On the 25th May 2018 the European Union (EU) General Data Protection Regulation – EU 2016/679 – (the ‘GDPR’) will come into force. The GDPR establishes global privacy requirements governing the management and protection of personal data whilst respecting individual choice—regardless of where data is processed. The GDPR will provide all EU residents with a greater say over the way in which their personal data is processed by organisations and places new obligations on those organisations.
Proact understands the importance of the new requirements and is committed to being GDPR‑compliant across our services when enforcement begins and on an ongoing basis thereafter.
Protecting our customers’ data has always been something which is fundamental to Proact and we will continue to dedicate significant time and resources to ensure our customers’ data is dealt with carefully and securely and so as to preserve individuals’ privacy in accordance with the law.
Proact believes that the GDPR is a positive step towards strengthening data protection laws across the EU and worldwide, and enabling fundamental individual privacy rights.
How Proact has prepared for the GDPR
Proact has taken steps to implement appropriate technical and organisational measures in order to ensure that its processing of personal information will meet the requirements set out in the GDPR prior to 25th May 2018, and to uphold the protection of the rights of data subjects, including:
- Operation of an Information Security Management System in accordance with the principles of ISO 27001. The Proact corporate group is accredited in each of our major service delivery centres in the United Kingdom, the Netherlands, Germany and Sweden. Proact also utilise third party datacentre providers who are ISO 27001 accredited;
- Other than in respect of intra-group engagement, Proact shall not engage another processor without prior written instruction from the data controller, and ensuring that such processor provides sufficient guarantees to implement its own appropriate technical and organisational measures to meet the requirements of the GDPR;
- Only processing personal data it receives from its customers in accordance with customers’ instructions;
- Ensuring persons authorised to process personal data are under appropriate obligations of confidentiality;
- Maintaining appropriate records of processing activities carried out;
- Carrying out assessments of the impact of processing operations on the protection of personal data, including where Proact processes personal information on behalf of a customer;
- Ensuring a level of security of personal data appropriate to the risk, including as appropriate:
- Pseudonymisation and encryption;
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Business continuity processes to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- Assisting customers, insofar as is reasonable and possible, to fulfil customers’ obligations to respond to requests for exercising data subjects rights under the GDPR;
- At the request of a customer, and in accordance with the customer contract, deleting/returning all personal data after the end of the provision of services relating to processing, and (unless otherwise required by law) deleting existing copies;
- Making available to customers all information necessary to demonstrate our own compliance with the GDPR;
- Cooperate, insofar as reasonable, in audits requested by the customer; and
- Providing reasonable assistance to customers to ensure compliance with their obligations pursuant to Articles 32 to 36 of the GDPR as follows:
- Article 32 – Security of processing
- Article 33 – breach notification to supervisory authority
- Article 34 – breach notification to data subject
- Article 35 – impact assessments
- Article 36 – prior consultation