ASI Data Protection Plan
ASI maintains commercially reasonable technical and organizational measures to ensure a level of security in the iMIS software product and the ASI Hosting and Cloud Services environments. Our Data Protection Plan, first created in 2015, is an integrated, organization-wide approach to managing cybersecurity risk based on the US National Institute of Standards and Technology (NIST) cybersecurity framework. A summary of the Data Protection Plan can be found at the link below.
Data Security and Privacy Initiative
ASI’s Senior Director of Technology and Information Security leads an active Data Security and Privacy Initiative team, comprising senior management-level representatives from Legal, IT, Human Resources, Cloud Services, Customer Support, Marketing, Consulting Services, and Product Development. The Initiative team meets monthly to monitor regulatory developments, discuss progress, and report status on tasks and workstreams assigned to accountable departments. As part of this Initiative, ASI has achieved compliance with the Payment Card Industry Data Security Standards (PCI-DSS) in ASI’s regional data centres around the world, and achieved certified compliance with the European Union-United States Privacy Shield Framework.
Annual Security and Privacy Awareness Training
All ASI employees and contractors are required to participate in annual security and privacy awareness training. The content of this training is updated periodically to address the ever-evolving threat landscape and changing data protection and privacy regulatory requirements around the world.
Data Inventory and Mapping
In 2017, ASI launched its first data mapping exercise to inventory all personal data controlled or processed by ASI. As part of this data inventory and mapping exercise, ASI conducted an information audit of each department to answer the following questions:
- What type of data is collected? (Categories of data processed)
- Who is collecting or using that data? (Identity of data controller and processor)
- When (and for how long) is that data being collected and used? (Data retention period)
- Where is that data being collected and used and where does it go? (Storage locations and internal and third-party data transfers)
- How is that data being collected and used? (Applications and programs and security measures in place)
- Why is it being collected and used? (Purposes of processing)
This data mapping exercise resulted in a corporate data map of all personal data touched by ASI staff and systems and serves as a record of personal data processing activities. It is updated regularly to reflect the realities of current business processes and workflows.
Key Compliance Actions
In conjunction with the information audit and data mapping workstream described above, ASI has undertaken several key compliance actions, including the following:
- ensuring that only data strictly necessary for our business purposes is collected and processed;
- identifying the legal basis for the processing;
- revising privacy policies and notices to make them compliant with the GDPR and other privacy laws;
- ensuring that any data processors or sub-processors know their new obligations and responsibilities and that data processing agreements contain appropriate provisions with respect to security, confidentiality and protection of personal data;
- deciding how data subjects will be able to grant consent and exercise their individual rights;
- determining effective means and methods for honoring data subject access rights; and
- verifying that appropriate security measures are in place for incident response and proper data breach notification.
ASI has also reviewed its iMIS application to identify product features that help enable organisations to meet their GDPR obligations as data controller of their constituents’ personal data.
Privacy by Design and Privacy Impact Assessments
ASI has adopted a privacy by design approach, using policies and procedures that take privacy principles into account in the initial design stages of a new project or service and throughout the processing lifecycle. In a situation where data processing for a new product or service is likely to result in high risk to individuals, ASI commits to conducting a Privacy Impact Assessment (PIA) to demonstrate compliance with the GDPR’s fundamental principles and mitigate risks to data subjects.
To demonstrate GDPR compliance, ASI enters into a written data processing agreement with all clients for whom we act as a processor under the GDPR and retains documentation regarding the processing of personal data and our Data Protection Plan (including our data breach incident response plan).