Commitment to the General Data Protection Regulation (GDPR)
Version: December 2017
Introduction
The new EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It introduces new responsibilities from 25th May 2018, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties compared with the current Data Protection Act (DPA), which it will supersede.
Point Progress is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001. We will comply with applicable GDPR regulations when they take effect, as both a data processor and data controller, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.
Our experienced team are exploring opportunities within our services offerings to assist our customers to meet their GDPR obligations.
Where Do We Stand?
We are committed to address EU data protection requirements applicable to us as a data processor. These efforts have been critical in our ongoing preparations for the GDPR.
Compliance
Our ability to fulfil our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using a third party like us to process personal data. Compliance will be supported by a review to ensure that existing contracts with data controllers and related agreements contain appropriate provisions for any personal data that we may store, balancing the risks and responsibilities between data controllers and data processors.
We are reviewing our already robust systems and will implement additional or augmented company-wide controls to ensure that we meet GDPR requirements. Updated information security policies and procedures will build on existing management systems.
In many areas the hosted services we provide already conform. As data processor, we are undertaking risk assessments to include more detailed consideration of the data types we hold, and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention are being reviewed and updated.
Third-party Audits
As all customers are concerned with their data and its security, we have integrated ISO 27001 into our operating procedures and have undertaken to achieve certification during 2018.
We additionally have Cyber Essentials certification in place and will keep this valid into the future, as well as an undertaking to commission Penetration Tests annually or when there are any major modifications to our system infrastructure or code.
What's Next?
At Point Progress, we strive to deliver an incredible customer experience, earning the trust of hundreds of thousands of users globally. We will continue to make additional required operational changes resulting from the new legislation, and will keep our clients, partners and regulatory authorities informed throughout this process. We have an internal team who will continue to monitor GDPR as it becomes more clearly defined over the next few months and continue to inform our GDPR strategy into the future.
You may find that you have some data maintenance to conduct to be compliant with GDPR, and some processes to implement to maintain onward compliance. Watch out for some exciting products from us to help you manage this need, both in advance of 25th May 2018 and beyond.
This document is provided as of December 2017, for informational purposes only and not to be relied on for any reason. It is subject to change or removal without notice.