The new ‘General Data Protection Regulation’ (GDPR) will come into effect on 25 May 2018, providing a unified data protection legislation across all EU member states. The GDPR imposes increased protections for the handling of data and restrictions on the transfer of personal data outside the EU, to third countries or international organizations. The GDPR will change the way organizations collect, use, and manage personal data from the EU and companies processing personal data will need to take a measured approach on how they process and protect personal data moving forward. At Taulia, we are committed to GDPR compliance when it comes into force on May 25. This is how we’re getting ready.
We are dedicated to providing transparency, maintaining security, and building trust. Team members from across the entire Taulia organization have worked together to develop and implement GDPR compliance plan to get the organization and product ready to meet new security and privacy requirements. This includes:
- verifying that our privacy practices are appropriate through initial data mapping exercises and further conducting Privacy Impact Assessments (PIA) to assess how we collect, process and store personal data and determine potential privacy impacts
- receiving certification to the EU-U.S. Privacy Shield framework for customer-related personal data processed by Taulia. This provides customers with the option of relying on the framework for the transfer of data from the EU to the U.S.
- conducting security and privacy reviews of our vendors contracts and entering into a GDPR-ready Data Processing Agreements (DPA) with vendors who process personal data to provide EU-compliant contractual protections
- providing continuous training to our employees, especially our engineer and product teams, on privacy and security requirements
We understand that our customers in the EU and beyond are affected by this change in law, and we are building on the measures already put in place for our certification under the EU-U.S. Privacy Shield. Data is core to our business and we place a high priority on protecting and managing such data according to the law. Taulia already possesses dedicated data processing instances and environments located in the European Union. We are putting into place the processes required to ensure that the rights of data subjects under the GDPR will be fully respected. Processing of personal data in the Taulia eInvoicing and working capital management solutions is very limited, and always within the B2B context. For the vast majority of data subjects, Taulia will hold only their name and business email address. The GDPR requirements for this, and any other personal data that is processed by Taulia, have been analyzed and a data inventory compiled, with efforts continuing to ensure that each processing step has been documented in compliance with the GDPR.
Taulia is backed by security controls designed to protect your data, and we undergo an annual SSAE16 audit, resulting in SOC1/SOC2 Type 2 audit reports.