Introduction

The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. The UK Data Protection Act 1998 (DPA) will be superseded by a new DPA currently in Parliament that enacts the GDPR’s requirements.

The new law marks a wide-reaching and significant shift in the way organisations must protect personal data. It will introduce new responsibilities, including the need to demonstrate compliance and will have more stringent enforcement and substantially increased penalties. It grants data subjects a number of new rights, including the right to judicial remedy against organisations that have infringed their rights, and requires organisations to adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting to the applicable regulatory bodies such as the Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO).

Eazy Collect is committed to high standards of information security, privacy and transparency, and many of the GDPR privacy and security principles have already been in place across our processes and systems for several years. Eazy Collect is both a Data Controller in its operation as a business and a Data Processor in the performance of its contracted services to its clients.

We place a high priority on protecting and managing data in accordance with internal policies and accepted standards including ISO 27001, FCA regulatory compliance as a Payment Institution and as an accredited BACS Approved Bureau. ISO 27001 is one of the most widely recognised, internationally accepted independent security standards. ISO 27001 covers certification for the systems, applications, people, technology, processes, and data centres. Eazy Collect complies with all applicable GDPR regulations and will continue to work closely with our clients, suppliers and partners to meet mutual GDPR and contractual obligations for our procedures, products and services.

1. General Approach and Compliance

Led by Eazy Collect’s Board of Directors, Matt Harris (Information Security Officer (ISO) and Data Protection Officer (DPO)) and Melanie Sutherland (Quality Management System and Compliance Officer), our experienced team has conducted a comprehensive review of our systems, processes, solutions and operations to ensure readiness for GDPR compliance. Eazy Collect had already adopted and incorporated into our processes the core privacy by design and by default principles expected of responsible Data Controllers and Data Processors. Our GDPR readiness programme was initiated in November 2017. It began with an initial Data Protection Impact Assessment covering end-to-end documentation of data sourcing, handling, processing and storage. This led to the dissemination of client and supplier communications, the updating of legal contracts and of our privacy policy, and a gap analysis to identify any additional work required.

There were four main areas of focus in preparing and delivering GDPR compliance:

  1. Building on existing security and business continuity management systems and certifications, including ISO 9001, 27001 and FCA Re-authorisation under PSD2, to ensure our own compliance.
  2. Updating of applicable company policies.
  3. Dissemination of guidelines and dedicated communications to assist clients and supplier relationships to meet GDPR.
  4. Implementation audit, delivery and full integration into systems and processes to ensure future GDPR compliance.

Eazy Collect has a robust ISO-based Information Security Management System (ISMS) that blends its certified ISO 9001:2015 QMS with the ISO 27001 security standard. To ensure compliance, Eazy Collect will implement additional or augmented company-wide controls within the ISMS to meet GDPR requirements, using internal and external advisors. This work has already led to updated security policies and procedures; it builds on existing management systems, is informed by gap analysis and data protection risk assessments, and is supported by communication and training programmes.

Eazy Collect’s ISO and DPO will inform, advise and monitor compliance together with the Board. The company will implement tools as appropriate that support the process, provide necessary security and ensure ongoing delivery of objectives.

Eazy Collect’s hosted services and products provided to our clients already meet rigid ISO 27001 data security standards and conform to GDPR. As a Data Processor contracted with clients who are designated as Data Controllers, Eazy Collect has comprehensively reviewed and updated risk assessments to include more detailed consideration of the data types we hold along with a data protection impact analysis of personal information stored and processed.

Policies covering incident response plans, backup data retention and audit recording/retrieval have been reviewed and updated. 

In the highly unlikely event of a data breach, our Security Incident Policy includes specific procedures and escalation processes for appropriate communications and reporting to the applicable regulatory bodies within FCA regulated timeframes.

Appendix 1 (Technical and Organisation Measures) provides further detail about the required security measures, together with brief descriptions and examples of the specific measures implemented across our systems and processes.

2. Eazy Collect Clients - Your GDPR Responsibilities as a Data Controller

It is important to recognise that GDPR compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

The volume of data handled by organisations is growing and is captured, processed and stored on an increasing number of devices and networks. Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures will require organisations to develop a more disciplined approach to customer data, especially those with personal data spread across many locations and/or systems with varying levels of personal data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services with customers.

All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.

Eazy Collect is committed to developing technology solutions to support clients’ GDPR obligations, whether through standard features or through added-value solutions and toolkits. Eazy Collect has adapted its own systems and internal data management to meet GDPR requirements in its role as either a Data Controller or a Data Processor. However, our current Eazy Customer Manager ® solution, made available to clients as part of our core delivery of contracted direct debit and other payment processing services, does not by itself deliver a client’s own GDPR compliance as a Data Controller.

