This statement has been prepared by 9 Spokes UK Limited on behalf of our group (collectively referred to in this statement as “9 Spokes”, “we”, or “our”) to outline the steps we are taking to ensure that any processing of personal data we undertake in the course of our business is secure, lawful and in compliance with the EU General Data Protection Regulation (“GDPR”) when it comes into force on 25 May 2018.
What is the GDPR?
The GDPR is the European Union’s new legislative framework to protect the personal data and privacy of EU citizens in the digital age.
The core purpose of this legislation is to protect the rights of individuals by preventing the unlawful misuse, accidental loss, damage or destruction of their personal data.
The GDPR aims to put control of personal data into the hands of individuals (data subjects), who will be able to request access to their data, ask for their data to be erased, and require their data to be ported to another organisation.
Our policies and commitment to data protection
At 9 Spokes, we put trust at the foundation of our client relationships and are committed to protecting the privacy of individuals whose information is in our custody. We take the security of personal data very seriously and understand that privacy is not just an essential part of what we do, but also a core concern for our business.
9 Spokes’ policy is to comply with the local laws governing the use of personal data that apply to our business, and to ensure that we meet the applicable standards set out in those laws.
We have existing processes and procedures in place to meet the requirements of the current privacy regulatory regime, and we are in the process of developing these to achieve GDPR compliance in advance of its implementation in May 2018.
Our plans for GDPR compliance
To prepare for the introduction of the GDPR and achieve compliance, we have taken expert legal advice and established an overarching business strategy designed to allow every part of our business to understand the scope of our privacy obligations, the rules applicable to personal data, and the steps that need to be taken to avoid a privacy breach under the GDPR.
Core to our strategy are the GDPR’s six data processing principles, which set out that personal data must be:
1. processed lawfully, fairly and in a transparent manner;
2. collected for specified, explicit and legitimate purposes;
3. adequate, relevant and limited to what is necessary;
4. accurate and, where necessary, kept up to date;
5. retained only for as long as necessary; and
6. processed in an appropriate manner to maintain security.
Our compliance strategy consists of various separate and overlapping parts that we have summarised below.
Internal audit, data mapping and gap analysis
We have carried out audits of all personal data processed by 9 Spokes and, from these, mapped the route each category of data takes from acquisition through every stage of its processing, to verify where the data is located, why we gather it, and how we process it.
We have recorded every instance where data is transferred to, or stored outside of, the European Economic Area, and have undertaken Data Protection Impact Assessments (DPIAs) of all of our existing core business functions where a high risk to the rights of data subjects has been identified.
From our audit and mapping exercises, we have identified all processing activity across our business and compiled an inventory of the personal data we process. We have assessed this inventory against the standards of the GDPR from both a data controller and a data processor perspective, to identify areas of strength and areas that required development, allowing 9 Spokes to provide an evolving and enhanced service to our clients.
Governance, documentation and accountability
In order for 9 Spokes to demonstrate our compliance with the GDPR, the following actions have been or will be implemented:
- We have adopted and will maintain internal policies and measures which embrace data protection by design and data protection by default.
- 9 Spokes will publish a revised privacy statement (Privacy Notice) that clearly and transparently sets out the purpose or purposes for which we intend to process personal data, and the information we need individuals to provide so that 9 Spokes can process that personal data fairly and in accordance with the GDPR.
- Updated Terms and Conditions of Use will be issued to our clients in respect of the 9 Spokes services we provide, to ensure that appropriate contractual arrangements governing the flow of personal data are in place as required under the GDPR.
- Technical and organisational measures have already been implemented to protect all personal data that we process against unauthorised or unlawful processing and against accidental loss, destruction or damage. These include encryption of data in transit and at rest, physical protection of data, and educating our teams about how to handle personal data.
- 9 Spokes hosts its services on IBM SoftLayer cloud infrastructure and relies on IBM’s information security practices for aspects of GDPR compliance, including physical data centre security and secure infrastructure management.
- 9 Spokes will engage with our product development, customer support and infrastructure teams to review our systems, processes and products, and to make appropriate changes in compliance with GDPR requirements.
- Consent notices will be issued where consent is the lawful basis for processing, to ensure that personal information is processed fairly and lawfully by 9 Spokes.
- We are committed to educating and training our employees, officers and other individuals who work for 9 Spokes about the GDPR.
- We will also establish clear communication channels to allow our personnel, clients and other relevant third parties to report breaches or violations of the GDPR.
GDPR compliance is not a static process, and 9 Spokes will continue to implement and improve our data protection practices on an ongoing basis.
9 Spokes is committed to sustaining a culture of privacy by design within our business. We will use appropriate technical and organisational measures to ensure that personal data, and any new processes we use to process such data, remain secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We will maintain this through continued training, testing, document review and risk screening at every level.
What to do if you have further questions
If you would like any additional information regarding our procedures and our commitment to becoming GDPR compliant, or further information regarding your legal rights, please contact our customer service team by email at firstname.lastname@example.org, or contact 9 Spokes at email@example.com.
For more information on the GDPR, please visit the UK Information Commissioner’s Office (ICO) website.
Current as at May 1 2018