As an in-house system provider, we have compiled the frequently asked questions below to help you with inquiries from our customers, partners and suppliers. We will continue to update and maintain this section regularly while we review our current policies to comply with GDPR.
Q: What is GDPR?
A: The General Data Protection Regulation (GDPR) was published in 2016. It harmonises data protection law across the EU and replaces the UK Data Protection Act 1998. It applies from 25 May 2018.
Q: What is the goal of GDPR?
A: To give data subjects greater control over how they are communicated with, how their personal data is safeguarded and how their privacy is protected.
The data protection principles (Article 5) require that personal data be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than necessary
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Q: What is the definition of personal data?
A: Any information relating to an identified or identifiable living individual. A single item may not identify anyone on its own: a common name such as Dave Smith could belong to many people. Combined with other data, such as an IP address, email address or employee number, it does identify a person, and the whole set is then personal data subject to the GDPR. Note that the GDPR lists IP addresses among the online identifiers that can make a person identifiable (Recital 30), so an IP address should be treated as personal data even when no name is attached to it.
Q: What are the requirements after Brexit?
A: The same as before. When the UK leaves the EU in March 2019 the GDPR will already be in force in the UK, and the government has drafted a new Data Protection Bill that carries the GDPR's requirements into UK law.
It would also be detrimental for the UK to be out of step with the GDPR: offering goods or services to, or monitoring the behaviour of, data subjects in the EU brings an organisation within the GDPR's scope regardless of the country it is based in (Article 3(2)).
Q: How is SBS preparing for GDPR?
A:
- We have put together a cross-functional project team and track our activity
- We are attending external training and running an internal awareness programme
- We are seeking professional legal expertise
- We are conducting a data mapping exercise to establish what data we hold, where it came from and who we share it with
- We are reviewing our Privacy Statement to ensure it is written in simple language and easily available
- We are reviewing our procedures and adding documentation as required
- We are identifying the lawful basis for processing personal data
- We are reviewing how we seek, manage and record consent, and refreshing it where necessary
- We are ensuring the right procedures are in place to detect, report and investigate personal data breaches
- We have registered with the ICO
- We have appointed a Data Protection Officer
- We are determining when a Privacy Impact Assessment should be conducted
- We are considering how we share data outside of the EU
Q: In which country is the Data Stored?
A: Sunrise has two data centres, located in North Europe (Ireland) and West Europe (the Netherlands). We also hold diagnostic information, used to maintain the performance and quality of the application; this is stored in the US and is limited to IP addresses only.
Q: Are there formal procedures for deleting Data once the purpose for processing it has been fulfilled?
A: No. Our existing procedures involve disabling users rather than deleting their personal data, in order to comply with our auditing policies. We are reviewing our current policies to comply with GDPR while maintaining our other legal commitments.
Q: How and how frequently is Data deleted from the System?
A: We do not delete any Data from the System.
Q: Are all back-ups of the Data also deleted?
A: No. Our backups have a lifetime of two weeks and are not retained beyond that period.
Q: Are there any formal procedures to notify the supervisory authority and the data subjects in case of a data breach in the System?
A: Yes. Our formal procedures for notifying the supervisory authority and the data subjects on becoming aware of a data breach are included in our Incident Management Process.
Q: Is the Data transferred to or accessed by a third party, and has the data subject been informed of such transfer or access?
A: Yes. The Data is transferred to or accessed by a third party, but the data subjects have not been informed of such transfer.
Q: Is Data transferred to a country outside the EU/EEA (third-country transfer)?