The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. The UK Data Protection Act 1998 (DPA) will be superseded by a new DPA currently in Parliament that enacts the GDPR’s requirements.
The new law marks a wide-reaching and significant shift in the way organisations must protect personal data. It introduces new responsibilities, including the need to demonstrate compliance, and brings more stringent enforcement and substantially increased penalties. It grants data subjects a number of new rights, including the right to a judicial remedy against organisations that have infringed their rights, and requires organisations to adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting to the applicable regulatory bodies, such as the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO).
Eazy Collect is committed to high standards of information security, privacy and transparency, and many of the GDPR privacy and security principles have already been in place across our processes and systems for several years. Eazy Collect is both a Data Controller in its operation as a business and a Data Processor in the performance of its contracted services to clients.
We place a high priority on protecting and managing data in accordance with internal policies and accepted standards, including ISO 27001, FCA regulatory compliance as a Payment Institution and accreditation as a BACS Approved Bureau. ISO 27001 is one of the most widely recognised, internationally accepted independent security standards; its certification covers systems, applications, people, technology, processes and data centres. Eazy Collect complies with all applicable GDPR requirements and will continue to work closely with our clients, suppliers and partners to meet mutual GDPR and contractual obligations for our procedures, products and services.
1. General Approach and Compliance
There were four main areas of focus in preparing and delivering GDPR compliance:
- Building on existing security and business continuity management systems and certifications, including ISO 9001, 27001 and FCA Re-authorisation under PSD2, to ensure our own compliance.
- Updating of applicable company policies.
- Dissemination of guidelines and dedicated communications to assist clients and supplier relationships to meet GDPR.
- Implementation audit, delivery and full integration into systems and processes to ensure future GDPR compliance.
Eazy Collect has a robust ISO-based Management System (ISMS) that blends its certified ISO 9001:2015 QMS with the ISO 27001 security standard. To ensure compliance, the company will implement additional or augmented company-wide controls within the ISMS to meet GDPR requirements, using internal and external advisors. This has already led to updated security policies and procedures and will build on existing management systems, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.
Eazy Collect’s Information Security Officer (ISO) and Data Protection Officer (DPO) will inform, advise and monitor compliance together with the Board. The company will implement tools as appropriate that support the process, provide the necessary security and ensure ongoing delivery of objectives.
Eazy Collect’s hosted services and products provided to our clients already meet stringent ISO 27001 data security standards and conform to the GDPR. As a Data Processor contracted to clients who are designated as Data Controllers, Eazy Collect has comprehensively reviewed and updated its risk assessments to include more detailed consideration of the data types we hold, along with a data protection impact analysis of the personal information stored and processed.
Policies covering incident response plans, backup data retention and audit recording/retrieval have been reviewed and updated.
In the highly unlikely event of a data breach, our Security Incident Policy includes specific procedures and escalation processes for appropriate communications and reporting to the applicable regulatory bodies within FCA-regulated timeframes.
Appendix 1 (Technical and Organisation Measures) provides further detail about the required security measures, together with brief descriptions and examples of the specific measures implemented across our systems and processes.
2. Eazy Collect Clients - Your GDPR Responsibilities as a Data Controller
It is important to recognise that GDPR compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.
The volume of data handled by organisations is growing, and it is captured, processed and stored on an increasing number of devices and networks. Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures will require organisations to develop a more disciplined approach to customer data, especially organisations with personal data spread across many locations and/or systems with varying levels of data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services to customers.
All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.
Eazy Collect is committed to developing technology solutions to support clients’ GDPR obligations, whether through standard features or added-value solutions and toolkits. Eazy Collect has already adapted its own systems and internal data management to meet GDPR requirements in its role as either a Data Controller or a Data Processor; however, our current Eazy Customer Manager® solution, made available to clients as part of our core contracted direct debit and other payment processing services, does not by itself deliver a client’s own GDPR compliance as a Data Controller.
Article 5 of the GDPR sets out the six principles that apply to any collection or processing of Personal Data. Eazy Collect complies with all of them:
- Personal Data must be processed lawfully, fairly and transparently
- Personal Data can only be collected for specified, explicit and legitimate purposes
- Personal Data must be adequate, relevant and limited to what is necessary for processing
- Personal Data must be accurate and kept up-to-date
- Personal Data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal Data must be processed in a manner that ensures its security
As a Data Controller, you are contractually obligated to implement GDPR compliance fully across your own company processes and to manage it accordingly within your in-house billing and CRM systems.
