This article sets out the steps that we are taking to ensure our company complies with the European Union’s new General Data Protection Regulation (GDPR). This regulation is designed to protect an individual’s personal data. In addition to giving citizens control of their personal data, the GDPR also aims to unify data protection laws across the European Union.
To comply with the GDPR principles, organisations will need to ensure that all personal data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes
- Accurate and kept up to date
- Kept for no longer than necessary
- Processed in a manner that ensures appropriate security.
In this article we explain how we will comply with these requirements.
Existing data audit
We need to demonstrate that we are processing and storing data according to the principles listed above. This includes the data we currently hold in our systems.
We have carried out an audit of our current data to:
- Identify the personal data our company currently holds;
- Identify where the data is stored, the purpose for which it is used, how it is processed and who has access to it;
- Establish the original source of the data;
- Clarify the legal basis for storing and processing the data;
- Establish how long the data has been stored and whether or not we need to continue to hold the data.
As data management specialists, we take compliance with the GDPR very seriously. In most of our work we are classified as a ‘Data Processor’. As a Data Processor, we have audited the projects we carry out for each of our clients to:
- Identify which data is classed as personal data and which, if any, is classed as sensitive personal data;
- Ensure that all data is transmitted to and from our servers according to the GDPR’s security requirements;
- Ensure that all data is processed securely and appropriately, according to the wishes of the client (the ‘Data Controller’) and the GDPR’s requirements;
- Keep records of the processing activities we undertake;
- Assist the Data Controller in allowing data subjects to exercise their rights under the GDPR;
- Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
Melbourne Server Hosting Ltd is the host for our servers. Melbourne is a Tier 3 data centre, ensuring compliance with GDPR data security requirements. Physical security controls at the Melbourne data centre include 24×7 monitoring, visitor logs, vetting of all entrants and dedicated cages for our hardware using anonymous labelling.
MailChimp, owned by The Rocket Science Group LLC, is the Data Processor for our email newsletter activity. We have audited MailChimp’s compliance with the GDPR and established that:
- Although MailChimp is situated in the United States, transfers of data to the United States will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission;
- MailChimp has updated its Data Processing Agreement to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to MailChimp and permit MailChimp to continue to lawfully receive and process that data;
- MailChimp has updated its third-party vendor contracts to meet the requirements of the GDPR in order to permit MailChimp to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
- MailChimp has self-certified to both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield regimes, and lawfully transfers EU/EEA personal data to the U.S. pursuant to its Privacy Shield certification;
- MailChimp completes a SOC 2 Type 2 examination on an annual basis against the Trust Services Principles and Criteria of Security, Processing Integrity, Confidentiality, and Availability.
The website also includes information on how individuals can enforce their rights under the GDPR, such as the right to erasure.
We have reviewed our security procedures to ensure that our systems are robust and personal data is safeguarded. We have a policy in place for reporting a data breach. Our employees are instructed that if anyone becomes aware of a data breach, it should be reported to the Chief Technical Officer immediately.
As we have fewer than 250 employees, we are not required to appoint a Data Protection Officer. Instead, the management of our data protection procedures and policies is the responsibility of the Chief Technical Officer, who is a board-level director.