Security. Privacy. Peace of mind.

Although personal data may not be the first subject matter tied to these three desirable experiences, it has steadily emerged as a controversial issue equipped with grave concerns in the digital age. In response, a newfound emphasis on user consent has emerged as the vehicle for the change in the transparency we all wish to see in our modern technological pursuits, both business and pleasure.

For far too long, the topic of user consent has been sidestepped like a luxurious buzzword, hiding its true implications in the complex terms and conditions statements very few read, let alone fully digest. In turn, this has enabled tech titans to exploit the highly personal information of their customers for lucrative gain, oftentimes while feigning a semblance of innocence to the rest of the world.

Enter the General Data Protection Regulation (GDPR) – the first of what will likely be many proactive efforts ushering in a new era of digital privacy this Friday, May 25th.

What is the GDPR?
According to CSO, an online news source from IDG Communications, “GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.” This data includes basic identifiers like name, address, and ID numbers; web information, such as location, IP address, and cookie data; health, genetics, and biometrics data; racial, ethnic, and sexual orientation data; and even political views. As a result, this has launched businesses into action, enacting key changes to practices affecting personal privacy, controls and notifications, transparency of policies, information technology, and training.

Who does the GDPR affect?
Wait – this only applies to Europe, right? Wrong. And failure to comply could prove both dangerous and costly. According to Microsoft, “The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.” More specifically, this includes companies with a presence in an EU country; companies with no EU presence that use EU resident data; companies with over 250 employees; and companies with under 250 employees, when the effect of their data processing extends to sensitive personal information. Or in other words, everyone. For perspective, a survey conducted by PricewaterhouseCoopers found that a whopping 92% of American companies pegged GDPR compliance as a “top data protection priority.” And if it’s not now, chances are it will be very soon, based on the doors it may open to other regulatory standards like it.

How has LeaseTeam responded? 
To simplify things a bit further, the GDPR seeks to help the good guys to do right by their customers, while also protecting us from malicious cyberattacks by bad guys around the globe. This leads us to LeaseTeam’s (LTi) proactive approach to compliance – from the latest FASB Lease Accounting Standards in February, to now the GDPR in May – in which we strive to deliver maximum transparency to our customers, further building loyalty and trust. Keeping this in mind, here are the eight core GDPR requirements affecting what we do at LTi, along with the actions we’ve taken to ensure unwavering compliance ahead of Friday’s deadline.

GDPR Requirement:
International data transfers

LTi Compliance Solution:
To minimize international data transfers, we utilize our well-established hosting facility in the UK. This strategic response to business expansion across the pond falls in line with our efforts to reach GDPR compliance. We also maintain certification under the EU-US Privacy Shield Framework, and our data is encrypted at rest and in transit with AES-256.

GDPR Requirement:
Request consent to collect personal data

LTi Compliance Solution:
ASPIRE templates can be used to standardize best practices for privacy and consent documentation. Templates to obtain consent can be customized for web-based services at the time of collection. Additionally, LTi’s website features a checkbox for prospective customers interested in receiving marketing materials via email.

GDPR Requirement:
Retain personal data records

LTi Compliance Solution:
The ASPIRE document repository allows company controllers to maintain records of past consent and privacy notices in a clear, organized manner. ASPIRE’s transactional database simplifies tracking and processing through standard inquiry at both the contract and account level. This establishes important guidelines and provides greater transparency throughout organizations moving forward.

GDPR Requirement:
Share personal data with individuals or controllers upon request

LTi Compliance Solution:
For immediate transparency, users can quickly create ad hoc reports to electronically deliver the personal data of one or more individuals in the ASPIRE database, pending administrative approval of course. This information can then be saved and exported in various formats – whatever best serves your needs.

GDPR Requirement:
Individual right to erasure

LTi Compliance Solution:
Our customers come first, and that includes their right to be forgotten. Upon request, LeaseTeam can mask personal data within the ASPIRE database. However, it is important to first consult your organization’s Data Protection Officer or a decision-maker of similar authority regarding additional regulation for financial data or legal ground for processing.

GDPR Requirement:
Additional product and service security measures

LTi Compliance Solution:
In ASPIRE, system administrators maintain exclusive control over configuration of security profiles and access to personal data within the organization. Unless a user has permission granted through his or her security profile, either he or she will not be able to access the pages, or the individual’s data will be concealed.

GDPR Requirement:
Data breach notification

LTi Compliance Solution:
In addition to the data encryption guidelines in LTi’s Data Security Policy, our Incident Response Policy is compliant with the GDPR’s 72-hour notification requirement for data breach reporting. Our support team frequently audits our tracking database and written agreements, and may also review employee computers at random to ensure customer data is not being misused.

GDPR Requirement:
Lawful basis for processing personal data

LTi Compliance Solution:
Finally, LTi’s Privacy Statement thoroughly details the Privacy Shield principles we abide by with regard to how the visitor information gathered through our company website is collected, maintained, and utilized. For example, when visitors request additional information, LTi extends the option to include personal contact information in order to do business more effectively.

In Review
The GDPR is a European privacy law that goes into effect this Friday, May 25th.

  • At face value, the GDPR sounds like a confusing, regulatory buzzkill created by big government. But after sorting through the technical jargon, that’s clearly not the case.
  • The GDPR has the best interest of the consumer’s individual security in mind, as it will encourage better practices for handling personal data, including transparent communication in policies, reporting, information technology, and training.
  • The GDPR will help businesses do right by their customers, while also safeguarding against malicious hackers seeking to exploit sensitive information for financial gain.

At LTi, we are steadfast in our commitment to the security, privacy, and peace of mind our customers experience when working with us. We believe the GDPR’s emphasis on consent to personal data and transparency in how it is used will only advance our mission. Going forward, this will undoubtedly pave the way for similar, progressive initiatives to make our world a better place online.

Finally, we would be remiss to overlook the tremendous amount of work this created for Data Protection Officers and others of similar rank and function at companies big and small around the globe. Please be sure to give those kind souls a big handshake, high-five, or hug (whichever best suits your workplace culture) next time you see them.

Thanks, Marci!
