What is GDPR?
The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will impact every organisation that holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties compared with the current Data Protection Act (DPA), which it will supersede.
What is personal data?
Anything that can help identify an individual is personal data. GDPR includes a broad spectrum of information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data extends beyond a person’s name or email address. Some examples include financial information, IP addresses and physical addresses.
Compliance with GDPR
We are able to confirm that we have a comprehensive GDPR Readiness Programme in place across all areas of the business that process personal data, and that we are meeting our new accountability obligations under the new or updated requirements of the GDPR applicable to us, such as the consent and data subject rights requirements, privacy by design and a simplified right to be forgotten.
We are continually committed to high standards of information security, privacy and transparency, and place a high priority on protecting and managing data in accordance with accepted standards, including ISO 27001 and ISO 9001, against which we are certified.
Some of the key activities in the GDPR Programme include the following:
Our standard contract terms have been amended to ensure that the data protection clause meets the requirements of the GDPR and can be viewed here.
We have conducted a comprehensive landscaping exercise across all our data processing activities and relevant systems. This exercise provides a record of what personal data we are processing and for what purpose and this will be maintained going forwards.
We are working with our third parties and updating our supplier contract terms to take account of the specific obligations of the GDPR.
The privacy notice on our website has been reviewed and updated as required to ensure that we meet the GDPR transparency obligations about data collection and processing.
We have reviewed our information retention policies to ensure that we only hold personal data for the minimum time necessary, and to allow us to identify and meet any requests from individuals exercising their right to be forgotten.
Over and above our employee mandatory training programme, we have a communications and awareness plan in place to ensure that all personnel engaged in processing of personal data, whether it be employee or customer data, are aware and reminded of their obligations.
Privacy Impact Assessments – we have already introduced new processes enabling new products and services to be checked for privacy compliance. The use of this tool is mandatory for business units developing new products and services.
Data breach notification – we have operated a data breach notification process since this requirement was introduced. This is also a key contractual requirement on any third-party data processors we appoint to process data on our behalf.
Data security – our IT Service Desk protects all aspects of DuoCall operations, covering people and buildings, networks and cyber security. We operate a process to check that our systems, networks, applications and products are built and maintained securely.
Your role as a data controller
As the data controller, you will determine the personal data we process and store on your behalf. As a controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.
Our role as a data processor
We’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we only process personal data in accordance with your company’s permission and instructions — for example, as set out in your agreement with us. Where your data is in one of DuoCall’s cloud solutions and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services, and tools to help you respond.
The data we hold is used solely for the purpose of delivering our services and is not shared with any third parties for other purposes such as direct marketing.
If you have any specific questions regarding the GDPR requirements and how this may impact your use of our products and services, please email firstname.lastname@example.org and our GDPR team will respond to you.