Download this information here: SunCatcher GDPR.pdf

GDPR and SunCatcher

The GDPR (General Data Protection Regulation) will replace the current DPA (Data Protection Act) from 25th May 2018. The main aim of the regulation is to give citizens greater control over what can be done with their personal data by businesses, and SunCatcher is committed to the protection of the data of our authors, vendors, and consumers.

Our GDPR process

We have completed a full audit of all our existing applications, websites, information systems and data processing activities. We have mapped out how and where we collect sensitive and personal data and confirmed our legal basis to hold onto it.

We worked with our vendors to ensure all data that we have a legal basis to hold is managed and processed in a way that is GDPR compliant. We have updated our policies and the language we are using for consent when we collect personal and sensitive information to meet the requirements of GDPR.

Finally, we have set up future workflows to ensure we are addressing privacy by design in the planning of any new projects. We are building the appropriate back-end systems to ensure we are compliant with our information security obligations and are equipped to effectively deal with data subject requests.

We broke down our initiatives into eight different focus areas as mapped out below:

  • Policies: We reviewed centrally located legal policies and guidelines and customised them where necessary. We made policies and guidelines accessible to staff and external customers. This includes incidence response and our Information Security policies and processes.
  • Applications: We identified enterprise applications that hold sensitive and personal data, investigated and implemented security measures, and identified and reviewed retention periods and policies.
  • Websites: We identified websites that collect personal data, and updated consent documentation to ensure that it is GDPR compliant. We also standardised collection mechanisms for future website publications.
  • Vendors: We identified vendors that store and/or process personal data and established additional security measures as necessary. We reviewed agreements and are in the process of inserting model clauses and updating contracts where appropriate.
  • Legal Basis: We determined our measurement of legal basis to hold onto current data that we have a legitimate business reason to keep and discarded where no legal basis existed.
  • Privacy by Design: We developed a standardised process where all new products and projects will have a Data Impact Privacy Assessment conducted at the start. We have targeted staff who deal with personal data for training and prepared an ongoing training programme and onboarding procedure.
  • Data Subject Access Requests: We determined and implemented processes and documentation for
    • Access, Restrict Processing
    • Rectification, Data Portability
    • Erasure, Objections and Breach Escalation Process
  • Communications and Training: We worked with a core project team as well as business owners across all areas of SunCatcher to establish a general business awareness of GDPR and detailed expectations of the staff. We have regular meetings and communications pieces and will continue engagement up to, and beyond, May 2018.

Additional technical and organisational security measures we have in place to protect personal data

Access to our systems is granted on a need to basis; regular backups are taken and data is transmitted securely using HTTPS protocol.  Systems are protected with anti-malware and patched regularly. Firewall and SIEM tools are in place to detect and prevent intrusion. Staff are also provided with regular cyber security and awareness training