Data Controllers need to identify the lawful processing condition(s) (the basis on which you are using Personal Data) that apply to the Personal Data being sent to Eazy Collect for processing. These are:
- Compliance with a legal obligation
- Performance of a contract
- Legitimate Interest
- Public Interest
- Vital Interest
The GDPR imposes restrictions on the transfer of Personal Data outside the EU to third countries or international organisations. These restrictions ensure that the level of protection the GDPR affords to the processing and storage of Personal Data is not undermined. Eazy Collect handles, processes and stores all Personal Data inside the EU in accordance with strict ISO 27001 security standards.
3. Key Policies and Documentation
Available Eazy Collect Policies and GDPR related documentation can be found on the links below:
4. Further Useful Resource Materials
Appendix 1 – Technical and Organisation Measures
Eazy Collect has implemented, or will implement, the following controls and technical and organisational measures, along with several others, in adherence to ISO 27001 and FCA compliance under the second Payment Services Directive (PSD2).
| # | Required Measure and General Description | Description of Measures Taken |
|---|---|---|
| 1 | Access controls to premises and facilities | |
| 2 | Access controls to systems: preventing data processing systems from being used without authorisation | |
| 3 | Access controls to data: ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage | |
| 4 | Distribution control: ensuring that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged | All payment processing data is encrypted at rest and during transmission |
| 5 | Input and Audit control | |
| 6 | Job control: ensuring that personal data is processed in accordance with instructions, only for the performance of Services pursuant to applicable Agreements | |
| 7 | Availability control and Testing: ensuring that personal data are protected from accidental destruction or loss | |
| 8 | Segregation control: ensuring that data collected for different purposes can be processed separately | |
| 9 | Data Integrity: ensuring that personal data is protected | |
| 10 | Secure Disposal | |
| 11 | Monitoring of network and production systems during operations and security events | |
| 12 | Security Incident Procedures | Documented Security Incident response plan in accordance with the ISO 27001 standard |
Appendix 2 - Approved Contractors, Sub-processors and Suppliers
Accountis Europe Limited (Finastra) (BACS Approved Software): Four Kingdom Street, Paddington, London, England W2 6BD
Geeks Limited (Software Application Developer): 2nd Floor, Apollo House, 66A London Road, Morden, England SM4 5BE
VTiger (Client CRM): 22028 Lindy Lane, Cupertino, California, USA
KashFlow Software Limited (Accounting): Ivybridge House, 1 Adam Street, London, England WC2N 6LE
Amazon Web Services (Cloud Infrastructure hosted in London and Dublin): 410 Terry Ave North, Seattle, Washington, USA 98109-5210
BACS Payment Schemes Limited (Regulatory body for Direct Debit Scheme): 2 Thomas More Square, London E1W 1YN
VocaLink Limited (BACS Data Processor and Infrastructure Provider): Drake House, Homestead Road, Rickmansworth, WD3 1FX
Good Principles of Being GDPR Compliant
Capture Personal Data at Registration
- Verify data upfront with an audit trail
- Use the right data across all processes
- Regularly cleanse your data and become compliant
Process Your Data Fairly, Lawfully and Transparently
The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell individuals what their personal data will be used for.
Process Your Data for the Right Purpose
The purpose limitation principle states that personal data collected for one purpose shouldn't be used for a new, incompatible purpose. Eazy Collect only processes personal data for the original purpose for which the data was lawfully obtained.
Only Process the Data You Need
The principle of data minimisation states that an organisation should only process the personal data needed to achieve its processing purposes. Personal data must be adequate, relevant and limited to what is necessary. This obligation rests with you.
Ensure Your Data is Accurate
The risks to individuals if inaccurate data is processed are obvious. Personal data must be kept accurate and, where necessary, kept up to date. You need to take every reasonable step to ensure that inaccurate personal data is erased or rectified immediately.
Store Your Data Appropriately
Personal data shouldn't be kept for longer than necessary, and all Data Controllers have data retention obligations. Under the GDPR, individuals have the right to erasure of their personal data; however, as a result of the Direct Debit Scheme Rules, transaction data can be stored indefinitely because it is required to reconcile potential future direct debit indemnity claims.
Keep Your Data Secure
You need to ensure that the personal data you collect is kept secure against external threats, such as hackers, and internal threats, such as poorly trained employees. Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand in hand with the growing powers of data protection authorities. You need to be able to demonstrate compliance with the Data Protection Principles. Using Eazy Collect's solutions will help you meet your obligations under the accountability principle.