On May 25th 2018, the General Data Protection Regulation (GDPR) comes into force. This significant piece of legislation imposes more stringent rules on companies that offer goods and services to people in the European Union (EU), or that collect and analyse data relating to European residents.
SICL believes that the GDPR is an important step forward in protecting individual privacy rights.
At SICL we take the privacy and security of our customers’ data seriously. We understand that customers may have questions about how we handle their data and the impact of these significant ongoing regulatory changes. Therefore, we have prepared this statement to answer some of the key questions around how we are dealing with the GDPR.
Our primary considerations are to ensure that:
-The protection of our customers’ data is not compromised.
-We are fully compliant with our legal and regulatory responsibilities.
-We continue to provide the highest standard of service to our customers.
In response to the new requirements of GDPR, we have taken the following key steps:
-Expanded our internal compliance team to include key stakeholders from all parts of the business.
-Carried out a data audit to better understand the data we hold, the format it is held in and how long it is kept for.
-Enhanced our existing risk assessments and mitigations as required under GDPR.
-Updated existing, and implementing new, policies and procedures to comply with the enhanced and new rights and obligations.
-Introduced new and improved training for our employees on top of the security training we already undertake as part of our ISO27001 commitment.
In addition, SICL also intends to:
-Audit our supply chain to ensure our suppliers are capable of complying with the GDPR and are subject to compliant contract terms and conditions.
-Continuously review and improve processes in line with GDPR to reflect guidance from the ICO.
What personal data does SICL process?
What personal data SICL processes will depend on the products and services that you purchase from us. In most cases, SICL will process only very limited (non-sensitive) personal data of customers such as telephone numbers and email addresses. For normal transactional business (being the provisioning and supply of standard third-party products and services), the data is likely to be limited to the contact details of customers’ employees as necessary to receive, fulfil and deliver your services and for normal account management and reporting purposes (where required).
It is important to point out that SICL does not always have a link in the data processing chain in respect of all products and services purchased by customers. An example is where a customer purchases third-party Cloud or other standard services (e.g. software support and maintenance) which are performed by the third party under a direct agreement with the customers. In this instance, SICL only transacts the services, and would normally only process data as described under the normal transactional business paragraph above. Any data processed by the third-party service provider as part of the products or services will be subject to the terms agreed directly between the customers and the service provider, which are often contained in the End User License Agreement or similar terms.
An exception may be where SICL has access to some personal data to provide direct services such as support, in which case SICL would be processing only the data it has access to in order to perform those services. SICL would only access, amend or transfer data on the instruction of the customer.