GDPR applies to controllers who are established in the EU, as well as those organisations who are not established in the EU but offer goods or services to or monitor the behaviour of data subjects within the EU. Therefore, it substantially extends the territorial scope of organisations who must comply with data protection laws (in comparison to the UK Data Protection Act 1998 (DPA).
The focus is no longer on the use of equipment located within an EU member state; instead, the focus is on those who are targeting EU citizens. This means that non-EU organisations not previously caught under the DPA for targeting an EU market or EU citizens, will now be caught by the GDPR, despite lack of presence or use of equipment in the EU.
GDPR also introduces statutory obligations for processors. Under current data protection laws, the controller party has statutory responsibility for the processing of the personal data. However, GDPR introduces statutory obligations for processors.
The ‘controller’ is the party who determines ‘why’ the personal data will be processed (i.e. the purpose of the processing) and, where the controller appoints a processor, the processor determines ‘how’ the personal data will be processed (i.e. the method of the processing). Typically, an IT services provider (like us) will be a processor and its customer will be the controller.
The new processor obligations relate to the requirement to put in place GDPR compliant processing clauses (see section 2.6), security measures, security breach notification (see section 3), international transfers, data protection impact assessments (see section 2.8), data protection officers (see section 2.9) and record-keeping. Fines may be imposed on processors (see section 4). Other enhanced supervisory authority powers such as auditing also apply to processors.
PERSONAL DATA AND DATA PROCESSOR STATEMENT
GDPR defines ‘personal data’ as: ‘…any information relating to an identified or identifiable nature person or organisation (‘data subject)’; and identifiable natural person/organisation is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person/organisation’.
The GDPR definition of ‘personal data’ is broader than under the DPA and includes IP addresses, device IDs, location data and genetic and biometric data.
Thereby complying with all elements relating to us within the GDPR. We have also been through the DPIA screening check list and although we are a data processor we are not on a large enough (or sensitive enough) scale to warrant a DPIA check.
DPIA SCREENING ASSESSMENT
We are not subject to a DPIA based on the criteria check below – we do not:
Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
Process special category data or criminal offence data on a large scale.
Systematically monitor a publicly accessible place on a large scale.
Use new technologies.
Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
Carry out profiling on a large scale.
Process biometric or genetic data.
Combine, compare or match data from multiple sources.
Process personal data without providing a privacy notice directly to the individual.
Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
Process children’s personal data for profiling or automated decision-making or for marketing purposes or offer online services directly to them.
Process personal data which could result in a risk of physical harm in the event of a security breach.
The ‘controller’ is the party who determines ‘why’ the personal data will be processed (i.e. the purpose of the processing) and, where the controller appoints a processor, the processor determines ‘how’ the personal data will be processed (i.e. the method of the processing). Typically, an IT services provider will be a ‘processor’ and its customer will be the ‘controller’.
Just to be clear, Sundown Solutions are a Data Processor of the information that the person/organisation has authorised
WHO ACCESSES THE DATA?
Our internal employees and contractors only used when absolutely necessary as a resource have access to the IT systems that hold the data, as do all IT companies in a similar scenario. Our employees and contractors are fully UK resident and DBS checked.
All access to all records is logged, audited and monitored – at no time can any authorised (or unauthorised) individual access the data with full auditing taking place.
HOW IS THE DATA STORED?
The data is stored in our two main data centres in the United Kingdom. At no time does any part of the data (or backup data) leave the United Kingdom.
All data is fully encrypted in-flight and at rest as is all backups and backup repositories.
DATA BREACH PROCEDURE
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. This means that a personal data breach is more than just being hacked or losing personal data.
Breaches will be reported to the ICO unless they are unlikely to result in a risk to the rights and freedoms of individuals. The examples of notifiable breaches provided by the ICO are where breaches may result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.
Many people also don’t consider that simply emailing details to somebody outside the chain of communication by accident also constitutes a breach.
In any case if a data breach does occur the corresponding employee will report this to their Tower Lead and they will inform the effected party by email, phone or letter based and if necessary inform the ICO within 72 hours of initial detection.
The nature of the personal data breach including, where possible, the categories and approximate number of both the individuals and personal data records concerned the name and contact details of our representative and where more information can be obtained, a description of the likely consequences of the ‘personal data breach’ a description of the measures – proposed or taken – to deal with the ‘personal data breach’ and where appropriate, of the measures taken to mitigate any possible adverse effects.
SUBJECT ACCESS REQUEST
As a provider you will have the right the understand what data we hold about you and how this is processed. To do this you can send us a Subject Access Request (SAR) at any time by emailing us at [email protected] with the Subject of SAR and the details of your request.
The information that should be supplied includes:
the purposes for which we’re processing the personal data as well as the legal basis for the processing (e.g. consent, legitimate interests, contractual requirement etc.) the recipient or categories of recipients you may be sending the personal data to
the retention period or criteria used to determine the retention period
the existence of each of the data subject’s rights
Our ICO registration certificate is available upon request.