26 February 2018
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive and comes into force on the 25th May 2018.
The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
We are committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections which have been built into our services and contracts over the years.
It is important to remember that the GDPR is only a part of the overall data protection framework. The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018 replacing the current Act.
Any legislation introduced into Parliament is open to change, so once the ICO [the UK's independent body set up to uphold information rights and the UK's GDPR Supervisory Authority] has a clearer idea of its final form, it will develop the structure and the content of the guidance it provides.
The ICO aims to provide a suite of data protection guidance that is as comprehensive as possible by May 2018 (see below).
Responsibility for data protection is owned by the "Data Controller", supported by the "Data Processor".
Our customers will typically act as the Data Controller for any personal data collected and stored by the websites and databases we create and maintain. The Data Controller decides what happens to the personal data, while the Data Processor carries out the instructions of the Data Controller.
Emperor is a Data Processor as we store personal data and can generate email alerts on behalf of the Data Controller.
Data Controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Data Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling the rights of “Data Subjects” with respect to their data.
Guidance related to the role of Data Controller under the GDPR is available on the ICO website at:
Data Controllers should also seek independent legal advice relating to their status and obligations under the GDPR, specifically tailored to their situation.
As a current or future customer of Emperor, now is a great time for you to begin preparing for the GDPR.
Customers, as Data Controllers, should:
Familiarise themselves with the provisions of the GDPR, particularly how they may differ from their current data protection obligations.
Create an updated inventory of personal data that they handle.
Review their current controls, policies, and processes to assess whether they meet the requirements of the GDPR and build a plan to address any gaps.
Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to their business circumstances.
Among other things, Data Controllers are required to only use Data Processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.
According to the GDPR, the Data Controller and the Data Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
At Emperor we have the expert knowledge, reliability and resources to fulfil our obligations as Data Processors.
We only use hosting sites which have proven security/defence systems for both their physical infrastructure and hosted environment. Each provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.
We are happy to make information available about these providers and to include commitments relating to them in updated customer contracts.
Processing According to Instructions: Any data that a Customer and its end-users put into the databases we create and maintain will only be processed in accordance with the Customer’s written instructions.
Personnel Confidentiality Commitments: All Emperor employees are required to sign a confidentiality agreement and our Information Security Handbook specifically addresses responsibilities and expected behaviour with respect to the protection of information. We are certified to ISO 27001, the international Information Security Management System Standard.
Data Deletion or return: When Emperor receives a written instruction from a customer to either return or delete data, we will return or delete the relevant data from all of our systems, unless overriding retention obligations apply.
Data Subject’s Rights: Emperor will fulfil its obligations to assist our Customers to respond to requests from Data Subjects to exercise their rights under the GDPR.
Incident Notifications: Emperor will promptly inform our Customers of incidents involving their data in line with the requirements of the GDPR.
Audit Rights: Under the GDPR, audit rights must be granted to Data Controllers in their contracts with Data Processors. We expect that the updated data processing contracts we will receive before the GDPR comes into force will include audit rights for our customers, and we are happy to enable our customers to exercise such rights.
Get in touch, we would love to hear from you.
PRIVACY NOTICES UNDER THE EU GENERAL DATA PROTECTION REGULATION
GOOD AND BAD EXAMPLES OF PRIVACY NOTICES