May 24, 2018
In December 2015, the EU Parliament and Council reached agreement on the EU General Data Protection Regulation (GDPR), first proposed in 2012; the regulation was adopted in April 2016 and applies from May 25, 2018.
GDPR sets out a new framework for data protection with increased obligations for organizations. It focuses on protecting personal data and handing control of that data back to the data subject.
Below you will find our GDPR policy and information on the following:
- 1. Customer GDPR Roll-Out
- 2. Governance Structure and Jonathan Adler’s Data Protection Officer
- 3. Data Mapping
- 4. Information Security
- 5. Privacy Impact Assessments
- 6. Responding to Subject Access Requests / Rectification / Deletion
- 7. Data Breach Reporting
- 8. Who to Contact
1. Customer GDPR Roll-Out
Where we process personal data, we rely on one of the lawful bases for processing set out in Article 6 GDPR, whether the data relates to those using our products/services or to those interested in doing so.
At Jonathan Adler we collect information for the following reasons:
To better serve our clients' interests and to provide them with a more tailored experience
To perform a contract with those using our products/services or those who have expressed interest in doing so
To process information where we have a legitimate interest in providing those using our products/services, or those interested in doing so, with information and/or services
To convey information that is in the public interest
To convey information that is of vital interest to those using our products/services or those interested in doing so
To contact those using our products/services, or those interested in doing so, where they have given their consent
2. Governance Structure and Jonathan Adler’s Data Protection Officer
Data privacy is discussed throughout Jonathan Adler, with frequent reminders to all of our employees who handle personal information, to the Executive Team, and to members of our staff at all locations.
Jonathan Adler’s named Data Protection Officer is Damen Seminero.
Damen leads the Privacy and Data Compliance initiative at Jonathan Adler, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.
3. Data Mapping
Jonathan Adler is in the process of completing its Article 30 records of processing activities (our data mapping exercise). We know what data we have, where it is held, how we access it, and the classification of the data, and we keep records of transfers and flowcharts showing how data moves between systems, processes and countries.
4. Information Security
Our Chief Technology Officer, Damen Seminero, is responsible for maintaining information security.
This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), restricted access to personal data, protection of our physical premises and hard assets, security measures for our team members (e.g. pre-screening), a data-loss prevention strategy, and regular testing of our security posture across our product family.
5. Privacy Impact Assessments
Where processing is likely to result in a high risk to individuals, a Privacy Impact Assessment (a Data Protection Impact Assessment in the terms of Article 35 GDPR) will be completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire, and the results of periodic testing.
6. Responding to Subject Access Requests / Rectification / Deletion
Jonathan Adler has a process in place to manage these requests and sees no issue responding within the GDPR timescale of one month from receipt of the request (Article 12(3)).
7. Data Breach Reporting
The UK Information Commissioner's Office (ICO) has published a blog post that clears up a lot of myths around data breach reporting. Article 33(2) states that, as a data processor, Jonathan Adler's obligation is to notify data controllers of a personal data breach without undue delay after becoming aware of it.
The Article 29 Working Party (WP29) has provided guidance on this which states:
“The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.”
Jonathan Adler's position is that the regulation says "without undue delay", and that is what we will abide by. We also recognize that for our Customer, the Data Controller, the 72-hour clock for notifying the supervisory authority under Article 33(1) only starts when they become aware that there has been an incident, which is why we notify promptly and follow up with further detail in phases as it becomes available.
8. Who to Contact
You can reach our Compliance team via email for any GDPR related questions at: firstname.lastname@example.org