GDPR Compliance Statement
FOR THE PURPOSES OF THE GENERAL DATA PROTECTION REGULATION 2016
General Data Protection Regulation 2016
Data protection laws in the UK are changing with effect from 25 May 2018 when the General Data Protection Regulation 2016 ("GDPR") will replace the Data Protection Act 1998. GDPR provides greater protection to individuals whose data is being processed by organisations located in the EU and, in certain circumstances, by organisations based outside of the EU.
GDPR also places a number of new and extended requirements on organisations. Mobivate is committed to ensuring the personal data you provide to us is protected in line with the requirements of GDPR, whether we act as a data controller or as data processor and whether you are our customer, supplier or other contact.
Mobivate is committed to providing high standards of data security, privacy and transparency. We are taking steps to achieve GDPR compliance and aim to be compliant with the key principles of GDPR by 25 May 2018. We are taking action in respect of the following areas:
We have conducted an audit of the personal data we hold. As a result, we have a detailed understanding of the personal data we process, why we process it, the grounds on which we process it, where we store it, to whom the personal data may be transferred, how long we retain it and the security measures that are in place to protect the data.
Based on the results of the audit, we will take steps that we deem necessary (some of which are set out in more detail below) to improve our compliance with the following key principles of GDPR:
- our processing of personal data will be fair and lawful
- personal data will only be obtained for specific, explicit and legitimate purposes
- the personal data we process is adequate, relevant and limited to what is necessary
- the personal data we process is accurate and up to date
- the personal data will not be retained by us for longer than is necessary
- there are appropriate measures in place to protect the personal data from unauthorised or unlawful processing.
We will also ensure we keep appropriate records in respect of the processing we carry out, to demonstrate our compliance with the key principles of GDPR and the decisions we have taken and actions we have implemented in line with GDPR. Where appropriate we will conduct privacy impact assessments, for example if we process new types of personal data or if we change our IT or security processes and systems and such changes may affect our processing of personal data.
Security Standards
Access to our database servers is secured using network Access Control Lists (ACLs) which only allow access from our application servers; databases can only be reached via the application servers. Access to our application servers is double layered: a VPN connection is required to reach the internal network, and the servers themselves are accessed using 1024-bit public/private key authentication. Access to our backend servers is likewise dual layered: it is done over SSH (2048-bit keys) and is only possible from within the VPN. Data file uploads are done over SFTP. Access is only permitted using a public/private key pair (passwords are not allowed), and the key strength can be determined by the customer. The uploaded data files are removed automatically after a few days.
We are updating contracts with our customers and suppliers to ensure they are GDPR compliant and that, where necessary, they contain the processing provisions set out in Article 28 of GDPR. We will work with our suppliers and customers to make sure the new contractual terms reflect the processing that takes place under each agreement.
We will also provide fair processing notices to all data subjects about whom we process personal data to explain how we process their personal data and why.
We are updating our employment contracts and our internal policies and procedures to reflect the requirements of GDPR. We have provided and will continue to provide GDPR training and raise awareness of the changes made to the documentation to all staff.
New employee-facing policies that we will introduce include policies relating to data use, security and retention, subject access requests and breach notification.
If you have any questions about the approach we are taking to GDPR, please contact Mobivate at firstname.lastname@example.org