1- GDPR and PGSSI
We don’t need to introduce the well-known General Data Protection Regulation (GDPR). Since May 2018, every organization that processes personal data on the territory of the European Union must be compliant with it. That same year, ESII therefore adopted a General Information System Security Policy (PGSSI) which stands as a reference document concerning the Personal Data Management System within the company.
ESII has taken the necessary steps to comply with data processing and security requirements. To go into more detail on this topic, we will take a concrete and critical example: our Orion SaaS solution. First, we will show how the software allows our customers' users to comply with this European regulation. Then we will look at the level of security of the hosting of the data collected by this solution.
2- Orion and GDPR
When making an appointment, a company using our Orion module collects a certain amount of information to facilitate the work of its teams.
Based on an article of the CNIL, we will see how our solution provides all the means to be compliant with the GDPR.
* Collect only the data necessary to achieve the goal
* Be transparent about the use of this data
For these two requirements, the Orion solution makes it possible to customize the fields of the registration form, so that only the personal data necessary to make the appointment is collected and the people who fill it out are informed of its use.
* Set the duration of data retention
Within the meaning of the GDPR, personal data should only be kept for as long as needed to achieve the purpose for which it was collected (in our case, the appointment). It seems normal to keep this data to identify the person upon arrival and to personalize their reception. But, once the appointment is over, what happens to this information?
First, the CNIL tells us that personal data can be anonymized in order to “use personal data while respecting the rights and freedoms of individuals”. Therefore, the Orion solution has a setting to automatically anonymize the data collected within 1 to 12 months after the appointment. In the meantime, if a user requests it, the deletion can be done manually. Only the information needed for statistical processing is kept: duration of the interview, waiting time, number of purposes for visit, etc. These data can be useful for a company, in particular as part of a quality approach to improving reception.
To go further, the Orion solution also offers to configure an automatic and complete purge between 1 and 60 months after the appointment.
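As an added illustration, not Orion's own code, the retention lifecycle described above written out in Python: records older than the configured anonymization window lose their direct identifiers but keep the statistical fields, records older than the purge window are removed entirely, and both windows are validated against the 1-12 and 1-60 month ranges. The field names, the whole-month age calculation and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Retention windows from the text: anonymize 1-12 months, purge 1-60 months after the appointment.
ANONYMIZE_RANGE = (1, 12)
PURGE_RANGE = (1, 60)

@dataclass(frozen=True)
class Appointment:
    appointment_date: date
    name: Optional[str]       # direct identifier, removed on anonymization
    email: Optional[str]      # direct identifier, removed on anonymization
    purpose: str              # the three statistical fields below are kept
    wait_minutes: int
    interview_minutes: int

def whole_months_since(d, today):
    months = (today.year - d.year) * 12 + (today.month - d.month)
    return months - 1 if today.day < d.day else months

def check_window(months, allowed):
    if not allowed[0] <= months <= allowed[1]:
        raise ValueError(f"{months} months is outside the allowed range {allowed}")
    return months

def anonymize(appt):
    # Strip direct identifiers; keep only what statistical processing needs.
    return replace(appt, name=None, email=None)

def apply_retention(records, today, anonymize_after, purge_after):
    anonymize_after = check_window(anonymize_after, ANONYMIZE_RANGE)
    purge_after = check_window(purge_after, PURGE_RANGE)
    if purge_after < anonymize_after:
        raise ValueError("purge must not happen before anonymization")
    kept = []
    for r in records:
        age = whole_months_since(r.appointment_date, today)
        if age >= purge_after:
            continue                  # purged completely, nothing kept
        if age >= anonymize_after:
            r = anonymize(r)          # identifiers gone, statistics kept
        kept.append(r)
    return kept

# Constructed sample appointments (not real data).
SAMPLE = [
    Appointment(date(2024, 1, 15), "A. Martin", "a@example.org", "renewal", 12, 20),
    Appointment(date(2024, 6, 20), "B. Durand", "b@example.org", "claim", 30, 15),
]
```

Running `apply_retention(SAMPLE, date(2024, 8, 1), 3, 12)` anonymizes the January record and leaves the June record untouched; a later run with `date(2025, 2, 1)` purges the January record and anonymizes the June one.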
3- Data hosting
While Orion leaves the professionals free to comply with the GDPR as they see fit, there is one subject on which ESII keeps the lead: hosting, since this solution works in SaaS mode and is hosted in the cloud. So we are going to show the GDPR prerequisites in this matter and how our solution complies with them.
Let’s start by saying that the Orion solution is hosted by the Ecritel company on servers located in France. This is important because since the end of 2020 the European judge has called the Privacy Shield into question, on the grounds that the legislation of a country outside the EU, in this case the USA, can allow personal data to be retrieved, in particular by a government body.
* Secure data and identify risks
The second point concerns the level of security defined for this data, from both an IT and a physical point of view (access to the company, to offices, etc.). Ecritel has received ISO 27001 certification for information security management and emphasizes its compatibility with the GDPR. On the ESII side, the PGSSI specifies the security rules for our information system, based on this same standard.
Finally, we should talk about more sensitive data that requires special treatment: health data. Indeed, ESII can equip hospitals or clinics, pharmacies, or doctors with its solutions. In this case, data security is reinforced by Ecritel with a Health Data Hosting (HDS) service, a specific certification governed by law.