We are both processor and controller - for different activities. We are a processor when our clients instruct us to carry out an activity, and a controller when we provide services to members directly.
Who provided this opinion?
We consulted extensively with Squire Patton-Boggs and Kirkland to reach this conclusion. We’ve also consulted further with independent Privacy experts.
What led you to reach this conclusion?
Both solicitors recognised that we’re working with our clients to the same goal: ensuring the privacy of the end users, our clients' employees. However, the activities that employees could conduct themselves was a determining factor.
This led to the position that:
We are a processor for the activities we conduct on our clients' behalf to ensure that their employees can access, use the programme and some products, and to provide support around this.
We are a controller for our clients' employees when they engage directly with us to use the full suite of services available. This particularly relates to SmartSpending™ and our handling of payment details.
This does not mean that we are a joint controller.
Do your standard contract terms include the new GDPR mandatory provisions?
Are you maintaining Data Processing Records?
We maintain a full list of Processor and Controller activities we undertake and have created data flow diagrams to illustrate these. These have been aligned to our Supplier Management policies and all processing activities are logged.
Which are the categories of processing Reward Gateway carries out on the client's behalf?
We have identified that the main processing activity we carry out on our clients' behalf is the management of eligibility information (for example; receiving data from you to assign licenses to your employees). Other products we offer (like Childcare Vouchers, Cycle to Work, and Reward & Recognition) have specific processing activities that we have also detailed.
All of this is outlined in our new Data Processing Addendum.
Will you be making any changes to the service as a result?
What about marketing to employees before they register?
As our clients have purchased Reward Gateway as part of their employees' overall benefits package and employment contract, it’s in the employee's interest to know about the service, so we’ll still be able to support you in these endeavours. However, we suggest that our clients check this with their own legal teams.
What about Subject Access Requests and Withdrawal of Consent?
This has always been an obligation of ours under the existing Data Protection Act but we may not have made it sufficiently clear. Individuals can always email email@example.com or apply to us in writing and we will handle their request at no cost.
We have built tools to help handle these with little or no manual intervention on a self-service basis.
For more information please refer to this article.
Will you sign our processing addendum?
Reviewing and signing each individual data processing addendum we receive is not possible or practical. Instead, we’ll be issuing a comprehensive addendum drafted by our solicitors which covers the GDPR changes and ensures you and your employees continue to be properly protected. The updated terms in this addendum will take effect when the GDPR comes into force on 25th May 2018.
Will you continue to process data in accordance with our instructions?
Yes, and we always have. Any data which you or your employee’s put into our systems will only be processed as described in our updated GDPR data processing agreements and conditions. We’ve always been honest about our activities in this area and clearly stated that we would never go against your wishes in this regard.
What about your other processors?
Reward Gateway conducts the majority of data processing activities required to provide the services you use in-house. However, we do need to engage with some other entities or third-parties to assist in supporting or fulfilling these in some cases. Each of these goes through a rigorous selection process to ensure it can deliver the right level of security and privacy.
What about processors who are outside of the EU?
The GDPR still allows for processors to exist outside of the EU and personal data transfers to occur. It also provides several mechanisms for doing this and confirming that an adequate level of protection is applied. This may be done through model contract clauses or confirmed using adequacy frameworks, like the EU-US Privacy Shield.
We contractually commit under our current data processing agreements to enforce these mechanisms if personal data is transferred outside of the EU and will offer an equivalent commitment when the GDPR comes into force.
We are also committed to ensuring that where our processing activities relate to the data which you have supplied to us, we’ll offer the Right to Object and consult with you before making any changes. This is particularly applicable to our web hosting and support provisions.
Have you got in-house data protection expertise?
We have evaluated the requirement for a dedicated DPO and believe we do not require one at this stage. We have a 'responsible person' which is Will Tracz, Chief Technical Architect. In addition,
We have a Security team dedicated to the security of our customer information.
- We evaluate our applications using STRIDE and LINDDUN threat modelling to ensure we build our apps Secure and Private by design.
- We carry out DPIA's for all projects and major changes
We conduct an annual penetration test with MDSec Ltd.
We are ISO 27001:2013 certified and audits are conducted every six months by BSI. This process also requires us to conduct our own annual internal audit against our Information Security Management System (ISMS.)
We already use cryptography and hash function to protect information and have measures in place to secure the communications with our servers.
A number of our clients also conduct their own audits against us and we would be happy to speak with you if this is a requirement of yours.
Our Product and Security teams will work with you and others to ensure that our services continue to help you meet your compliance requirements.
What about your other employees involved in processing activities?
Security and the protection of your information are our number one priority at Reward Gateway.
All Reward Gateway employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training. This training specifically addresses responsibilities and expected behaviours around the protection of information.
Do you have a defined process for response to data breach incidents including engagement of appropriate clients?
This is already covered by our Incident Management Policy and Business Continuity Plans which are in line with ISO 27001 and GDPR.
What standards or certificates do you have?
You and your security and technology teams are able to find more out about this by visiting http://rg.co/security