What are we doing about the GDPR?
Trust is at the heart of each transaction between Resolver, its customers and clients. It is important to us, and crucial to the success of our business, that Resolver is trusted to look after the information our customers and clients give us, and to do everything we can to process it safely and securely.
The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, is putting even more of a focus on this. Like many companies, we are making a whole host of technical, organisational, contractual and process-led changes to ensure we are meeting the requirements of the new Regulation.
What is Resolver doing to prepare for the GDPR?
As part of our GDPR Readiness Programme, we have commissioned an independent, external assessment of our whole organisation. This has identified a set of recommendations, which we are now in the process of implementing across our business. For example:
- Continuing to invest in our security infrastructure;
- Reviewing, formalising and updating our processes, policies and other documentation;
- Conducting assessments of our suppliers and third parties and ensuring we have the contractual terms and technical / organisational measures in place to allow them to process data on our behalf, which may include international transfer;
- As the GDPR is a new Regulation, we are also keeping abreast of any updates to the guidance issued by bodies such as the Information Commissioner’s Office, and will update our plans accordingly.
Below is some more information on some of these areas:
- We send and receive emails through two encrypted methods – opportunistic TLS encryption and, where requested, Forced TLS encryption.
- Our database is encrypted on disk.
- Our system runs inside a Virtual Private Cloud on Amazon Web Services (AWS). There is only a single entry point, which requires an SSH tunnel authenticated with public/private keypairs. When not in use, the gateway is shut down, rendering the VPC inaccessible.
- We carry out regular penetration tests and have undergone various security audits as part of our client obligations.
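The two email modes listed above differ in what happens when the other mail server does not support TLS: opportunistic TLS encrypts when STARTTLS is offered and otherwise falls back to plaintext, while forced TLS refuses to deliver unless TLS is negotiated. The following Postfix main.cf fragment is an added illustration of that distinction and is not Resolver's configuration; it assumes Postfix is the mail transfer agent, and the certificate paths and the partner domain are placeholders.

```ini
# Added example (not Resolver's own configuration): Postfix main.cf settings
# showing opportunistic TLS as the default with forced TLS for requested domains.

# --- Outbound mail (Postfix acting as SMTP client) ---
# Opportunistic TLS: use STARTTLS when the receiving server offers it,
# otherwise fall back to plaintext delivery. This is the weaker default.
smtp_tls_security_level = may

# Forced TLS for specific recipients: a per-domain policy table overrides the
# default above. In /etc/postfix/tls_policy (build with "postmap"), a line such as
#   partner.example    secure match=partner.example
# refuses delivery to that domain unless TLS is negotiated AND the server
# certificate chains to a trusted CA and matches the domain name.
# Use "encrypt" instead of "secure" to require TLS without certificate checks.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # placeholder path
smtp_tls_loglevel = 1

# --- Inbound mail (Postfix acting as SMTP server) ---
# Advertise STARTTLS to sending servers (opportunistic on the inbound side;
# inbound cannot be forced without rejecting senders that lack TLS).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server.crt   # placeholder path
smtpd_tls_key_file = /etc/postfix/tls/server.key    # placeholder path

# Record the TLS state of each inbound session in the Received: header so a
# plaintext fallback is visible in message headers and mail logs during audits.
smtpd_tls_received_header = yes
```

With `smtp_tls_loglevel = 1`, every outbound session logs whether it was `Trusted`, `Verified`, `Untrusted` or `Anonymous` TLS, or had no TLS at all; reviewing those lines is the simplest check that the forced-TLS policy is actually being applied to the domains that requested it.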
Data Collection, Storage, Retention
- The personal data we collect from our users when they use Resolver is their contact information and details on the complaint itself.
- We process this data so that the user is able to resolve their problem with the relevant company. Our lawful basis for processing is Legitimate Interest under Article 6 – Lawfulness of Processing Data and Article 7 – Conditions for Consent.
- The Resolver platform is hosted by AWS in Ireland. Back-ups are on AWS in Frankfurt.
International Data Transfer
Although Resolver itself does not process data outside of the EEA, we use Third Party sub-processors that do. The GDPR is very clear that the Data Controller is responsible for the entire value chain and therefore we are implementing the following measures so that personal data is processed safely and securely:
- Auditing our Third Parties for use of the EU-US Privacy Shield;
- Data Processing Addendums with our data processors/sub-processors as required; and
- GDPR compliance assessments to assess the readiness of our Third Parties.
Governance, Policies and Processes
We are reviewing and formalising our processes to account for the much greater emphasis on accountability, demonstrability and transparency: organisations are accountable for the personal data they process, they must be able to demonstrate that they comply with all the regulations, and they must be completely clear with their customers about how personal data is collected and used.
In the run-up to May 2018, we are raising awareness of the GDPR throughout our business. All of our staff will be going through GDPR training sessions tailored to their roles within the business. This will include training on our new data protection policies and processes, including the 7 Rights of the Data Subject and data retention.
From 25 May 2018 our Data Protection Officer will be formally taking on the new GDPR accountabilities.
What are we doing to help our clients prepare for GDPR?
As part of your own preparations for the GDPR, you will be looking to us not only to provide assurance of our readiness in general terms, but also, where required, to work with you to ensure we have the appropriate data protection terms in our contract.
Data Processing Addendum
To that end, our Legal team is creating a Data Processing Addendum, which will include the appropriate data protection terms needed for us to process personal data on your behalf. Where this is applicable, we will be in touch separately to progress this with you.