This document explains, at a high level, how we comply with the core principles of GDPR.
Lawfulness, fairness and transparency
- We ensure we have a proper lawful basis for processing data, and only choose to use Consent when it’s appropriate. If we wish to use Legitimate Interests, we ensure a Legitimate Interests Assessment is carried out.
- We only process data in ways that people would expect. When we are designing new data processing processes, we ensure that data collection is seen as fair and not disproportionate to our aims.
- We explain all of these details in our Privacy Notices to ensure transparency.
- Our Privacy Notices and internal documentation make clear the reasons for collecting data, and we ensure that data collected for specific purposes is not reused for any other purpose.
- Put simply, we only collect personal data we actually need for specific purposes. If we don’t need it, we won’t collect it.
- Our Privacy by Design process ensures the data we collect is adequate, relevant and limited to what is necessary.
- Most of the data we hold on members comes from our customers' Human Resource Information Systems (HRIS) and therefore should already be accurate.
- We prompt our customers to regularly provide membership updates to capture starters, leavers and any changes to members' information.
- Members can update their details directly through their Profile, or by getting in touch with our support teams.
- We have no interest in keeping data for longer than required. We apply strict retention policies to our data:
  - Erasing data within 180 days of contract termination
  - Within contract, we delete members' data after 2 years of inactivity, and
  - 60 days after a member is marked as a leaver
- This is reflected in our Privacy Notices and our Data Processing Agreement.
Integrity and Confidentiality
- Reward Gateway has put Security at the forefront of our business since its founding in 2006 and was the first benefits company in the UK to achieve ISO27001 compliance in 2009.
- We have a full-time team of Information Security professionals with qualifications including CISSP, PCI ISA and ISO27001 Internal Auditor.
- We apply Center for Internet Security (CIS) hardening baselines to all assets and perform threat analysis using Microsoft's STRIDE framework.
- Our Vulnerability Management Programme scans all assets monthly, and we have contracts with forensic incident response firms on standby.
- We publish twice-yearly penetration test reports, copies of our policies and procedures and much more in our Security Pack.
Accountability and Governance
- We have Data Protection Policies covering our group companies.
- We ensure ‘data protection by design and default’ by ensuring our Information Security Team and Data Protection Officer are involved in all product design discussions.
- We carry out Data Protection Impact Assessments where needed.
- We have a Data Protection Officer (DPO@rewardgateway.com).
- We maintain written contracts and Data Processing Agreements with clients and suppliers.