The EU’s General Data Protection Regulation (“GDPR”) automatically comes into force on the 25th of May 2018. On this date businesses must comply with the new data protection rules that apply to the collection, storage, processing and use of personal data.
Quotevine does not offer advice on GDPR and this statement must not be construed as advice.
Who does the GDPR apply to?
Any business that offers goods or services to individuals (“data subjects”) within the EU and/or monitors the behaviour of data subjects in the EU must comply with the GDPR. Even if a business is physically located outside of the EU it will be obliged to comply with the GDPR, if it targets the EU market or EU residents (for example: companies in the US selling services to EU companies).
There are no exemptions for small businesses. There is no grace period for ensuring compliance. Businesses must be fully compliant from the 25th of May 2018.
The GDPR applies to both data processors and data controllers, although they do have different obligations.
Brexit will take place after the 25th of May 2018, therefore UK businesses must comply with the GDPR. Even after Brexit, UK businesses still need to comply with the GDPR if they target the EU market or EU residents with their goods and services.
What is Personal Data?
Personal data is defined under the GDPR as:
“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data therefore includes, but is not limited to: a name, email address, IP address, photos, location data, bank details, social networking posts, medical information, device IDs, genetic data and biometric data.
A data protection impact assessment (“DPIA”) is a privacy-related impact assessment whose objective is to identify and analyse how data privacy might be affected by certain actions or activities. DPIAs are mandatory in certain cases (for example: where profiling is carried out using personal data).
Contracts and Policies
All existing contracts and privacy policies will need to be reviewed and updated to include the mandatory obligations and information set out in the GDPR (for example: having a written data processing agreement between the data processor and data controller).
Data Subject Rights
Data subjects have the right to request access to all personal data held on them, rectification of inaccurate data, objection to processing (for example: for marketing purposes), export of their data and erasure of their data. Appropriate processes and templates should be put in place to allow data subjects to exercise their data subject rights within the statutory time limit (of 1 month).
There are new obligations to report a personal data breach to a data protection supervisory authority where the breach is likely to result in a risk to the rights and freedoms of individuals (for example: damage to reputation or financial loss), and in some circumstances to the data subjects themselves. A personal data breach is defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data” and includes paper data, not just electronic data. Breaches must be reported within 72 hours, providing the specific information set out in the GDPR.
Appointing a Data Protection Officer (“DPO”)
Most businesses with fewer than 250 employees will be exempt. However, if a core activity of a business involves large-scale monitoring or processing of sensitive personal data, a DPO must be appointed. “Sensitive personal data” includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. Examples of large-scale monitoring provided by the EU are: patient data processed by a hospital, or customer data processed by a bank or insurance company. A CTO/head of IT cannot be a DPO, as they are independent of neither the team undertaking the processing nor the management.
International Data Transfers
Where businesses or their subcontractors, affiliates or suppliers store or process personal data outside the European Union, data subjects must be made aware of this and in most circumstances must consent to it. Where personal data is transferred to a country which does not have adequate protection, the methods adopted for protecting the personal data must be specified (for example: the use of model contract clauses).
Fines for Breaches of the GDPR
Businesses can be fined the higher of up to 4% of their global turnover or 20 million Euros for serious breaches of the GDPR, or 2% of global turnover or 10 million Euros for breaches that are administrative.
Preparing for Change
Businesses must know what personal data they hold, how it is collected, how it is stored and used and where and to whom it is being transferred. All such processes and information must be documented.
Businesses must implement technical and organisational measures that show they have considered and integrated data protection into their processing activities.
To achieve the above objectives, businesses should:
- audit their processing activities and security measures;
- have in place GDPR compliant privacy and security policies;
- review and amend existing contracts with customers, suppliers and subcontractors;
- create a written data processing agreement for use between data processors and data controllers.
Quotevine Specific Data Protection Information
Quotevine has always taken the safety of your data very seriously and we will continue to do so after GDPR.
Company Registration Details
Quotevine is a private company limited by shares, registered in England and Wales under number 07877335. We are registered with the Information Commissioner’s Office under number ZA158659.
Data Protection Officer
Quotevine has fewer than 250 employees and does not engage in large-scale monitoring of sensitive personal data. As such we consider that we are not obligated to appoint a Data Protection Officer.
Data Centres
Quotevine’s Data Centres are operated and managed by our infrastructure partner, Vooservers Limited, a private company limited by shares registered in England and Wales under number 05598156. Vooservers is an ISO27001 registered, ITIL compliant hosting specialist.
The primary Quotevine data centre is located in Kent. Our backup data centre for multi-tenant clients is located in New York State, USA. Dedicated service clients will be aware of the location of their secondary data centre. All data centres are protected by perimeter fencing, electric gate entry and a gate house which is manned 24x7x365 by security personnel. Strict access controls are operational within the data centre building including proximity access card readers and secure lockable racks to prevent unauthorised access to the data centre and equipment.
In transit all communication between the web browser and our data centres is protected by 256-bit SSL encryption.
At rest, all data is encrypted using hardware TPM.
Data Breach Notification
Our responsibility to notify all customers of a data breach within 72 hours is contained in our revised Terms and Conditions.
Personnel and Procedures
All Quotevine staff are resident in the UK and we do not use overseas contractors when building or maintaining our core systems. We may use overseas contractors to work on new projects that have no data contained within them.
We operate strict access controls to our production databases. Only technical staff have logons which enable access to production databases. Only senior technical staff have permanent access to update production databases. All other staff can only access data through our own internal tools, which restrict data access to a need-to-know basis. The dates and times at which non-technical staff access customer data through internal tools are permanently logged.
Quotevine continually strives to improve the functionality of our products in all regards, and GDPR is no exception. The existing and upcoming functionality related to GDPR is detailed below.
Marketing Permissions (existing)
Enables you to record, at Relationship level, individual marketing permissions at channel (Email, SMS etc.) level. Includes the ability to read and write via API.
All existing Relationships will have no permissions by default. If you require a bulk update we will be happy to discuss and quote for this with you.
Exclude Auto Contact (existing)
Enables you to mark a Relationship to be excluded from all email and SMS contact triggered by your workflow actions.
Segregated Email (existing)
Removes your email flow from the shared environment and gives you your own, dedicated transactional email service. This removes any risk of other customers’ actions affecting your email sending reputation and gives you fine-grained control over your email traffic, including the ability for compliance functions to monitor and control email traffic.
Right to be Forgotten (existing)
Enables the hard deletion of specified Relationship record(s), including provision of a certificate of deletion.
Customer Access Control (upcoming)
Enables you to securely identify customers when they call in or when you call out over the telephone, with the challenges and responses being securely audited for the lifetime of the Relationship record.
Data Expiry Dates (upcoming)
Provides the ability to categorise uploaded documents and specify a lifetime for each document category. Documents will be automatically deleted at the expiry of their lifetime.
Also provides the ability to specify a lifetime for Relationship records. Relationships will be automatically deleted at the expiry of their lifetime.
All customers will be notified of the upcoming functionality as it becomes available.