GDPR Compliance Assurance: Statement for Our Customers
Purpose of this Statement
The General Data Protection Regulation (GDPR), coming into force on 25 May 2018, will be one of the strictest pieces of privacy legislation globally. EDM Group believes that privacy is a very important right for citizens and wishes to assure all the company’s customers that we are working hard to ensure compliance in all areas of our business.
Within this statement we wanted to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
Data Protection Officer
EDM Group has designated a Data Protection Officer (DPO), who is taking full responsibility for all matters relating to data protection and GDPR compliance. The DPO will ensure that we are accountable and transparent to the supervisory authorities, including the creation and maintenance of “Records of processing activities” as per Article 30 of the GDPR.
To adhere to the GDPR requirement that a data controller (our customer) must appoint the processor (EDM Group) in the form of a binding written agreement, with the personal data processed (including the activities of any sub-processors) only on documented instructions from the controller or the requirements of EU law or the national laws of Member States, we will be reviewing all our agreements with our customers to ensure compliance. This will ensure that relevant wordings are in place to cover aspects such as the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. It will also, where applicable, cover cross-border transfers and the use of any sub-processors.
Security and Business Continuity Measures
EDM Group continually seeks to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
In demonstration of this, we have processes compliant with the following standards:
- ISO 9001:2015 certification for Quality Management Systems
- ISO 27001:2013 certification for Information Security Management Systems
- BS 10008:2014 compliance for the Evidential Weight & Legal Admissibility of Electronic Information
- PCI-DSS Version 3 certification for handling payment card data
- ISO 22301:2012 Requirements & ISO 22313:2012 Guidance compliance for Business Continuity Management
- BS 7858:2012 compliance for Security screening of individuals employed in a security environment
- BS EN 15713:2009 compliance for Secure destruction of confidential material
- BS 6498:2012 & BS 1153:1992 compliance for handling microform
- ISO 15489-1:2001 compliance for Information, Documentation & Records management
- ISO 19005-2:2011 compliance for Electronic document file format for long-term preservation
- BS 5454:2012 compliance for the storage of archival documents
- AES-256 compliance for encryption
- IR76 2000 compliance with HMRC guidance on processing personal pension records
Under the GDPR, we must notify any data breach to the controller without undue delay. EDM Group therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller.
We would provide the controller with:
- A description of the nature of the breach
- Contact details of the responsible data protection officer or any other contact person
- Likely consequences of the breach
- Proposed and imposed measures that were taken to limit harmful effects
We would stress again that we have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.
Data Subject Rights
Under the GDPR there are significant enhancements to the rights that individuals enjoy with regard to their personal data. EDM Group can work with customers for whom we hold or process personal data in order to determine how best to facilitate:
- Handling Data Subject Access Requests
- Rectification of personal data
- The application of retention periods and the secure erasure / destruction of personal data
- Responding to data portability requests, providing the data in a structured, commonly used and machine-readable format