Blog

Read blogs from our team of ReconArtists. We post on trends and items of interest to our user community.

GDPR and ReconArt – Our Commitment to Data Privacy

by Ivan Popov

GDPR: What is it all about?

The European Union’s General Data Protection Regulation (GDPR) officially comes into effect on May 25, 2018. The compliance deadline, which was a long time coming, is now only one short week away, and even in these final days the affected part of the business world has been buzzing with activity on the topic, aiming to fully understand and comply with this expansive new regulation. It’s no surprise, as the GDPR touches any and all organizations that are established in the EU and/or process personal data of EU-based individuals. It aims to standardize the framework for handling personal data, bringing new requirements for organizations and new rights for individuals.

To put it simply, the GDPR is about changing our collective, overall mindset about data privacy – what it is, who it belongs to, who is accountable for it, and what are the general requirements for dealing with it, plus the potential consequences for not dealing with it appropriately. The GDPR builds upon the 1995 EU Data Protection Directive, aiming to enhance that with the rapid technological expansion and change since then. It expressly introduces several new principles and concepts, ultimately aiming to motivate organizations to take more responsibility for protecting the personal data they handle.

ReconArt and GDPR

While every organization’s path to complying with GDPR is likely to be different (driven by factors like company size, type and amount of data it processes, current security and privacy measures, etc.), all relevant parties have specific responsibilities to analyze, implement, and maintain as part of GDPR compliance.

The ReconArt team has committed focus and resources to understanding GDPR requirements, assigning a dedicated team with legal and technical expertise to make the solution and all applicable processes compliant and to ensure Client data is protected in accordance with the ISO27001 standard and GDPR requirements.

Best practices and efforts in security and data privacy have always been a top priority at ReconArt. As an ISO27001 certified organization, ReconArt already follows some of the most widely accepted security and privacy standards and regulations in the world. According to “IAPP-OneTrust Research: Bridging ISO 27001 to GDPR”, there is significant overlap between ISO27001 and GDPR because, at their core, they both aim at “reducing risk to people and organizations caused by misuse of personal data” and thus “ISO 27001-certified organizations are well positioned to respond to many GDPR priorities”, especially in the areas of breach notification, vendor management, recordkeeping, privacy by design, and data subject rights.

ReconArt rolled out a GDPR compliance strategy for our worldwide operations, with primary focus on our operations and Clients in the European Union. Below are some of the specific initiatives that took place in order to ensure compliance with GDPR requirements:

  • Security by design: the ReconArt solution is designed in accordance with the ISO27001 standard, which mirrors many of the security and privacy requirements of GDPR.
  • We are committed to implementing any additional security and privacy measures required under GDPR if such measures appear as part of, or in addition to, the regulation.
  • Data transfers between Client and ReconArt environments are encrypted and use secured transfer channels.
  • Dedicated Client ReconArt systems are accessible only from whitelisted Client networks.
  • Where appropriate, enterprise-class authentication tools can be integrated with ReconArt (Okta, OneLogin, Active Directory). This way even higher security standards, such as dual authentication, can be enforced.
  • EU Client data is stored in a secured data center in Europe. We use two Armor data centers, located in London and Amsterdam, to host those systems.
  • As a processor, assisting with the security and privacy of the processing, including notifying controllers in the event of breaches.
  • Providing ReconArt support personnel who have access to Client data with the appropriate training for keeping that data confidential and secure.
  • Holding any vendors (hosting partners) that handle personal data to the same standards as ReconArt.
  • Through a GDPR-compliant Data Processing Addendum to our standard Agreement, obtaining from customers a classification of the personal data used for reconciliation (if any) and taking the relevant measures to protect this data via technical and process-related activities.
  • Carrying out data impact assessments and consulting with EU and local regulators where appropriate.

GDPR and ReconArt: Frequently Asked Questions

Does ReconArt process Personal Data on behalf of its customers?

By default, ReconArt uses low-risk personal data such as name, email and phone number to create logins for customers in the system. If customers (Controllers) do not want to provide such personal data, they can use a third-party authentication method (Okta, OneLogin or Active Directory). In that case only a login identifier is needed in ReconArt, which does not itself contain personal data. The other details can be protected using pseudonymization in ReconArt, as they are not needed for the login process. If internal authentication is used, an email address is needed for system activities (e.g. password resets). All other fields are either optional or can be pseudonymized if the Client wishes to protect them.

ReconArt has no visibility into whether Clients include personal data in the data they choose to upload and reconcile in the system. To protect this data, all personal data that is uploaded to the system has to be described by the customer with the appropriate classification. ReconArt will then take the necessary measures to protect this data according to the GDPR requirements.

Where does ReconArt process my data?

Our hosted environments run in a carefully selected third-party data center, Armor (https://www.armor.com/), which holds a number of security certifications, including SSAE16, PCI, HIPAA and GDPR (https://www.armor.com/compliance/). For European customers, we use the London and Amsterdam Armor locations to host the production environments. Test environments are hosted either at Armor or within ReconArt’s own data center in Bulgaria.

How does ReconArt protect my data?

Production environments are protected via the following measures, addressing critical areas of GDPR compliance:

  • Network:
    • Intrusion Detection: detects malicious traffic that could result in data breaches
    • Vulnerability Scanning: reduces the attack surface by identifying improper configurations and missing patches/updates
    • IP Reputation Management: an effective first line of defense, blocking IP addresses associated with threat actors
    • Web Application Firewall: provides effective detection and blocking of traffic associated with malicious application behavior such as cross-site scripting and SQL injection
  • Server:
    • File Integrity Monitoring: detects unauthorized changes to critical files
    • O/S Patching: addresses O/S vulnerabilities
    • Malware Protection: protects systems from viruses and malware
    • O/S Log Management: records a history of important O/S events for incident response and forensic investigations
  • Administration:
    • Security Dashboard: facilitates documentation of security posture and incident communication
    • Incident Response: provides quick and prioritized response to incidents
  • Data security:
    • All backups are encrypted with an enterprise-class 256-bit encryption algorithm.

Is it possible to anonymize or pseudonymize all personal data I am reconciling in ReconArt?

Yes, but this has to be done on the Controller (Client) side. ReconArt itself does not require any personal data at all for reconciliation purposes and, to the best of our knowledge, low-risk personal data (e.g. partial names and addresses) is used only in rare cases. The Client has full control over what data to load and in what form.

Is it possible to encrypt all personal data I am reconciling in ReconArt?

Yes, it’s technologically possible, however there are two aspects to consider:

  • All data that is classified as personal has to be described and provided from the Client to ReconArt. After appropriate measures for data protection are agreed, ReconArt will implement them.
  • Some methods for encryption on database level may limit some of the ReconArt functionality – for example, if string data is encrypted, then substring functions may not work as part of the reconciliation rules.
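The two answers above make a practical point that is worth seeing in code: a Controller can pseudonymize a personal-data field before upload, and once a field is protected, substring-based rules stop working on it while equality-based rules still do. The following is an added Python example, not ReconArt code and not a description of how ReconArt stores data. It assumes one common pseudonymization method, a keyed HMAC-SHA256 token under a key that stays with the Controller, and runs it over constructed sample records.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Constructed sample records: two sides of a reconciliation. "payer" is the
# personal-data field; "ref" and "amount" are the financial fields the
# reconciliation actually needs.
BANK_SIDE = [
    {"ref": "TX-1001", "amount": "120.00", "payer": "Jane Doe ACME Ltd"},
    {"ref": "TX-1002", "amount": "75.50", "payer": "John Roe"},
]
LEDGER_SIDE = [
    {"ref": "TX-1001", "amount": "120.00", "payer": "Jane Doe ACME Ltd"},
    {"ref": "TX-1002", "amount": "75.50", "payer": "John Roe"},
]

# Hypothetical Controller-held key. In practice it is generated and kept by
# the Controller and never sent to the processor alongside the data.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a personal-data value with a deterministic keyed token.

    HMAC-SHA256 under a secret key: the same input under the same key always
    yields the same token, so equality matching across the two sides still
    works, but the token reveals nothing about the original characters.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def protect_records(records: Iterable[Dict[str, str]], fields: Iterable[str]) -> List[Dict[str, str]]:
    """Pseudonymize the named fields of every record; leave the rest untouched."""
    protected = set(fields)
    return [
        {k: (pseudonymize(v) if k in protected else v) for k, v in record.items()}
        for record in records
    ]


def match_equal(a: List[Dict[str, str]], b: List[Dict[str, str]], field: str) -> List[Tuple[str, str]]:
    """Equality rule: pair records from a and b whose field values are identical."""
    index = {record[field]: record for record in b}
    return [(record["ref"], index[record[field]]["ref"]) for record in a if record[field] in index]


def match_contains(records: List[Dict[str, str]], field: str, needle: str) -> List[str]:
    """Substring rule: select records whose field contains the needle."""
    return [record["ref"] for record in records if needle in record[field]]


def demo() -> Dict[str, list]:
    """Run both rule types over plaintext and pseudonymized data."""
    bank_p = protect_records(BANK_SIDE, ["payer"])
    ledger_p = protect_records(LEDGER_SIDE, ["payer"])
    return {
        # Equality on the protected field still pairs both transactions.
        "plain_equal": match_equal(BANK_SIDE, LEDGER_SIDE, "payer"),
        "protected_equal": match_equal(bank_p, ledger_p, "payer"),
        # A substring rule finds the ACME record in plaintext but nothing in
        # the tokens: the hex digest cannot contain the letters "ACME".
        "plain_contains": match_contains(BANK_SIDE, "payer", "ACME"),
        "protected_contains": match_contains(bank_p, "payer", "ACME"),
        # Non-personal fields are untouched, so rules on them are unaffected.
        "ref_equal": match_equal(bank_p, ledger_p, "ref"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice that matters is where the key lives: because the token is keyed, the processor cannot recover or brute-force the original value from the token alone, yet the Controller can re-derive the same token for any new upload. Rules written over the protected field must be restricted to exact matches; any rule that relied on partial strings (a name prefix, a fragment of an address) has to be redesigned or moved to a field that is not personal data.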

Can you guarantee that my data will stay in a certain location (e.g., Europe)?

Yes, ReconArt will place the production and test environments according to the location of the customer and the applicable data protection requirements. Customers from the United States will have their data located in the US, and customers outside the US and EU will have their systems located in the Armor data center that provides the best performance, unless otherwise required.

What security related certifications does ReconArt have?

ReconArt is ISO27001 certified within the European subsidiary. The same processes are rolled out and implemented in the US office where the certification process is in progress and will be completed by the end of 2018.

ReconArt recommendations for our Clients (Controllers)

It is important that our Clients, as Data Controllers, are aware of their own obligations under GDPR; these tend to be more expansive than those for entities considered “Processors”. Due to the nature of ReconArt’s offering and the fact that, for the most part, our Clients manage their ReconArt systems independently, mutual efforts are needed to ensure GDPR compliance in the event that private data is used. This includes the Client properly outlining and classifying the personal data so that ReconArt can ensure the proper GDPR compliance measures are taken to protect it.

No provider can figure out GDPR compliance on your behalf

It’s important to treat GDPR not purely as a legal issue that can be solved by an appropriate Data Processing Agreement, but as a comprehensive matter that touches many aspects of the business. Every organization needs to complete its own legal, technical, and operational analysis to fully understand GDPR and its own role in it, and to implement it comprehensively. It is recommended that this analysis include internal resources as well as independent expertise, and that ultimately it produces a compliance strategy.

Understand your data

As a Data Controller, it is solely your responsibility to fully understand and document the nature, purpose, and risk level of the private data you are collecting. Ultimately, the GDPR is all about understanding your data and designing your approach to security around it, and only you are in a position to do this. For starters, this is a great opportunity to eliminate or minimize the use of personal data in processes that do not actually require it, such as reconciliation. Consider all the tools at your disposal to accomplish this. If private data must be used, there should be a good reason, which will be documented in the DPA.

Educate employees

According to this GDPR:REPORT article from June 2017, “whilst cyber-attacks resulting in data breaches dominate the headlines, the majority of data breaches occur due to human error – be it a dropped memory stick, sending something to the wrong e-mail address, not following a firm-wide policy on encrypting data or not taking care of paper files whilst out of the office”. It’s very important to prioritize comprehensive employee education on GDPR concepts and best practices around data privacy and security. There are many easily accessible resources in the form of online courses, webinars, and other materials that can assist you with this; consider making employee training an ongoing programme with monthly recurrence rather than a one-off event.

Contact: If you have any questions, please contact us at info@reconart.com

Disclaimer: The purpose of this write-up is to share ReconArt’s measures for GDPR compliance and provide helpful guidance to interested parties. It is not a comprehensive solution or legal advice for GDPR. Each organization should undertake their own steps to ensure compliance.

Tags/Topics in this article: Compliance

Card Transactions in the e-Commerce World

by Mariya Salabashyan

The way payments are made nowadays is radically changing. People are using all kinds of devices (e.g. via smartphones and tablets) to shop, pay the rent, book a trip or make any other types of transactions. Thousands of companies are competing and cooperating at the same time to enable and simplify the flow of transactions and the transfer of related information from one party ...
Tags/Topics in this article: Payment Services

Enabling Enterprise-class Security in ReconArt

by Ivan Popov

As designers of a world-class enterprise system, ReconArt has always had significant focus on application security. We have purposefully integrated enterprise security best practices in the application to keep access and data secured, while simultaneously keeping configuration and management as simple as possible. To achieve this capability, our application implements several m...
Tags/Topics in this article: Compliance

Trends for Travel & Hospitality

by Geri Davies

The travel industry is one of today’s most exciting and rapidly growing business sectors. Web-based companies like Expedia, Booking.com and Hotels.com have made booking and buying travel easier than ever before. For travel companies, 2016 was an exciting year with dynamic changes, aggressive growth, and continuous success. To put it simply, travel is on the rise globally. ...
Tags/Topics in this article: Travel & Leisure

The Benefits of Automating Employee Expense Reconciliation

by Denitsa Krachunova

Employee expense management is better than ever, but full control over the process requires reconciliation, too. Employee expenses, or the costs related with tasks performed by an employee for an employer, are nothing new in the business world. These common expenses are employee-generated transactions associated with business travel, accommodation and meals,...

How to Own Self-Sufficient Reconciliation Processes For Your Business

by Jeremy Shanahan

Self-sufficiency, the ability to supply one’s own needs without external assistance, is essential for any business team which strives to maintain control of its operations, without being overly dependent on external parties. This is especially true for businesses that have to process a large volume of transactions from multiple internal and external accounts....
Tags/Topics in this article: Customer Trends, Operational Efficiencies

It’s not too late to automate

by Nicolo Nisbett

It’s been a great and beautiful year so far here at ReconArt. This has even been true of the weather. As a native Englishman I naturally think and speak often (often meaning daily) about the weather. So I have felt blessed to be able to walk the two miles each morning in just shirtsleeves to our corporate office just outside of Washington DC. That was until this week. For the...

The Struggles with Credit Card Recs Solved

by Geri Davies

These days it seems like we are receiving more and more requests to help with the automation and streamlining of credit card reconciliation. As a platform historically rooted in principles such as the ability to handle large data volumes, various and complex data sources, and mu...
Tags/Topics in this article: Reconciliation Solution

Fastest Growers Leverage SaaS

by Jeremy Shanahan

Although it has been touted for many years as a pending revolution in how IT and business services are delivered, only recently has “the cloud” been embraced broadly as part of business strategy. Initially, adoption of Software-as-a-Service (SaaS) was focused on front office functions such as sales, marketing, and customer service (e.g. SalesForce CRM and Zendesk). The adop...
Tags/Topics in this article: Customer Trends