Drinx.com T/A Bottled and Boxed
GDPR COMPLIANCE STATEMENT
Introduction to GDPR
The General Data Protection Regulation will come into effect on the 25th of May 2018 and will replace the existing Data Protection Act (1998). GDPR is designed to protect personal data and the privacy of citizens across Europe. The UK’s decision to leave the EU will not affect the Regulation.
We are committed to ensuring the security and protection of the personal information that we process and to achieving compliance with GDPR prior to the implementation deadline in May. We have an effective data protection programme in place however we recognise our obligations in updating and expanding this programme to meet the demands of the GDPR.
Our preparation and objectives for GDPR compliance include the development and implementation of new data protection policies, procedures and controls to ensure maximum compliance.
Overview of the steps we are taking
• We are carrying out a company audit to identify what personal information we hold, where it comes from, why we hold it, how it is processed, how long we keep it and where it is stored.
• We are updating our policies and procedures for data protection to meet the standards of the GDPR. We have identified the changes required to our systems and procedures and will implement these in order to achieve and maintain GDPR compliance.
• We have ensured that we understand and will adequately record our obligations and responsibilities with privacy by design and the right of individuals at the core of our working, policies and practices.
• We understand our responsibility to protect the individual’s interests and the security and rights of customer data is at the forefront of everything we do.
• We have updated our retention policy to ensure that personal information is not retained for longer than can be justified under our Legitimate Interest or longer than required under the Legal System or Statute of Limitations.
• Our data breach procedures ensure we have safe guards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. All employees are aware of the reporting lines and steps to follow.
GDPR DATA BREACH POLICY
The GDPR defines personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4(12)).
The data Controller provides the data records, then determines the purposes and means of processing personal data.
A Processor is responsible for processing personal data on behalf of a Controller.
Typically for Drinx.Com Ltd this will involve receiving the relevant data, uploading to our sales ordering system for the sole purpose of dispatching the goods via a courier.
The data required by Drinx.Com Ltd as a Processor is both billing title, full name and address, postcode plus e-mail and contact telephone number and delivery title, full name and address, postcode with the additional option of providing a telephone number purely to be used in the event of a delivery query.
Who should Drinx.Com Ltd notify a data breach to and when?
Within its role as a data Processor, Drinx.Com Ltd shall notify the Controller without undue delay after becoming aware of a data breach. Both organisations will maintain documentation on data breaches, their nature and the remedial actions taken.
As per article 33 of the GDPR: In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The breach resulting in a risk to the rights and freedoms of individuals also has to be communicated to the individuals affected. The notification has to be made without undue delay and within 72 hours after the Controller becomes aware of it.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Should it not be possible to provide the information at the same time, the information may be provided in phases without undue further delay.
What should the notification include?
The GDPR specifies that the notification to the ICO, and therefore communicated between the Processor and Controller, must include:
• The nature of the data breach (including the categories of data, number of data records or number of data subjects affected.
• Name and contact details of the Controller’s contact
• Likely consequences of the breach
• Measures taken to address the breach
Steps taken by Drinx.Com Ltd to avoid a data breach
To avoid a data breach occurring Drinx.Com Ltd have taken the following steps:
• We have carried out a full, in depth data audit including what and how data is held, managed, accessed and the relevant procedures
• We have considered the risks that our data processing tasks may pose to the data subjects and have concluded that these are minimal.
• Although any risks to our data security are minimal we have taken additional steps to improve organisational security both with regards to IT, physical documents and employees as well as introducing an annual review.
• Staff training procedures and documents are in the process of being updated to ensure all staff will be aware of our GDPR obligations and commitment to data security and are also aware of the relevant notification procedure for a data breach.