GDPR COMPLIANCE STATEMENT
1. PURPOSE OF THIS STATEMENT
The General Data Protection Regulation (GDPR) comes into force in the United Kingdom on 25th May 2018, and represents a significant overhaul of data protection law. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organisations can make of their personal data, and imposes new legal obligations on those organisations about how they hold and process personal data relating to their staff, customers, suppliers and other stakeholders.
Lotus & Lion Ltd takes privacy very seriously, and has undertaken an extensive GDPR-readiness programme using both GDPR-trained internal resources and specialist external advisers. The purpose of this statement is to inform our clients about the steps that we have been taking by way of preparation.
2. INFORMATION AND SECURITY AUDIT
Lotus & Lion Ltd has undertaken an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used. We have also undertaken a security audit to ensure that, where we hold and process personal data, there are appropriate technical and organisational measures in place to ensure that the data is protected. Our findings have been documented in order to help us comply with the GDPR’s accountability requirement.
3. LAWFUL BASIS OF PROCESSING
The GDPR states that the processing of personal data is only lawful if it is done under one of the defined “lawful bases”: these include, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organisation’s “legitimate interests”.
On the basis of the output from the information audit, Lotus & Lion Ltd has identified an appropriate lawful basis for each kind of processing that we undertake, and these are documented in our privacy notices.
4. PRIVACY NOTICES
Our privacy notices have been updated to ensure that data subjects are properly informed about all the details that GDPR requires us to notify them about, such as the identity and contact details of Lotus & Lion Ltd as the controller of the personal data; the contact details for the person responsible for data protection within the organisation; the purposes of the processing, and the lawful basis for it; the “legitimate interests”, where this is the lawful basis of processing on which we are relying; and the existence of the data subject’s right (a) to request access to the personal data, (b) to request rectification or erasure of personal data, (c) to request that the processing is restricted, (d) to object to the processing and (e) to data portability.
5. INTERNAL POLICIES AND PROCEDURES
We have developed and implemented a number of new policies and procedures to ensure that we are able to respond efficiently to data protection issues. These include a new Privacy Policy which directs staff as to how personal data should be used, along with procedures for dealing with:
Subject access requests
Requests from data subjects to exercise their other rights under the GDPR, such as the “right to be forgotten” and the right to have inaccurate data rectified
Personal data breach incidents
Objections to direct marketing.
6. CLIENT AGREEMENTS
We have developed a Data Protection Addendum to our standard terms of engagement, that addresses the GDPR’s requirements about contracts between data controllers and data processors where we are handling personal data on behalf of a client. In summary, the Addendum provides that:
Lotus & Lion Ltd will only process the personal data on the client’s written instructions;
Lotus & Lion Ltd will ensure that all personnel with access to the personal data treat it in confidence;
Lotus & Lion Ltd will put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing, and against accidental loss, destruction or damage;
Lotus & Lion Ltd will not engage a subcontractor as a third-party processor of the personal data without the client’s approval;
Lotus & Lion Ltd will assist the client in responding to requests from data subjects and in ensuring compliance with certain of the client’s other obligations under data protection law;
Lotus & Lion Ltd will delete or return personal data on termination of the relevant engagement;
Lotus & Lion Ltd will keep complete and accurate records and information to demonstrate its compliance, and allow for audits by the client or its representatives;
Lotus & Lion Ltd will inform the client if an instruction infringes data protection law; and
Lotus & Lion Ltd will not transfer any personal data outside the European Economic Area unless (a) the client’s prior written consent has been obtained, and (b) appropriate safeguards have been put in place for the personal data.
The inclusion of this Addendum means that our clients can be assured that, if Lotus & Lion Ltd processes personal data on their behalf, it is being done on the basis of a contract that meets those requirements.
8. THIRD PARTY PROCESSORS
We will do our best to ensure that with effect from 25th May 2018, our contracts with any third party companies that process personal data on our behalf include the relevant controller-processor clauses.
9. STAFF TRAINING
We have put in place data protection awareness training for all staff. This includes training about the GDPR’s data protection principles and other key aspects of data protection law as it relates to Custom Intelligence’s business, and as a minimum some essential “do’s and don’ts” in relation to the obtaining, processing and sharing of personal data. Staff need to be aware of the importance of respecting personal data, and of their own responsibilities in this regard.