General Data Protection Regulation
Enabling Compliance to the General Data Protection Regulation (GDPR)
Dassault Systèmes (3DS) has always recognized data protection as an important topic for its stakeholders in the digital age and understands the responsibility that comes with the handling of personal data. With the introduction of the European Union (EU) General Data Protection Regulation (GDPR), 3DS has extended its data protection commitment by enhancing its solutions with new capabilities that will enable its stakeholders to manage their GDPR compliance programs.
What is the GDPR?
On April 27, 2016, the Parliament and Council of the European Union adopted the EU General Data Protection Regulation (GDPR). The GDPR will be directly applicable to EU member states as of May 25, 2018, thereby ensuring a harmonized data protection standard across the EU.
The GDPR standardizes personal data protection laws and imposes strict obligations on organizations that control and process personal data. The GDPR aims to strengthen the fundamental rights of EU residents by expanding privacy rights and giving individuals control over their personal data. More information about the GDPR can be found on the European Commission Website.
How has 3DS addressed the GDPR?
3DS has appointed a Data Protection Officer and established a cross-functional GDPR Readiness Team that has taken into account both internal and stakeholder compliance requirements. The GDPR Readiness team is charged with:
- Managing 3DS internal compliance to the GDPR, including, but not limited to, its privacy policies
- Identifying and monitoring enhancements to 3DS offerings, websites and communications to specifically enable customer and other stakeholder compliance to the GDPR. These enhancements include:
- Changes to access rights and security mechanisms;
- Enhancements to user consent management;
- Reinforcement of processes to request modification or deletion of personal data;
- Improvements to product documentation and user guides regarding data privacy best practices.
What is the responsibility of a data controller versus a data processor?
Designation of a person or an entity as a data controller or data processor has different obligations under the GDPR:
A data controller is defined as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. 3DS may be considered to have this role when processing personal data in its internal tools (e.g., financial systems). A data controller is also typically an organization that has licensed 3DS solutions and is responsible for the handling of personal data. Personal data handling is generally based on factors such as industry, statutory and regulatory requirements and the nature of the data stored. For example, data controllers need to determine when personal data should be manipulated (deleted or modified per the GDPR) or when it should be retained for record keeping or regulatory purposes.
A data processor is defined as the person or entity that processes personal data on behalf of the controller. When 3DS provides certain Cloud-based offerings, such as the 3DEXPERIENCE platform on the Cloud, and services to an enterprise, 3DS is acting as a data processor for the personal data it’s been asked to process and store. As a data processor, 3DS processes personal data in accordance with the GDPR, the agreement signed between parties, and the business rules that have been established by an enterprise in 3DS solutions.
What is the GDPR Responsibility of 3DS Stakeholders and Customers?
Customers who use 3DS offerings are ultimately responsible for determining how they will comply with the GDPR based on their specific business requirements. These requirements are based on factors such as industry, statutory and regulatory requirements, and the nature of the data stored by customers in 3DS offerings. Specifically, customers need to determine when personal data should be manipulated (deleted or modified per the GDPR) or when it should be retained for record keeping or regulatory purposes. It is the responsibility of 3DS to release its 3DS offerings with functionality that enables customers to be GDPR compliant.