1. PURPOSE OF THIS STATEMENT
The General Data Protection Regulation (GDPR) applies in the United Kingdom from 25th May 2018, and represents a significant overhaul of data protection law. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organisations can make of their personal data, and imposes new legal obligations on those organisations about how they hold and process personal data relating to their staff, customers, suppliers and other stakeholders.
Kingpin Communications Limited (“Kingpin”) takes privacy very seriously, and has undertaken an extensive GDPR-readiness programme using both GDPR-trained internal resources and specialist external advisers. The purpose of this statement is to inform our clients about the steps that we have been taking by way of preparation.
2. INFORMATION AND SECURITY AUDIT
Kingpin has undertaken an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used. We have also undertaken a security audit to ensure that, where we hold and process personal data, there are appropriate technical and organisational measures in place to ensure that the data is protected. Our findings have been documented in order to help us comply with the GDPR’s accountability requirement.
3. LAWFUL BASIS OF PROCESSING
The GDPR states that the processing of personal data is only lawful if it is done under one of the defined “lawful bases”: these include, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organisation’s “legitimate interests”.
On the basis of the output from the information audit, Kingpin has identified an appropriate lawful basis for each kind of processing that we undertake, and these are documented in our privacy notices.
4. PRIVACY NOTICES
Our privacy notices have been updated to ensure that data subjects are properly informed about all the details that GDPR requires us to notify them about, such as the identity and contact details of Kingpin as the controller of the personal data; the contact details for the person responsible for data protection within the organisation; the purposes of the processing, and the lawful basis for it; the “legitimate interests”, where this is the lawful basis of processing on which we are relying; and the existence of the data subject’s right (a) to request access to the personal data, (b) to request rectification or erasure of personal data, (c) to request that the processing is restricted, (d) to object to the processing and (e) to data portability.
5. INTERNAL POLICIES AND PROCEDURES
6. CLIENT AGREEMENTS
We have developed a Data Protection Addendum to our standard terms of engagement that addresses the GDPR’s requirements about contracts between data controllers and data processors where we are handling personal data on behalf of a client. In summary, the Addendum provides that:
The inclusion of this Addendum means that our clients can be assured that, if Kingpin processes personal data on their behalf, it is being done on the basis of a contract that meets those requirements.
8. THIRD PARTY PROCESSORS
We will do our best to ensure that with effect from 25th May 2018, our contracts with any third party companies that process personal data on our behalf include the relevant controller-processor clauses.
9. STAFF TRAINING
We have put in place data protection awareness training for all staff. This includes training about the GDPR’s data protection principles and other key aspects of data protection law as it relates to Kingpin’s business, and as a minimum some essential “do’s and don’ts” in relation to the obtaining, processing and sharing of personal data. Staff need to be aware of the importance of respecting personal data, and of their own responsibilities in this regard.