EU: General Data Protection Regulation
The IRP services have been prepared for this new regulation for some time. Nevertheless, we are making a few small changes to fully comply with the new legislation.
1. All interfaces (APIs) that did not already have it will be given stricter security. This can have consequences for the organisations we exchange information with. The IRP services are prepared to provide all interfaces with encryption.
2. We are ending the practice of creating new, unsecured databases from, for example, CSV or Excel exports. Where this really cannot be avoided, such files are strongly encrypted. An exported file is a copy that lives outside the application's access control and audit logging, which is why a separate file needs a justification: all our applications can give (external) officers (limited) access directly, so there must be a good reason to supply separate files.
3. Important change: the reporting obligation for data breaches. Even a suspected loss of personal data is reported immediately to the customer, who can then forward the report to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Under the GDPR the customer, as controller, must notify the authority within 72 hours of becoming aware of a breach, which is why we report without delay.
4. Right to be forgotten. Anyone registered in one of our services may request deletion of all their personal data. Whether this can be granted depends on that person's role in the system and on legal retention obligations. Data that no longer needs to be retained is already anonymised by cleaning scripts.
Necessary functionality that has been in our services for a long time:
1. All persons have a login that shows at least their own data. In some applications, personal data of third parties is still entered by administrators. We will not ban that procedure, but we will make sure that these persons also receive a login. Registration of a personal e-mail address is therefore mandatory (where that is not yet the case).
2. The security of all our applications is strict: a strong password is enforced and the number of login attempts is always limited.
3. In many cases hosting takes place at an ISO 27001 certified hosting provider (the certification covers the provider's own management system, not our applications).
4. Many of our services are audited by third parties; any findings are dealt with immediately.
5. There is no testing with actual personal data, unless this is explicitly agreed.
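As an added illustration of point 2 above (not IRP's own code, and not taken from this page), the following Python shows how a strong-password check and a cap on failed login attempts can be enforced together. The minimum length, the failure threshold, the counting window and the lockout duration are assumptions chosen for the example; the password check is only a placeholder callable standing in for a real hash comparison.

```python
"""Login hardening: strong-password enforcement plus a limit on failed login attempts.
Illustrative example only; all thresholds below are assumptions, not IRP policy values."""
import re
import time
from collections import defaultdict, deque

MIN_LENGTH = 12            # assumption: minimum password length
MAX_FAILURES = 5           # assumption: failures allowed within the window
WINDOW_SECONDS = 15 * 60   # assumption: sliding window for counting failures
LOCKOUT_SECONDS = 30 * 60  # assumption: how long an account stays locked


def password_is_strong(password: str) -> bool:
    """Require MIN_LENGTH characters and at least three of four character classes.
    A real deployment would also reject passwords found in breach/common-password lists."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return sum(1 for c in classes if c) >= 3


class ManualClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginLimiter:
    """Tracks failed attempts per account; locks the account once MAX_FAILURES
    occur within WINDOW_SECONDS, and releases the lock after LOCKOUT_SECONDS."""

    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.failures: dict = defaultdict(deque)
        self.locked_until: dict = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: forget it and start the failure count afresh.
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account].clear()
        self.locked_until.pop(account, None)


def attempt_login(limiter: LoginLimiter, account: str, supplied: str, verify) -> str:
    """Return 'locked', 'ok' or 'denied'. `verify` is a placeholder for the real
    credential check (e.g. a constant-time comparison against a stored password hash).
    The lock is checked before the password so a locked account cannot be brute-forced."""
    if limiter.is_locked(account):
        return "locked"
    if verify(supplied):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"
```

Note that the limiter responds identically to a wrong password on an existing account and on a non-existent one only if the caller also routes unknown accounts through it; otherwise response timing and messages leak which accounts exist. Per-account lockout should also be combined with a per-source-IP limit, since an attacker can otherwise lock legitimate users out by design.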
IRP bases all of its web development on ISO 19650, the standard for information management over the full life cycle of built assets (formerly the BS 1192 / PAS 1192-x series published by BSI). This standard has now been almost fully implemented in BIMkeeper.