customers on our commitment and progress, we have put together this document to confirm our commitment to GDPR and the security of our customers in the EEA and around the world and to provide an understanding of what we are doing to achieve this goal.
TRG’s approach to GDPR compliance and readiness is broken down into 3 areas as outlined below.
In August 2017, TRG began assessing our business. The purpose of this exercise was to catalogue all of the business’ current storage and processing of personal data. This activity also included a review of GDPR compliance for all third parties that are a part of TRG’s supply chain. At the conclusion of that assessment, our Governance and Risk Committee put together a set of recommendations for improvements to our policies and processes to ensure our compliance with GDPR.
A key step in the enhanced compliance requirements is making sure we have documented each place where we are processing personal data and recording our justification for such processing (i.e., consumer consent, performance of a contract, etc.). TRG has completed this phase with a full inventory of all personally identifiable information (“PII”) along with documented justifications for its use.
We also work with all identified third parties (sub-processors) that are a part of our supply chain to ensure proper controls and contractual commitments are in place.
The final step in our preparation is to verify proper controls are in place to ensure the protection of PII in all phases of its lifecycle and that TRG has mechanisms in place to comply with the various GDPR requirements. TRG maintains a mature Information Security Management System (“ISMS”) based on the ISO/IEC 27001:2013 standard which has been certified compliant by an independent certification body.
TRG is currently working to ensure that processes are in place to be able to respond to information requests on what specific information is stored on behalf of EEA citizens and that we are able to comply with requests for corrections or to be forgotten (or that we as “processors” are able to support such requests made to our clients as “controllers”).
If you have any questions regarding Information Security or GDPR at TRG, please email firstname.lastname@example.org.