SR Partnership recognises the significance of its compliance obligations in respect of both Data Protection and Information Security in relation to its General Data Protection Regulation (GDPR). We have always taken data security and privacy extremely seriously and believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. As such we are committed to GDPR compliance. Our aim has always been to provide you with the highest level of data security and as such we constantly review and reinforce our data protection and information security practices.
This definition document defines how SR Partnership have addressed GDPR Compliance.
Our Responsibilities as a Data Processor
There is a requirement placed on SR Partnership that we must adhere to the full requirements of GDPR, in addition to the contractual requirements, or we may be held liable or jointly liable in the event of a breach depending on the circumstances.
In addition to our contractual obligations to the data controller, under the GDPR, as a processor we recognise we also have the following direct responsibilities:
- not to use a sub-processor without the prior written authorisation of the data controller;
- to co-operate with supervisory authorities (such as the ICO);
- to ensure the security of our processing;
- to keep records of processing activities;
- to notify any personal data breaches to the data controller;
- to employ a data protection officer where required under GDPR; and
- to appoint (in writing) a representative within the European Union if needed.
We understand that as a processor, if we fail to meet any of these obligations, or act outside or against the instructions of the data controller, then we may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
In response to the above, we can confirm:
- We will only process personal data in accordance with your instructions,
- We do utilise sub-processors (Assessors) in order to provide our services. These Assessors are subject to GDPR reviews to ensure are meeting their responsibilities under GDPR.
- We will co-operate with supervisory authorities (such as the ICO) as required;
- We commit to ensuring the security of our processing;
- We commit to keeping records of processing activities (Data Matrix);
- We will inform data controllers of a personal data breach “without undue delay” after becoming aware of it.
- We are not required under GDPR to employ a data protection officer. However, in recognition of the importance of Data Protection, we have instructed a Senior Member of staff to be our ‘Data Compliance Officer’ who will take ultimate responsibility for upholding GDPR compliance within SR Partnership.
- We confirm we are not required to appoint (in writing) a representative within the European Union.
Our Responsibilities as a Data Controller
In its own right, SR Partnership has a responsibility to comply with the requirement GDPR.
We can confirm that we have undergone a review of our internal operations and have ensured that all our GDPR compliance requirements have been addressed. We have opted to take a ‘best practice’ approach that takes elements from the BS10012:2017 standard for Personal Information Management to ensure we apply a thorough, risk-based approach to data protection.
In particular we have:
- Undertaken a full Privacy Impact Assessment of all our activities that involve personal data
- Compiled a Data Inventory/Data Flow (Data Matrix) to fully understand personal data and the GDPR compliance requirements within SR Partnership
- Undertaken a review of all organisational and technical measures in respect of Information Security and Data Protection (e.g. Data Protection Policy, Retention Policy & Schedule, Data Subjects Rights Procedure, Information Security controls, Supply Chain GDPR vetting controls etc.)
- Undertaken full staff awareness for GDPR (to also include Information Security)
- Undertaken a review of critical suppliers and conducted due diligence checks of their GDPR compliance status and taken appropriate action as a result (where applicable)
Any questions relating to data privacy or GDPR with SR Partnership or this definition document should be sent by email to email@example.com or by writing to SR Partnership at SR Partnership Ltd, Tythe Farm, Staploe Road, Wyboston, Bedfordshire, MK44 3AT. Alternatively, you can call our Data Compliance Officer on 01480 219314.