DATE: 12th March 2018
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
GDPR compliance is mandatory and will apply to i2i Marketing as we hold the data of thousands of staff and collect consumer data during experiential campaigns and through promotions.
i2i Marketing will comply with applicable GDPR regulations as a data controller and processor when they take effect on 25th May 2018. Working in conjunction with our clients, we will explore opportunities within our services offerings to assist our customers to meet their GDPR obligations.
Where Does i2i Stand?
We are committed to address EU data protection requirements applicable to us as a data controller and processor. We are working with a specialist external consultant Acuity Dataguard to ensure we are fully compliant with GDPR.
i2i collects personal data from consumers through experiential and promotional activity for clients. We also hold thousands of staff members’ private details, including names, email addresses, home addresses, and so on.
The GDPR states that there are two main parties involved, both of whom must align to ensure the standards are carried out.
A controller specifies how and why personal data is processed, while a processor conducts the actual processing of the data (source).
In the case of the staffing database, i2i is the controller and Watu is the processor. In the case of marketing, promotions and experiential activity, our clients are the controllers and i2i is the processor.
The controller is responsible for ensuring the processor is following the law.
NEW RULES & i2i’S APPROACH
i2i has invested in the highest levels of IT security, working with our IT company RockIT to minimise any potential breaches.
If i2i’s security were ever breached and data exposed in a way that could result in a risk to the individuals concerned, it is i2i’s responsibility to inform the affected clients or staff as soon as possible. The rules state that notification to the individuals must be within 72 hours.
Consumers and staff must explicitly confirm that they want to be contacted, and i2i will actively seek permission confirming that they want to be contacted. This will be designed into all communication, whether by email or promotional leaflets.
i2i will ensure that only personal data that is genuinely needed and can be justified is requested and collected.
Right to access:
Individuals may, at any time, request “from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose”. This must be provided free of charge, with the option of the information being provided in electronic format.
If the i2i Marketing team receives a request from a consumer or a staff member for details about their data, we will process this request within 48 hours.
For staff, we process the data provided via the profile template questions for use related to booking them work.
This data is already available to staff through their staff profiles, which they have free access to at any point, and we can provide a copy in electronic format if so requested.
Right to be forgotten:
Staff may withdraw consent to their personal data being held at any time. In this case, i2i is responsible for removing the data.
If a staff member contacts i2i after having cancelled their account and requests that their personal data be erased, we are able to do so by changing their personal details to ‘blanks’. If they are no longer due any payment, we are also able to erase their bank details.
Right to data portability:
This rule states that the individual must have access to the data held about them, and that we must be able to provide it in a ‘machine readable format’ so that it can be passed on to another controller.
If a staff member reaches out to i2i, we are able to provide them with this data, which would include their profile template details and bank details, as these were ‘previously provided’ by the individual.
Privacy by design:
This refers to building a secure structure from the start, as well as limiting access to data.
i2i ensures that its data is kept extremely secure; this is our first priority with regard to the software. The data is held with a reputable company and is encrypted where necessary.
All staff are being contacted to reconfirm in writing that they are happy for their details to remain on the i2i database and for their contact details to be shared with event managers on the specific jobs they are working on.
With regard to ‘data minimisation’, which states that only the minimum necessary data may be requested and accessed, we only ask questions in the profile template that are relevant to the type of work.
Additionally, bank information is only gathered after a staff member has been confirmed for a piece of activity, so that we do not unnecessarily collect private data.
To limit access to only those who need the information, we have ensured that each client account is kept separate. The only people with access to this data are i2i managers and the developers.
Data protection officers:
A company must appoint a DPO if it handles certain types of data, such as criminal convictions, or if it monitors data subjects on a large scale.
i2i does not handle data on this scale and so does not have a dedicated DPO, but it has a Board Director responsible for data protection. We consider the protection of data to be the responsibility of the entire team and, as mentioned earlier, the security of this data remains our absolute priority. As changes in the law come about, we will work together to ensure i2i remains in accordance with the legal requirements.
i2i will be transparent about our use of data and will demonstrate that an individual’s data is treated with respect and held securely, and that the customer’s best interests are at the heart of everything we do.
As the above shows, i2i already fulfils many of the requirements set out by the new GDPR. We have a consistently transparent and helpful policy, and many of the requirements have already been in practice, such as offering to wipe staff data and ensuring that structures are designed with security in mind.
We will continue to operate as such, and welcome queries and comments from any clients or staff.