On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. GDPR addresses the rights that individuals have regarding personal data related to them and seeks to unify data protection laws across Europe, regardless of where data is processed. There are various requirements under GDPR, including requirements around consent, data transfer, data security and breach notification. GDPR will help ensure that individuals have provided consent on how their data is being used, held and transferred to other locations or parties, as well as how they are notified when companies breach the rules.
Data Subjects, Data Controllers, Data Processors
Under GDPR, there are stronger responsibilities for handling personal data of EU individuals (“data subjects”). Organizations that collect and process personal data from individuals are “data controllers”. Service providers who process personal data on behalf of the data controller are “data processors”. When we collect and process personal data on behalf of our clients, we take the role of “data processor”, while our clients who collect and process personal data from EU individuals are “data controllers”. Both data controllers and data processors have shared GDPR responsibilities to data subjects. Epiq, as a data processor, has undertaken the following compliance measures to ensure Epiq meets its GDPR requirements:
- Privacy Shield certification imposes appropriate safeguards for data transfers from the EU to the US. In addition, for all non-US, non-EU affiliates, Epiq has standard model contractual clauses between each EU affiliate and each non-EU affiliate to ensure that appropriate safeguards are in place for the transfer of data across borders;
- Standard security questionnaire and a data processing addendum are included in all client services agreements to define responsibilities and expectations;
- Security measures are maintained as outlined in the data processing addendum provided by Epiq which meet or exceed the GDPR and other requirements;
- Robust organization-wide privacy program helps to protect the privacy of all client data it receives;
- Data Privacy Impact Assessment process for new processing activities;
- Breach communication plan to notify clients of an information breach within the adequate and required GDPR breach notification timeline;
- Data encryption and anonymization measures are documented and implemented where feasible to ensure personal information is not processed unlawfully or in excess of what is requested by the data controller;
- Data subject rights processes have been implemented to meet access, rectification and erasure requests by integrating the customer care function required by GDPR.
Since inception, Epiq has been proactive in designing and building security into our products, networks and services. Epiq seeks to lead in defining and implementing best practices for cybersecurity. The GDPR coming into effect allows us to reiterate our mission of remaining secure and providing our customers with the privacy they deserve.
For more information, please review our Privacy Statement.