Article 5 of the GDPR outlines the six principles that should be applied to any collection or processing of Personal Data. Eazy Collect complies with all principles.

  • Personal Data must be processed lawfully, fairly and transparently
  • Personal Data can only be collected for specified, explicit and legitimate purposes
  • Personal Data must be adequate, relevant and limited to what is necessary for processing
  • Personal Data must be accurate and kept up-to-date
  • Personal Data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
  • Personal Data must be processed in a manner that ensures its security 

As a Data Controller, you are contractually obligated to implement GDPR compliance fully across your own company processes and to manage it accordingly within your in-house billing and CRM systems.

Data Controllers need to identify lawful processing condition(s) (how you’re using Personal Data) in relation to Personal Data being sent to Eazy Collect for processing. These are:

  • Compliance with a legal obligation
  • Performance of a contract
  • Legitimate Interest
  • Public Interest
  • Vital Interest
  • Consent

The GDPR imposes restrictions on the transfer of Personal Data outside the EU to third countries or international organisations. These restrictions ensure that the level of protection the GDPR affords to the processing and storage of Personal Data is not undermined. Eazy Collect handles, processes and stores all Personal Data inside the EU in accordance with strict ISO 27001 security standards.

3. Key Policies and Documentation

Available Eazy Collect Policies and GDPR related documentation can be found on the links below:

Eazy Collect – GDPR Data Processing

Privacy Policy

Data Protection – GDPR Addendum 

4. Further Useful Resource Materials

Becoming GDPR Compliant – Eazy Collect’s Brief Overview 

ICO’s Guide to GDPR 

Appendix 1 – Technical and Organisation Measures

Eazy Collect has implemented, or will implement, the following controls and technical and organisational measures, along with several others, in adherence to ISO 27001 and to FCA compliance under the second Payment Services Directive (PSD2).

Each numbered entry below gives the required measure and its general description, followed by examples of the specific measures taken.

  1. Access controls to premises and facilities
     Required measure: Preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used.
     Measures taken (examples):
     • Secure door locking and entry code system
     • Restricted staff access during non-business hours
     • Lockable cabinets (servers, storage media)
     • Any outside services (e.g. cleaning or PAT inspections) only on site during business hours
     • Surveillance facilities (alarm system and CCTV; these are not in place within office spaces, but cover windows and entry/exit points)
     • Staff are all known and recognisable
     • Visitor log

  2. Access controls to systems
     Required measure: Preventing data processing systems from being used without authorisation.
     Measures taken (examples):
     • Differentiated access rights (profiles, roles, transactions and objects)
     • Password policy
     • Automatic blocking of access (e.g. on password failure or timeout)
     • Encryption of external devices (smartphones, tablets etc.)
     • Blocking or other control of interfaces (e.g. USB)
     • Logging of failed log-ons

  3. Access controls to data
     Required measure: Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage.
     Measures taken (examples):
     • Differentiated access rights (profiles, roles, transactions and objects)
     • Approval process for access rights
     • Anti-virus programs
     • Signed confidentiality undertakings
     • Secure retention of storage media
     • Secure and certifiable disposal of data

  4. Distribution control
     Required measure: Ensuring that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.
     Measures taken (examples):
     • All payment processing data is encrypted at rest and during transmission
     • Organised retention of storage media
     • Encryption, tunnelling, VPN
     • Electronic signature (i.e. use of SSL/TLS technologies where data signing is inherent in the transfer protocol)
     • Use of HSM
     • Controls over the use of private devices (such as USB flash drives)
     • Logging and audit trail
     • Transport security measures (such as transport of storage media in locked boxes, or recording of the handover of storage media)

  5. Input and audit control
     Required measure: Ensuring that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.
     Measures taken (examples):
     • Hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements
     • Differentiated access rights (profiles, roles, transactions and objects)

  6. Job control
     Required measure: Ensuring that personal data is processed in accordance with instructions, only for the performance of Services pursuant to applicable Agreements.
     Measures taken (examples):
     • Rigid and strict process for the selection of processors and other service providers
     • Documented selection procedures (privacy and security policies, audit reports, certifications)
     • Standardised policies and procedures (including clear segregation of responsibilities) and documentation of instructions
     • Technical measures to identify the individuals involved in the particular process of the instruction
     • Obtaining prior information about the reliability of the data processor and monitoring of contract performance
     • Signed confidentiality undertakings

