GDPR roles and definitions relating to Zycus:
GDPR applies to Controllers and Processors established in the EU, and also to Controllers and Processors outside the EU where the processing relates either to offering goods or services to data subjects in the EU (whether or not payment is required) or to monitoring the behaviour of individuals, as far as that behaviour takes place within the EU.
GDPR is specific about the duties of the Controller and the Processor. Article 28(3) requires a written contract between the Controller and the Processor that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of both parties.
Article 4 EU GDPR defines data controllers and data processors as below:
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In other words, the data controller determines the purposes for which, and the means by which, personal data is processed, and the data processor processes personal data only on the controller's behalf. The data processor is usually a third party external to the controller's organisation.
In general, the controller remains responsible for all personal data it collects and must ensure, through its contract with the processor, that the rights of the data subject and the controller's own legal obligations are also honoured by the processor.
The Data Processing Agreement matters because it makes both parties' responsibilities and liabilities explicit. When customers use Zycus applications (the Source to Pay suite of procurement performance solutions), the customer is the data controller and Zycus acts as a data processor on the customer's behalf under a Data Processing Addendum.
ZYCUS’ DATA PROCESSING AGREEMENT (DPA)
Zycus is committed to having a Data Processing Agreement executed with each of its customers. You can find Zycus’ Data Processing Agreement (DPA) here.
The terms of Zycus’ Data Processing Agreement are designed so that processing carried out by Zycus as a processor meets the requirements of the GDPR, not only those concerned with keeping personal data secure. Having a DPA with these required terms in place is one of the ways we meet our obligations under the GDPR.
PREPARING FOR EUROPE’S BIGGEST EVER CHANGE TO DATA REGULATIONS – How Zycus is getting ready for GDPR
At Zycus we operate a security programme designed to protect the data of our prospects and customers from compromise. We know that security is crucial to you; it is therefore a top priority for us and fundamental to the operation of Zycus. We devote significant resources to continually improving our security infrastructure so that our customers' information remains secure and private.
Standards and Specifications
Zycus relies on SSAE 16 SOC 1 and SOC 2 Type II audits and reports to build trust and confidence. The SOC 1 Type II report provides reasonable assurance over the effectiveness of the controls at Zycus that are directly or indirectly relevant to our customers' financial reporting. The SOC 2 Type II report provides reasonable assurance over the controls relevant to the Trust Services Principles of Service Organization Control (security, availability and confidentiality). Because a Type II report covers the operating effectiveness of these controls over a period of time, rather than only their design at a point in time, it is the more comprehensive of the two SOC 2 report types. With our SOC 1 and SOC 2 audit reports, we can give our customers independent evidence that we meet demanding requirements for the security, availability and confidentiality of their information.
Zycus also follows the ISO 27001:2013 ISMS standard and has developed its policies and procedures on that framework. Zycus is in the process of incorporating a GDPR compliance management structure into our current ISMF, a cross-functional group that represents all key areas of the business. The current ISMS risk management process is also under review so that it incorporates privacy risk management.
Key pointers surrounding GDPR pertaining to Zycus
Personal Data Processing
As a cloud solution provider, Zycus implements the accountability and technical measures appropriate to a processor. This includes maintaining records of processing activities (GDPR Article 30) and supporting the assessment of the impact of processing on privacy.
Zycus treats the Data Processing Addendum (DPA) as a significant part of the customer contract. The DPA gives the customer data protection assurances and incorporates the standard contractual clauses into the contract.
Zycus employees are required to complete data protection and privacy/security awareness training annually. This training covers privacy principles and security topics.
Zycus solutions protect the confidentiality, integrity and availability of customer data and maintain the accountability measures above on an ongoing basis.