GDPR and the steps we’re taking towards compliance
GDPR is legislation which supersedes the original Data Protection Act. It is being brought about because personal data is now used in more ways than ever before. The core principle is that data can only be gathered “legally, under strict conditions, for a legitimate purpose”. This gives people more say over how companies collect and handle their personal data. Above all, it harmonises data protection rules across Europe. Be aware that it introduces tougher fines for non-compliance and breaches, and comes into effect on 25th May 2018.
What is the purpose of GDPR?
The current legislation is outdated, having been enacted in 1998 – when the world wide web was fairly new. GDPR aims to improve trust in how personal data is used and to strengthen the digital economy. It also gives organisations a simpler, clearer idea of how they can use personal data.
Will Browser London Ltd be compliant with GDPR when it comes into effect?
As an organisation that controls and processes data, we are continuing our work to ensure we are compliant. Maintaining compliance is an ongoing process, and we will continue to keep our customers informed of changes.
What are the steps Browser London Ltd have taken to ensure compliance?
To date we have:
- Briefed all staff members on GDPR and the responsibilities that are associated with it.
- Designed and documented the processes we use to provide services.
- Undertaken data-mapping exercises that identify all of our data controllers and data processors.
- Designed and documented the processes for dealing with data subject rights. This includes individuals’ requests to access, amend or delete their personal data, or to object to data processing, within the new timeframes.
- Put in place a data breach notification procedure to detect, report and investigate a personal data breach.
- Put in place a Data Protection Impact Assessment process.
- Scheduled regular compliance audits or reviews in order to identify and rectify issues.
What type of personal data do we process?
This depends on the services that have been provided to a customer. It may include what the data is (such as name, email address, postal address, telephone number and financial details), where the data was received from, when it was received, and who it is shared with. To ensure that the data is constantly up to date, we actively monitor the data and update our records when necessary.
What type of personal data do we control?
Again, this depends on the services that have been provided to a customer. It may include what the data is (e.g. name, email address, address, telephone number and financial details), where the data was received from, when it was received, and who it is shared with. To ensure that the data is constantly up to date, we actively monitor the data and update our records when necessary.
Can customers access the data we process or control?
We have created a support line at [email protected] for all customers should they wish to access their personal data. Requests will be administered via our vetting service to ensure that the request is legitimate. Data will be supplied within 28 days of a request, in a common format such as CSV to allow for transit and accessibility.
What do you do with the data that is collected?
The data we collect allows our customers’ services to operate. Both custom and third-party components may be used as part of the services provided. These services may include communication, document sharing, support, payments, marketing, and analytics. In order to operate and provide a service to our customers we may use the following third-party software:
To provide a service
- Amazon Web Services, for hosting and storage of data
- Pusher, to provide chat services
- Sendgrid, to send emails
- Google Analytics and Hotjar, to track user behaviour
- BugSnag, to monitor bugs in our software
To operate our business
- Xero, for accounting and billing
- Nutshell, for Customer Relationship Management
- Google, for email, and contractual or planning information
- Slack, for internal communications
- Freshdesk and Intercom, for Customer Support
- Hiscox, for insurance
We do not provide data to advertising agencies, or to other parties for similar, unconnected purposes. More information about the data we collect can be found on our Policies page.
Are we audited or certified to the required standard?
We continually review and improve our security processes, which are led by a select committee of managers from within Browser London Ltd. Processes, assessments, and policies are audited, tested and date-stamped by our Technical Director and a supporting team. The hosting we provide is ISO 27001 certified; the certification expiry date is November 7th, 2019.
Where is the data you collect processed?
We use Amazon Web Services (AWS) and a number of component services and providers in order for some of our customers’ services to operate. The majority of our processing is carried out on servers located in the European Economic Area (EEA). At the request of a customer, we may use other carefully chosen suppliers and providers to perform other discrete tasks, which may result in data being transferred outside of the EEA.
In handling data, we follow best practices which include:
- Using encryption to communicate between users and ourselves.
- Restricting and logging those who have access to the data we hold.
- Not moving data from production to test environments.
How long do we retain personal data?
The data we process and control on behalf of our customers is retained for as long as it is required for a service to be provided, as the data allows our customers’ services to operate.
The data we collect on behalf of Browser London Ltd is held for up to a maximum of six years from the date it was submitted. The data is reviewed on an annual basis and action is taken should it be required. For marketing purposes we may use the following third-party software:
- Nutshell, for Customer Relationship Management.
- MailChimp, for newsletter services.
- Google Analytics, for campaign tracking.
- Hotjar, for campaign tracking.
Do I need to put new measures in place with my customers in advance of GDPR coming into effect?
If you collect or process data then yes, you will need to take action. The ICO’s Guide to the General Data Protection Regulation (GDPR) will help to inform you and your decision-making.
Do you have an appointed GDPR representative I can contact regarding any additional queries I have?
Yes, we have an appointed GDPR representative who can assist with your queries; please contact your account manager for more information. For general questions about Browser London Ltd’s GDPR policy please contact [email protected].
Please note that we are not able to comment or advise on the position of entities that we do not have legal ownership of.