What is GDPR?
The General Data Protection Regulation (GDPR) is a new European data protection regulation adopted by the EU Commission. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR becomes effective on May 25, 2018 and will strengthen the security of, and regulate the handling of, personal data in the broadest sense. GDPR applies to both individuals and businesses and regulates the way in which the personal data of citizens in the European Union should be handled.
Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The U.K. legislation on data protection (Data Protection Act 1998) is derived from the EU Directive on data protection. The new General Data Protection Act, which is effective from May 2018, will replace the U.K. legislation, and the U.K. Information Commissioner has confirmed that the U.K. will comply with the GDPR to enable it to do business in Europe.
What are S2 Partnership doing to prepare?
We are committed to ensuring high levels of privacy and information security. Furthermore, as holders of ISO 27001 certification, we give high priority to managing data safely and protecting the data of our employees, our clients and our service partners.
The GDPR’s new focus on transparency and accountability, as well as the need to demonstrate compliance, is being taken very seriously, and as a result we have formed a dedicated GDPR team. We are identifying the ways in which we must fulfil our responsibilities under the applicable GDPR regulations across all areas of the business.
When it comes to customer data, is S2 Partnership RiskWise a Controller or a Processor?
Under the GDPR, a “Controller” determines why and how personal data is processed. A “Processor” processes personal data on behalf of the controller. Whilst the RiskWise platform is provided to clients so that they can process data, the way in which it is used is determined in accordance with the client’s own guidelines. Therefore, S2 Partnership is a Processor of Customer Data hosted on RiskWise; the client is the Controller.
Will GDPR change the way S2 Partnership treats client data?
We continue to treat client data with the required level of sensitivity and confidentiality. We will continue to invest in the security of RiskWise to ensure it remains compliant with applicable legislation.
How do you host data and can you keep my data in the EU only?
ioMart is our appointed managed hosting partner. All RiskWise data is held on ioMart servers, all of which are located within the UK.
Yes, and it can be found here.
How long is data retained for on RiskWise?
Data deleted within a client RiskWise system is only ‘soft-deleted’ and is still kept within the client RiskWise database. If a client requests that data be hard-deleted, we will do so, except where we are required to keep it by law. If a client decides to no longer subscribe to RiskWise, we will archive that system and set it as inactive; however, we will only delete the system data upon client request. As a Processor, we will retain data as required by law and / or as instructed by the client as Controller.
What about data held on RiskWise relating to incidents?
As with all data held in RiskWise, it is the responsibility of the client to gain the required consent and to ensure the data is controlled in an appropriate way in line with GDPR. Because incident data may contain “special category data”, greater safeguards and processes may need to be considered by the client.