  7. Availability control and testing
     Required measure: Ensuring that personal data are protected from accidental destruction or loss.
     Measures taken (examples):
     • Backup procedures
     • Uninterruptible power supply (UPS)
     • Remote storage
     • Anti-virus/firewall systems
     • Intrusion prevention (including test-running)
     • Disaster-proof housing of central IT systems (protection from fire, flooding and severe weather conditions)
     • Disaster recovery plan
     • Test-running of data recovery
     • Fire and smoke alarms

  8. Segregation control
     Required measure: Ensuring that data collected for different purposes can be processed separately.
     Measures taken (examples):
     • Different clients’ data separated by software
     • Data logically separated by a system of logical and physical access controls in the network
     • Separation between production and test data

  9. Data integrity
     Required measure: Ensuring that personal data is protected.
     Measures taken (examples):
     • Policies and procedures in place to protect the integrity, confidentiality and availability of Personal Data and to protect it from disclosure, improper alteration or destruction

  10. Secure disposal
     Measures taken (examples):
     • Policies and procedures regarding the disposal of tangible property containing Personal Data

  11. Monitoring
     Required measure: Monitoring of network and production systems during operations and security events.
     Measures taken (examples):
     • Reviewing changes affecting systems that handle authentication, authorisation and auditing
     • Reviewing privileged access to production systems
     • Monthly network vulnerability testing and annual penetration testing

  12. Security incident procedures
     Required measure: Documented Security Incident response plan in accordance with the ISO 27001 standard.
     Measures taken (examples):
     • Roles and responsibilities: formation of an internal incident response team with a response leader
     • Investigation: assessing the risk the incident poses and determining who may be affected
     • Communication: internal reporting, as well as a notification process and escalation to regulatory bodies in the event of unauthorised disclosure of Personal Data
     • Record-keeping: keeping a permanent record of what was done and by whom, to help in later analysis and possible legal action
     • Audit: conducting and documenting root cause analysis and a remediation plan

Appendix 2 - Approved Contractors, Sub-processors and Suppliers

Accountis Europe Limited (Finastra) (BACS Approved Software): Four Kingdom Street, Paddington, London, England W2 6BD

Geeks Limited (Software Application Developer): 2nd Floor, Apollo House, 66A London Road, Morden, England SM4 5BE

VTiger (Client CRM): 22028 Lindy Lane, Cupertino, California, USA

KashFlow Software Limited (Accounting): Ivybridge House, 1 Adam Street, London, England WC2N 6LE

Amazon Web Services (Cloud Infrastructure hosted in London and Dublin): 410 Terry Ave North, Seattle, Washington, USA 98109-5210

BACS Payment Schemes Limited (Regulatory body for Direct Debit Scheme): 2 Thomas More Square, London E1W 1YN

Voca Link Limited (BACS Data Processor and Infrastructure Provider): Drake House, Homestead Road, Rickmansworth, WD3 1FX

Good Principles of Being GDPR Compliant

  • Capture Personal Data at Registration
  • Verify data upfront with an audit trail
  • Use the right data across all processes
  • Regularly cleanse your data and become compliant

Process Your Data Fairly, Lawfully and Transparently

The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell individuals what their personal data will be used for. 

Process Your Data for the Right Purpose

The purpose limitation principle states that personal data collected for one purpose shouldn't be used for a new, incompatible purpose. Eazy Collect only processes personal data for the original purpose for which the data was lawfully obtained.

Only Process the Data You Need

The principle of data minimisation states that organisations should only process the personal data needed to achieve their processing purposes. Personal data must be adequate, relevant and limited to what is necessary. This obligation rests with you.

Ensure Your Data is Accurate

The risks to individuals if inaccurate data is processed are obvious. Personal data must be kept accurate and, where necessary, kept up to date. You need to take every reasonable step to ensure that inaccurate personal data is erased or rectified immediately.

Store Your Data Appropriately

Personal data shouldn't be kept for longer than necessary, and all Data Controllers have data retention obligations. Under GDPR, individuals have the right to have their personal data erased; however, as a result of the Direct Debit Scheme Rules, transaction data can be stored indefinitely because of the requirement to reconcile potential future direct debit indemnity claims.

Keep Your Data Secure

You need to ensure that personal data you collect is kept secure against external threats such as hackers, and internal threats such as poorly trained employees. Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

Stay Responsible

The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand in hand with the growing powers of data protection authorities (DPAs). You need to be able to demonstrate compliance with the Data Protection Principles. Using Eazy Collect's solutions will help you meet the accountability principle.