MMRIT Limited recognises the significance of its compliance obligations in respect of both Data Protection and Information Security in relation to General Data Protection Regulation (GDPR). We have always taken data security and privacy extremely seriously, and believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. As such we are committed to GDPR compliance when enforcement begins on May 25th 2018. Our aim has always been to provide you with the highest level of data security, and as such we constantly review and reinforce our data protection and information security practices.
This definition document defines how MMRIT Limited has addressed GDPR compliance.
Where Client Personal Data resides within MMRIT Limited software/solutions
MMRIT Limited understands that our clients are defined as the Data Controllers as they decide: –
- To collect the personal data in the first place and the legal basis for doing so;
- Which items of personal data to collect, i.e. the content of the data;
- The purpose or purposes the data are to be used for;
- Which individuals to collect data about;
- Whether to disclose the data, and if so, who to;
- Whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
- How long to retain the data or whether to make non-routine amendments to the data.
These are all decisions that can only be taken by the data controller as part of its overall control of the data processing operation.
We recognise that data controllers are liable for their compliance with the GDPR, and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. This definition document is set out to clarify the GDPR position of MMRIT Limited.
Under the GDPR, when a controller uses a processor it needs to have a written contract (or other legal act) in place to evidence and govern their working relationship. MMRIT Limited will only act as a data processor where a contract and/or supplementary agreement is in place that meets the requirements of GDPR.
MMRIT Limited understands that it is a data processor for client data residing in its products, as it decides: –
- What IT systems or other methods to use to store personal data;
- How to store the personal data;
- The detail of the security surrounding the personal data;
- The means used to transfer the personal data from one organisation to another;
- The means used to retrieve personal data about certain individuals;
- The method for ensuring a retention schedule is adhered to; and
- The means used to delete or dispose of the data.
This illustrates that a processor has the freedom to use its technical knowledge to decide how to carry out certain activities on the data controller’s behalf. However, it cannot take any of the over-arching decisions, for example what the personal data will be used for or what the content of the data is. Such decisions must only be taken by the data controller.
MMRIT Limited Business Operations
MMRIT Limited has its own data controller responsibilities for its employees’ records and those of its clients and suppliers for the purposes of payment and invoicing, and Contract/Service provision, but not for the data processing it carries out when it is storing personal data for its clients.
Our Responsibilities as a Data Processor
There is a requirement placed on MMRIT Limited that we must adhere to the full requirements of GDPR, in addition to the contractual requirements, or we may be held liable or jointly liable in the event of a breach depending on the circumstances.
In addition to our contractual obligations to the data controller, under the GDPR, as a processor we recognise we also have the following direct responsibilities: –
- Not to use a sub-processor without the prior written authorisation of the data controller;
- To co-operate with supervisory authorities (such as the ICO);
- To ensure the security of our processing;
- To keep records of processing activities;
- To notify any personal data breaches to the data controller;
- To employ a data protection officer where required under GDPR; and
- To appoint (in writing) a representative within the European Union if needed.
We understand that as a processor, if we fail to meet any of these obligations, or act outside or against the instructions of the data controller, then we may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
In response to the above, we can confirm: –
- We will only process personal data in accordance with your instructions;
- We do/do not utilise sub-processors;
- We will co-operate with supervisory authorities (such as the ICO) as required;
- We commit to ensuring the security of our processing;
- We commit to keeping records of processing activities (Data Matrix);
- We will inform data controllers of a personal data breach ‘without undue delay’ after becoming aware of it;
- We are not required under GDPR to employ a data protection officer. However, in recognition of the importance of Data Protection, we have instructed a Senior Member of staff to be our ‘Data Protection Officer’ who will take ultimate responsibility for upholding GDPR compliance within MMRIT Limited;
- We confirm we are not required to appoint (in writing) a representative within the European Union.
For full details on our Information Security controls, please see our associated Information Security GDPR Definition.
Our Responsibilities as a Data Controller
In its own right, MMRIT Limited has a responsibility to comply with the requirements of the GDPR.
We can confirm that we have undergone a review of our internal operations and have ensured that all our GDPR compliance requirements have been addressed ahead of the 25th May 2018 deadline. We have opted to take a ‘best practice’ approach that takes elements from the BS10012:2017 standard for Personal Information Management to ensure we apply a thorough, risk-based approach to data protection.
In particular we have: –
- Undertaken a full Privacy Impact Assessment of all our activities that involve personal data;
- Compiled a Data Inventory/Data Flow (Data Matrix) to fully understand personal data and the GDPR compliance requirements within MMRIT Limited;
- Risk Assessed the associated personal data Information Assets to ensure we understand and mitigate associated risks, to include formal record of the controls we have applied to the Information Assets;
- Undertaken a review of all organisational and technical measures in respect of Information Security and Data Protection (e.g. Data Protection Policy, Retention Policy and Schedule, Data Subjects Rights Procedure, Information Security controls, Supply Chain GDPR vetting controls etc.);
- Undertaken full staff awareness for GDPR (to also include Information Security);
- Undertaken a review of critical suppliers and conducted due diligence checks of their GDPR compliance status and taken appropriate action as a result (where applicable).
Any questions relating to data privacy or GDPR with MMRIT Limited or this definition document should be sent by email to firstname.lastname@example.org or by writing to MMRIT Limited, 11-21 Paul Street, London, EC2A 4JU. Alternatively, you can call our Data Protection Officer on 0207 300 1100.