General Data Protection Regulation

25 January 2018

GDPR Statement

The EU General Data Protection Regulation (“GDPR”) is European legislation designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the EU approach data privacy.

The GDPR comes into force on 25 May 2018 and introduces an enhanced EU-wide data protection regime that will have direct effect in member states and affect companies established outside the EU who wish to trade with EU partners or within the EU.

SLC is currently reviewing and, where necessary, updating its data protection practices to meet the enhanced requirements of the GDPR.

Who is this Statement for?

This Statement is intended to provide information relating to the steps that SLC is taking to ensure compliance with the GDPR. 

Introduction

If you are currently subject to the Data Protection Act 1998 (DPA), you will be impacted by the GDPR. The GDPR applies to both ‘data controllers’ and ‘data processors’. The definitions of both terms are broadly the same as under the DPA – i.e. the data controller says how and why personal data is processed and the data processor acts on the controller’s behalf. Both data controllers and data processors will have significantly more legal liability if they are responsible for a breach. If you are a data processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. However, if you are a data controller, you are not relieved of your obligations where a data processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

GDPR Impact on the SLC

What does this mean for SLC? It means that we have to investigate our own systems, procedures, working practices, policies etc. to ensure that internally we meet the requirements expected under the GDPR. It also means that SLC will map its data and information flows in order to assess its privacy risks. Once these activities are completed, SLC will put additional security and technological safeguards in place as necessary.

It also means that we have to ensure that the third parties with whom we share personally identifiable information are also carrying out the required work towards compliance. We aim to achieve this by actively speaking with our suppliers, carrying out audits where applicable, and providing assistance if required.

Roles and Responsibilities

SLC can perform two roles:

  • Data Controller – where SLC is the organisation responsible for determining the purposes and means of the processing of personal data; and/or
  • Data Processor – where SLC processes personal data on behalf of our customers.

As a data controller, SLC has the statutory responsibility for the processing of personal data. However, as a data processor, SLC has a contractual responsibility to the relevant data controller or data processor in addition to specific GDPR requirements mainly focussed on security. Generally, regulatory responsibility for use of personal data remains the responsibility of the data controller. SLC is not a joint data controller unless agreed elsewhere separately.

SLC has a Data Protection Officer (DPO) to meet the requirements of the DPA and, following consideration, will determine the extent of support the DPO requires to carry out their duties and meet the requirements of the GDPR.

The Principles

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

SLC shall comply with the GDPR principles for processing personal data, which require that personal data is:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

SLC will also respect the rights of data subjects which are enshrined in the GDPR.

Contacts

For general GDPR related questions, contact GDPR_Responses@slc.co.uk.