General Data Protection Regulation

GDPR compliance

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in over 20 years came into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Kirona is committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections which have been built into our services and contracts over the years.

What can you do

What are your responsibilities as a customer of Kirona’s?

Job Manager, DRS and InfoSuite customers typically act as the data controller for any personal data they provide to Kirona in connection with their use of Kirona’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Kirona is a data processor and processes personal data on behalf of the data controller when the controller is using Job Manager, DRS and InfoSuite.

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that the processing of personal data is performed in compliance with the GDPR and is secure. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you will find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP). In the UK, the relevant data protection authority is the Information Commissioner’s Office (see

You should also seek independent legal advice relating to your status and obligations under the GDPR because only a lawyer can provide you with legal advice specifically tailored to your organisation and situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.

Where should you start?

As a current or future customer of Kirona, now is the time for you to be compliant with GDPR.

Consider these tips:

  • Familiarise yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
  • Create an updated inventory of personal data that you handle.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and address any gaps.
  • Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.


Kirona’s commitment to the GDPR

Amongst other requirements, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Kirona’s services.

Expert Knowledge, Reliability and Resources

Kirona utilises security and privacy professionals tasked with maintaining the company’s defence systems, developing security review processes, building security infrastructure and implementing Kirona’s security policies.

Data Protection Commitments

Data Processing Agreements

We have updated our standard customer contracts to reflect the GDPR requirements and will make these updates available to existing customers on request to facilitate our customers’ compliance assessment and GDPR readiness when using Kirona’s services.

Processing According to Instructions

Any personal data that a customer and its end-users put into our systems will only be processed in accordance with the customer’s instructions, as described in our GDPR-updated data processing agreements.

Personnel Confidentiality Commitments

All Kirona employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training. Kirona’s Acceptable Use Policy specifically addresses responsibilities and expected behaviour with respect to the protection of information.

All personnel who are customer facing and have access to any customer personal data are DBS security vetted to Baseline Personnel Security Standard.

Use of Sub-processors

Kirona engages some third-party providers to assist in supporting its data processing activities. Each provider must pass a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.

Kirona makes information available about the third-party sub-processors involved in our services and includes commitments relating to sub-processors in the current and updated data processing agreements.

Security of the Services

According to the GDPR, the data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Kirona operates infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services and safe operation by customers. Job Manager, DRS and InfoSuite run on this infrastructure.

Data Return and Deletion

When Kirona receives a deletion instruction from a customer regarding their hosted solution, Kirona will delete the relevant customer data from all of its systems unless retention is mandated by a legal obligation.

Assistance to the Customer

Data Subject’s Rights

Kirona recognises that the GDPR imposes several obligations on data controllers when responding to data subject requests. In particular, a data controller must generally respond within one month of receiving any request. Kirona will assist you in responding to any request from a data subject and in ensuring compliance with your obligations under the GDPR.

Information Security Team

Kirona deploys a dedicated team, headed by a Data Protection Officer, to which data protection-related enquiries can be directed. In the first instance, contact the Compliance Manager

Incident Notifications

The GDPR places a new obligation on data processors to notify the data controller without undue delay after learning of a data breach. Kirona will inform you, without undue delay, of incidents involving your personal data in line with the data incident terms in our current agreements and any updated terms which apply under GDPR.

Standards and Certifications

ISO 27001 (Information Security Management)

ISO 27001 is one of the most widely recognised, internationally accepted independent security standards. Kirona has earned ISO 27001 certification for the systems, applications, people, technology and processes that make up our shared Common Infrastructure as well as for the Job Manager, DRS and InfoSuite products.


What is the GDPR?

The General Data Protection Regulation is a new piece of EU privacy legislation that has replaced the 95/46/EC Directive on Data Protection.

Does the GDPR require storage of personal data in the UK?

No. Like the 95/46/EC Directive on Data Protection, the GDPR sets out certain conditions for the transfer of personal data outside the EU. Such conditions can be met via mechanisms such as model contract clauses.

Will the GDPR give customers the right to audit Kirona?

Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors.

What role does ISO 27001 play in compliance with the GDPR?

Our third-party ISO certifications and audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place.

What other information has Kirona provided on the GDPR?

Kirona has responded willingly to requests from customers to provide a wide variety of detail on this topic. For more information contact the Compliance Manager