Skip to main content

How Reward Gateway complies with the GDPR

Mohammad Mansoor
  • Updated

This document explains at a high level, how we comply with the core principles of GDPR

 

Lawfulness, fairness and transparency

  • We ensure we have a proper lawful basis for processing data, and only choose to use Consent when it’s appropriate. If we wish to use Legitimate Interests, we ensure a Legitimate Interests Assessment is carried out. 
  • We only process data in ways that people would expect. When we are designing new data processing processes, we ensure that data collection is seen as fair and not disproportionate to our aims. 
  • We explain all of these details in our Privacy Notices to ensure transparency. 

 

Purpose Limitation

  • Our Privacy Notices and internal documentation make clear the reasons for collecting data, and we ensure that data collected for specific purposes is not reused for any other purpose. 

 

Data minimisation 

  • Put simply, we only collect personal data we actually need for specific purposes. If we don’t need it, we won’t collect it. 
  • Our Privacy by design process ensures the data we collect is adequate, relevant and limited to what is necessary

Accuracy

  • Most of the data we hold on members comes from our customers Human Resource Information Systems (HRIS) and therefore should already be accurate.
  • We prompt our customers to regularly provide membership updates to capture starters, leavers and any changes of members information.
  • Members can update their details directly through their Profile, or by getting in touch with our support teams. 

Storage Limitation

  • We have no interest in keeping data for longer than required. We apply strict retention policies to our data;
    • Erasing data within 180 days of contract termination
    • Within contract, we delete members data after 2 years of inactivity, and
    • 60 days after a member is marked as a leaver
    • This is reflected in our Privacy Notices and our Data Processing Agreement 

Integrity and Confidentiality

  • Reward Gateway has put Security at the forefront of our business since its founding in 2006 and was the first benefits company in the UK to achieve ISO27001 compliance in 2009.
  • We have a full time team of Information Security professionals with qualifications including CISSP, PCI ISA, ISO27001 Internal Auditor. 
  • We apply Centre for Internet Security (CIS) hardening baselines to all assets and perform threat analysis using Microsoft's STRIDE framework. 
  • Our Vulnerability Management Programme scans all assets monthly, and we have contracts with forensic incident response firms on standby. 
  • We publish twice-yearly penetration test reports, copies of our policies and procedures and much more in our Security Pack

 

Accountability and Governance

  • We have Data Protection Policies covering our group companies.
  • We ensure ‘data protection by design and default’ by ensuring our Information Security Team and Data Protection Officer are involved in all product design discussions.
  • We carry out Data Protection Impact Assessments where needed
  • We have a Data Protection Officer (DPO@rewardgateway.com
  • We maintain written contracts and Data Processing Agreements with clients and suppliers 

Related articles