General Data Protection Regulation

Grasp’s GDPR Readiness

Introduction

The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. Grasp is well aware of its role in providing the right tools and processes to support its users and customers meet their GDPR mandates.

 

Grasp’s Commitment

At GRASP Technologies, we have always honored our customers’ right to data privacy and protection. We have never relied on ads or advertising as a revenue stream. We have never served ads to our users, and never intend to. This means that we have no necessity to collect and process users’ personal information beyond what is required for the functioning of our products and the requirement of you, our client.

Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards Safe Harbors, EU Privacy Shield and PCI compliance. We already have strong Data Processing Agreements, and we are revising them to meet the requirements of the GDPR. GRASP Technologies participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework with respect to transfer of data to the US. We recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.

GRASP consolidates travel data on behalf of TMC and corporate customers. These data sets are derived from travel agencies, credit card companies, expense management companies, GDSs and other data sources related to travel transactions. In this capacity, GRASP does not own or control any of the information it processes on behalf of Grasp’s clients, defining Grasp as a processor under GDPR guidelines. All such information is owned and controlled by Grasp’s clients. In this capacity GRASP receives information transferred from the EU to the United States merely as a processor/consolidator on behalf of our clients.

 

How has GRASP Technologies prepared for GDPR?

Identifying personal data – Defining the purview of personal data for each application and data set and documenting the various sources of data will go a long way in providing a roadmap for compliance in the days leading up to implementation.

Providing visibility and transparency – The most important aspect of GDPR is how the collected data is used. As a data processor, GRASP’s key role is to provide our customers (the data controllers) with the access to effectively manage and protect their user data. Grasp is exploring and providing ways to make optimal product enhancements without compromising on performance so that we can provide better transparency to our customers.

Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. As our customers tighten their data security measures, Grasp would like to extend a helping hand. We’ve streamlined the processes for our cloud applications by implementing IT policies and procedures that provide end-to-end security.

Data Masking – SQL Server’s 2016 security feature dynamic data masking is applied to Grasp identified sensitive fields within the Grasp databases.  The Grasp Data application interface has the ability to show masked or unmasked data based upon the application user’s login role.  An application user is assigned to a data masked or unmasked role within the Grasp Data application as well as the application roles.  Non administrative SQL Server and Active directory logins that have direct access to the SQL Servers are mapped to specific SQL Server security roles that will prevent the visibility of sensitive data fields when querying SQL Server databases directly.

 

What Does This Mean for Our Customers?

We understand that meeting the GDPR requirements will take a lot of time and effort, especially for our clients that are defined as “Controllers” by GDPR. As your partner, we want to help you make your process as seamless as possible from the Grasp side, so that you don’t have to worry about compliance and can focus on running your business. With the product enhancements and security protocols references above instituted, Grasp clients can have confidence that Grasp is one top of it’s requirements for GDPR.