General Data Protection Regulation
Grasp Technologies and GDPR
The European Union (EU) General Data Protection Regulation (GDPR), made effective May 25, 2018, provides EU residents a greater say over what, how, why, where, and when their personal data is used, processed and disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect data. Grasp Technologies is aware of its role in providing the right tools and processes to support its users and customers to help them meet their GDPR mandates.
At Grasp Technologies, we have always honored our customers' right to data privacy and protection. We have never used ads or advertising as a revenue stream. We have never served ads to our users, and never intend to, which means that we do not need to collect and process users' personal information beyond what is required for the functioning of our products and our clients' requirements.
Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards Safe Harbors, EU Privacy Shield, and PCI compliance. We have strong Data Processing Agreements which have been revised to meet the requirements of GDPR. Grasp Technologies participates in and has certified its compliance with the EU-US Privacy Shield Framework concerning the data transfer to the US. We recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.
Grasp Technologies consolidates travel data on behalf of TMC and corporate customers. These data sets are derived from travel agencies, credit card companies, expense management companies, GDSs, and other data sources related to travel transactions. In this capacity, Grasp Technologies does not own or control any of the information it processes on behalf of Grasp Technologies' customers, defining Grasp Technologies as a processor under GDPR guidelines. All such information is owned and controlled by Grasp Technologies' customers. In this capacity, Grasp Technologies receives information transferred from the EU to the United States merely as a processor/consolidator on behalf of Grasp Technologies' customers.
How does Grasp Technologies meet GDPR compliance?
Identifying personal data – Defining the purview of personal data for each application and data set and documenting the various data sources has provided a roadmap for compliance.
Providing visibility and transparency – The most critical aspect of GDPR is how the collected data is used. As a data processor, Grasp Technologies' role is to provide our customers (data controllers) with access to manage and protect their user data. Grasp Technologies continues to make product enhancements without compromising on performance to provide better transparency to our customers.
Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. As our customers tightened their data security measures, Grasp Technologies has extended a helping hand. We’ve streamlined the processes for our GraspCLOUD application by implementing IT policies and procedures that provide end-to-end security.
Data Masking – SQL Server’s 2016 security feature dynamic data masking is applied to Grasp Technologies' sensitive fields within the Grasp Technologies databases. The GraspDATA application interface can show masked or unmasked data based upon the application user’s login role. An application user is assigned to a data masked or unmasked role within the GraspDATA application and application roles. Non-administrative SQL Server and Active directory logins with direct access to the SQL Servers are mapped to specific SQL Server security roles that will directly prevent the visibility of sensitive data fields when querying SQL Server databases.
What does this mean for our customers?
As your partner, we want to help you make your GDPR process as seamless as possible from the Grasp Technologies side so that you don’t have to worry about compliance and can focus on running your business. With the product enhancements and security protocols references instituted, Grasp Technologies clients can have confidence that Grasp Technologies is GDPR Compliant.