The EU’s General Data Protection Regulation automatically comes into force on the 25th May 2018. On this date all businesses must comply with the new data protection rules that apply to the collection, storage, processing and use of personal data.
Rejuvenate Productions Ltd does not offer advice on GDPR and this statement must not be construed as advice.
Who does the GDPR apply to
Any business that offers goods or services to individuals within the EU and/or monitors the behaviour of data subjects in the EU must comply with the GDPR.
The GDPR applies to both data processors and data controllers, although they do have different obligations.
What is Personal Data
Personal data is defined under the GDPR as: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data therefore includes, but is not limited to: a name, email address, IP address, photos, location data, bank details, social networking posts, medical information, device IDs, genetic data and biometric data.
Data Subject Rights
Data subjects have the right to request access to all personal data held on them, rectification of inaccurate data, export of data and erasure of data, and to object to processing (for example, for marketing purposes). Appropriate processes and templates should be put in place to allow data subjects to exercise their data subject rights within the statutory time limit (of 1 month).
There are new obligations to report a personal data breach to a data protection supervisory authority where the breach is likely to result in a risk to the rights and freedoms of individuals, and in some circumstances to data subjects. A personal data breach is defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data” and includes paper data, not just electronic data. Breaches must be reported within 72 hours, providing the specific information set out in the GDPR.
Appointing a Data Protection Officer (“DPO”)
Most businesses with fewer than 250 employees will be exempt. However, if a core activity of a business involves large-scale monitoring or processing of sensitive personal data a DPO must be appointed.
Fines for Breaches of the GDPR
Businesses can be fined the higher of up to 4% of their global turnover or 20 million Euros for serious breaches of the GDPR, or 2% of global turnover or 10 million Euros for breaches that are administrative.
Preparing for Change
Businesses must know what personal data they hold, how it is collected, how it is stored and used and where and to whom it is being transferred. All such processes and information must be documented.
Businesses must implement technical and organisational measures that show they have considered and integrated data protection into their processing activities.
To achieve the above objectives, businesses should:
* audit their processing activities and security measures;
* have in place GDPR compliant privacy and security policies;
* review and amend existing contracts with customers, suppliers and subcontractors;
* create a written data processing agreement for use between data processors and data controllers.
Rejuvenate Productions Specific Data Protection Information
Rejuvenate Productions has always taken the safety of your data very seriously and we will continue to do so after GDPR.
Company Registration Details
Rejuvenate Productions Ltd is a private company limited by shares, registered in England and Wales under number 04872054. We are registered with the Information Commissioner’s Office under number ZA228494.
Data Protection Officer
Rejuvenate Productions Ltd has fewer than 250 employees and does not engage in large-scale monitoring of sensitive personal data. As such we consider that we are not obligated to appoint a Data Protection Officer.
Rejuvenate’s Data Centres are operated and managed internally, and they are located within the EU. Hardware is supplied and housed by a range of partners. For information relating to your specific data, please contact Rejuvenate.
The primary Rejuvenate data centre is located in Gravelines. Our backup data centre is in Roubaix. Dedicated service clients will be aware of the location of their data centre. All data centres are protected by perimeter fencing, electric gate entry and a gate house which is manned 24x7x365 by security personnel. Strict access controls are operational within the data centre building, including proximity access card readers and secure lockable racks to prevent unauthorised access to the data centre and equipment.
All our sites with SSL certificates enjoy communication between the web browser and our data centres protected by 256-bit SSL encryption.
Data Breach Notification
Our responsibility to notify all customers of a data breach within 72 hours is acknowledged.
Personnel and Procedures
All Rejuvenate Productions Ltd staff are resident in the UK and we do not use overseas contractors when building or maintaining our core systems.
We operate strict access controls to our production databases. Only technical staff have logons which enable access to production databases. Only senior technical staff have permanent access to update production databases. All other staff can only access data through our own internal tools, which restrict data access to a need-to-know basis.
Rejuvenate Productions Ltd continually strives to improve the functionality of our products in all regards, and GDPR is no exception. The existing and upcoming functionality related to GDPR is detailed below.
© Rejuvenate Productions Limited. Registered in England and Wales
Company Number 04872054