Here at Sungard Availability Services we take our legal responsibilities and duty of care to you as a customer seriously. For some time, we have been busy making preparations to ensure we will be ready to fulfil our obligations under the EU’s General Data Protection Regulation (GDPR) as a ‘processor’ of customer data when it comes into force in May. Additionally, like your own business, Sungard AS also has ‘controller’ obligations relating to the handling of our employees’ personal data.
Some time ago, we established a dedicated GDPR taskforce to identify what action needed to be taken. As you would expect, Sungard AS already complies with EU data privacy laws but we recognised the need to enhance some components of the compliance programme to meet GDPR requirements.
For example, one key obligation as a data ‘controller’ is to identify all the systems that store and process personal data and maintain an up-to-date registry. This sounds simple but it’s a considerable undertaking for a forty-year-old business with numerous legacy systems that are used globally with regional variations. Complicating matters further, our business operations in Costa Rica and India mean personal data is shared outside of the EU. Consequently, we are engaging with both internal and external advisors to keep our process on track and on time.
GDPR training and monitoring
We have been running tailormade GDPR training courses to raise awareness among Sungard AS staff about the impact of the legislation on our business. Our staff have already undergone extensive training, including a course specifically relating to privacy to ensure a consistent level of understanding across Sungard AS’ business, with further training to be carried out in January. Additionally, all employees will be required to undertake a compulsory online course.
After this, we will carry out role-based training for specific business functions such as sales, HR, recruitment, marketing, procurement and the contracts team.
Ongoing monitoring and enforcement is vital, and our GDPR taskforce is working with the internal audit team to identify key metrics that can be regularly assessed to demonstrate compliance.
We are constantly improving our security programme to address the increasingly sophisticated threat landscape and prevent data breaches. Furthermore, in line with business continuity best practice, we have well-rehearsed incident response plans in place, which would be activated in the unlikely event of an identified personal data breach. We are planning to conduct a table top exercise of our Data Breach Response Plan in the first quarter of the year that will put forth a variety of scenarios specific to compliance with the Notice obligations under GDPR, as well as other Global Data Privacy laws relevant to our business.
Changes you will see
There will be some changes to contract wording, but we do not anticipate needing to make any changes to our service delivery model. You may notice greater transparency about the way we fulfil our contract obligations as a processor. As well as explaining the details of our service offerings, Sungard AS is committed to explaining how we discharge our responsibilities as a processor so you can evaluate how well we do this in order to determine whether the measures we have taken to comply with GDPR are appropriate for the Personal Data processing contemplated by using our services.
Patricia Boujoukos, global chief compliance officer for Sungard AS, assures customers, “Our dedicated project team is working diligently to achieve full GDPR compliance by May 2018. We are open to any questions or requests by customers, so please get in touch if you’d like more information.”
If you have a query about Sungard AS’ GDPR compliance, please contact your account manager in the first instance or email firstname.lastname@example.org.