For customers resident in the European Union (EU), the EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the UK Data Protection Act 1998.
ADDENDUM: STATEMENT FROM ICONTACT - dated May 2018 and reproduced by permission as below:
“STATEMENT OF GDPR PREPAREDNESS
Introduction At iContact we are very aware of the importance of managing the personal data that we hold, whether that be from a customer, an influencer, an employee or anyone else we interact with through the products and services we provide. We take our privacy and data protection obligations very seriously, and a key part of that right now is ensuring that we align all our data practices with the new requirements of General Data Protection Regulation (GDPR) by May 2018. We are fully committed to doing so and working hard to make this happen. We’re also very conscious that things don’t stop in May 2018. This is an ongoing process and we will be looking to ensure that privacy concerns continue to be built into our products and services, and in our practices and procedures. This note responds to a number of the most frequently asked questions that we have been receiving from our customers about what iContact is doing with respect to GDPR and in particular questions related to data that is provided to us by our customers. This document addresses the following areas: • GDPR Awareness at iContact • Data Inventory – what data do we hold? • How We Handle Customer Data • The Rights of Individuals • Data Retention • Notices and Consent • iContact Suppliers • Breach Notification • Protection of IT Assets We are conscious that this may not answer all of your questions, but we hope this helps to answer many of them, and of course we are happy to respond to any particular concerns you may have. Rest assured that iContact is committed to a program of full GDPR compliance and has a long-term commitment to privacy. GDPR Awareness at iContact GDPR represents a significant change in the European data protection regime but, as the UK regulator (the ICO) has said, in many respects it is an evolution not a revolution. iContact has been subject to and respectful of its data protection obligations under existing law, and will continue to be so leading up to and beyond May 2018. The protection of our customer and employee data has always been a priority for our leadership. We established a GDPR transformation program in 2017 with, at its heart, a cross disciplinary team including representatives from product design, sales, marketing, research, IT, HR and legal all overseen by management. This team includes a designated data protection officer who will liaise closely with our internal and external advisers. Each of our businesses has had internal data protection and privacy awareness programs for many years, and a number of our employees have undergone specific GDPR training. We are introducing a range of GDPR awareness sessions as we move towards May 2018 and beyond. As part of our GDPR transformation program, we have been undertaking a thorough audit of all the personal data we hold throughout the organization and have been conducting a ‘gap analysis’ of GDPR requirements against an assurance framework and mapping this against all activities in the group. We are investing in the creation of robust and sustainable processes to support a strong, long-term GDPR compliance framework. iContact is based in the US but does have customers worldwide. Where we are engaged in cross border data transfers from customers located in the European Economic Area (EEA), we will ensure that we continue to follow appropriate practices and follow one or more of the approved means of protecting personal data that leaves the EEA. This is not something that we can do on our own. The products and services that we provide typically mean that we will be a data processor for data provided to us by our customers which our customers then use through our products and services. As a general rule we do not act as a joint data controller in respect of information provided by our customers. Our customers have their own compliance obligations, and where we can we will work with them to help them comply. Data Inventory The main category of personal data that we process as a data processor is data belonging to our customer. We are enhancing our data protection impact assessment processes and supporting governance frameworks to ensure that privacy issues are considered appropriately in all new product developments that may impact privacy rights. What iContact Does With Customer Data The personal data that we process which is provided by our customers falls into two broad categories: first, personal data of our customers (i.e. the representatives that we interact with in order to provide our products and services); and, second, personal data of recipients that our customers provide to us. Personal information about our customers is usually limited to the contact and other details we need in order to fulfill our obligations to you. Personal information on our customers recipients may be much broader, depending on what our customers provide to us. Typically it will include name and email addresses. With our customers’ subscriber lists, we will act as a data processor, and we only process the information in accordance with our customers’ instructions. We do not typically store or process any special categories of personal data (for example, data regarding mental or physical health, sexual orientation, criminal convictions, and religious or political beliefs). iContact Suppliers Where we engage third party service providers, we do so in accordance with best practice to ensure that those providers are obliged to only process such data in accordance with our instructions, to keep it secure, and not to transfer it outside the EEA other than with our consent or in accordance with the appropriate frameworks. Under GDPR we are obliged to impose certain additional obligations on our data processors, and we are enhancing our framework of controls around such third parties suppliers and sub-processors. We will be updating our suppler contracts and seeking confirmation of GDPR readiness across all of our suppliers’ data processing facilities and security controls surrounding the processing and management of data. We will expect all our data processors to comply with their contractual obligations and more widely with their own obligations under GDPR. Communicating Breaches Data breach notification is one of the key new requirements under GDPR. We are reviewing our controls and processes around data breach detection, investigation and reporting to ensure we can comply with our obligations as data controller and as a data processor, by May 2018. This includes our obligations as a controller to report to the appropriate data protection regulator within 72 hours of discovery, to the data subjects where appropriate, and our obligations as a data processor (e.g. of customer data) to report to the data controller (in this case our customer) without undue delay after becoming aware of a breach. This review also includes assessing the adequacy of present information security assessment programs. IT Protection We have reviewed current IT services and systems and are carrying out remedial actions, where required, to strengthen our IT controls around personal data. We are also reviewing our encryption, anonymization and pseudonymizing controls across customer and supplier data, and on all of our databases. Summary This statement is intended to provide responses to the most common inquiries we have received from our customers. As part of ongoing transformation, iContact will be communicating regularly with its customer base in 2018 about what it is doing on its journey to achieve compliance and how we are protecting customer data, retraining staff and upgrading systems, processes and governance as we move towards compliance with GDPR by May 2018 and onwards, and to ensuring privacy issues continue to sit at the heart of our product and service development plans in the future. If you have more detailed questions that are not covered by this document, please contact firstname.lastname@example.org and we will respond to you as soon as possible.” -----------------