Frequently asked questions about the GDPR at Acerta
1. Which steps is Acerta taking in the context of the GDPR?
The GDPR applies to all employees within Acerta and all personal data processing operations within Acerta. We therefore elected to address Acerta’s compliance as a company-wide project. In doing so, we engage in different areas and work with the aid of a road map developed in collaboration with an external party that supports us. This road map is based on the thirteen-step plan developed by the Privacy Commission, which is intended to assist organisations with their GDPR compliance.
This road map contains items like:
- increasing the awareness of Acerta employees with respect to privacy;
- developing the processing and data registers;
- correcting and expanding the privacy programme through adjustments to the privacy strategy as well as the expansion and, if needed, complete revision of the policies;
- appointing a Data Protection Officer for the entire Acerta group;
- developing procedures for recognition of the rights of the involved party;
- adjusting incident management as a result of the reporting requirement;
- evaluating our suppliers and making changes to the collaboration, if needed;
- developing a privacy impact analysis framework;
- monitoring the technical and organisational measures and correcting them where needed.
2. Which technical measures has Acerta taken as part of the protection of personal data?
At Acerta, we frequently use information that falls within the category of personal privacy. We are fully aware of the sensitive nature of this information.
In the past, we have always implemented the best possible technical measures to protect the privacy of people associated with us (customers, employees, suppliers, …) as carefully as possible and in accordance with the law.
- Acerta has regular audits of its information security, which are carried out by an external party. These audits are based on the ISO standards and are used as a guideline for potential improvements to our IT environments.
- Acerta has all new software inspected for vulnerabilities and for resistance to cyber-attacks by means of a so-called pen test. External independent organisations perform the pen testing. This approach guarantees the quality and safety of the software we use.
- Access to our systems is screened by an advanced, rational mechanism for access management.
We remain continuously focused on improving our systems. This was already the case before the GDPR became effective. In response to the GDPR, we are performing additional research for potential improvements.
3. Which organisational measures has Acerta taken as part of the protection of personal data?
At Acerta, we frequently use information that falls within the category of personal privacy. We are fully aware of the sensitive nature of this information.
In the past, our organisation has always made every effort to protect the privacy of people we offer our services to (customers, employees, suppliers, …), as efficiently as possible and in accordance with the law.
The introduction of the General Data Protection Regulation (GDPR) motivates us to further refine our approach.
We have taken the following measures:
- Acerta has appointed a Data Protection Officer (DPO) for the entire Acerta group. This DPO monitors the correct implementation of the applicable laws and regulation in the execution of the processes within Acerta.
  DPO: Sarah Peeters
  e-mail: dpo@acerta.be
- We have upgraded the organisational structure for risk and privacy management.
- We incorporated additional checkpoints in our production processes. These additional checkpoints are specifically aimed at the privacy aspect and the necessary coordination guarantees.
- Our privacy programme and its relevant associated guidelines are adjusted in accordance with the GDPR. This privacy programme contains, among others, Acerta’s privacy strategy, our policy regarding data privacy, information security, rational access control to our systems, …
- We have developed an advanced awareness campaign for our employees to bring extra attention to the privacy aspect and the GDPR.
4. Which measures does Acerta take to guarantee the rights of the person involved?
Acerta recognises that the right to privacy is a fundamental right for each individual and therefore undertakes the necessary measures to guarantee this right, in accordance with the applicable laws and regulation and Acerta’s capacity. Acerta will operate in full compliance with the law and therefore set up the required procedures and processes.
- As processor of personal data, Acerta will immediately forward any question directly addressed to Acerta by an involved party, whose data are being processed by Acerta, to the data controller.
- As processor of personal data, Acerta will provide the required means and support to respond to the questions of the involved party that are asked via the data controller, in accordance with the applicable laws and regulation.
- As processor of personal data, Acerta will respond to the questions of the involved party in accordance with the applicable laws and regulation.
5. Which measures does Acerta take to detect data leaks?
All activity on our systems and network is extensively logged. In addition, we have implemented several control mechanisms that monitor our IT environments and issue an alert in the event of a breach.
In the future, Acerta will expand its resources to detect potential data leaks. For this purpose, we rely on the best techniques available in the area of data loss prevention, security information and event management (SIEM), behaviour analysis, ...
6. Which measures does Acerta take to report data leaks?
Acerta has an incident management process with a built-in escalation channel for reporting and limiting incidents that involve the loss of data and other security leaks. This process will accommodate the reporting requirement as well, in accordance with the applicable laws and regulation.
- All incidents involving the loss of data will be reported to Acerta’s Data Protection Officer and logged in a register.
- As processor of personal data, Acerta will report all incidents involving the loss of data to the data controller, within the specified time frame and in accordance with the applicable laws and regulation.
- As processor of personal data, Acerta will report all substantial incidents involving the loss of data to the supervisor, in accordance with the applicable laws and regulation, with the required information.