Eazy Collect Services Limited - GDPR Policy Statement (updated 25th August 2020)
The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. The UK Data Protection Act 1998 (DPA) will be superseded by a new DPA currently in Parliament that enacts the GDPR’s requirements.
The new law marks a wide-reaching and significant shift in the way organisations must protect personal data. It will introduce new responsibilities, including the need to demonstrate compliance and will have more stringent enforcement and substantially increased penalties. It grants data subjects a number of new rights, including the right to judicial remedy against organisations that have infringed their rights, and requires organisations to adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting to the applicable regulatory bodies such as the Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO).
Eazy Collect is committed to high standards of information security, privacy and transparency and many of the GDPR privacy and security principles have already been in place across our processes and systems for several years. Eazy Collect is both a Data Controller in its operation as a business and a Data Processor in the performance of our contracted services to its clients.
We place a high priority on protecting and managing data in accordance with internal policies and accepted standards including ISO 27001, FCA regulatory compliance as a Payment Institution and as an accredited BACS Approved Bureau. ISO 27001 is one of the most widely recognised, internationally accepted independent security standards. ISO 27001 covers certification for the systems, applications, people, technology, processes, and data centres. Eazy Collect complies with all applicable GDPR regulations and will continue to work closely with our clients, suppliers and partners to meet mutual GDPR and contractual obligations for our procedures, products and services.
1. General Approach and Compliance
There were four main areas of focus in preparing and delivering GDPR compliance:
- Building on existing security and business continuity management systems and certifications, including ISO 9001, 27001 and FCA Re-authorisation under PSD2, to ensure our own compliance.
- Updating of applicable company policies.
- Dissemination of guidelines and dedicated communications to assist clients and supplier relationships to meet GDPR.
- Implementation audit, delivery and full integration into systems and processes to ensure future GDPR compliance.
Eazy Collect has a robust ISO-based Management System (ISMS) which is an amalgamation and blend of its certified ISO9001:2015 QMS and ISO27001 Security Standard and in order to ensure compliance will implement additional or augmented company-wide controls to meet GDPR requirements within the ISMS using internal and external advisors. This has already led to updated information security policies and procedures and will build on existing management systems, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.
Eazy Collect’s ISO and DPO will inform, advise and monitor compliance together with the Board. The company will implement tools as appropriate that support the process, provide necessary security and ensure ongoing delivery of objectives.
Eazy Collect’s hosted services and products provided to our clients already meet rigid ISO 27001 data security standards and conform to GDPR. As a Data Processor contracted with clients who are designated as Data Controllers, Eazy Collect has comprehensively reviewed and updated risk assessments to include more detailed consideration of the data types we hold along with a data protection impact analysis of personal information stored and processed.
Policies covering incident response plans, backup data retention and audit recording/retrieval have been reviewed and updated.
In the highly unlikely event of a data breach, our Information Security Policy includes specific procedures and escalation processes for appropriate communications and reporting to the applicable regulatory bodies within FCA regulated timeframes.
Appendix 1 - Technical and Organisation Measures, provides further detail about the required security measures taken as well as brief descriptions and examples of the specific measures implemented across our systems and processes.
2. Eazy Collect Clients - Your GDPR Responsibilities as a Data Controller
It is important to recognise that GDPR compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.
The volume of data handled by organisations is growing and is captured, processed and stored on an increasing number of devices and networks. Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures will require organisations to develop a more disciplined approach to customer data, especially those with personal data spread across many locations and/or systems with varying levels of personal data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services with customers.
All organisations will need to be confident, for example, that personal and transactional data can be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.
Eazy Collect is committed to developing technology solutions to support clients’ GDPR obligations, whether through standard features or added value solutions or toolkits. Currently, Eazy Collect has adapted its own systems and internal data management to meet GDPR requirements in its role as either a Data Controller or Data Processor; however, our current Eazy Customer Manager ® solution made available to clients in the provision of our core delivery of contracted direct debit and other payment processing services does not itself meet a client’s own GDPR compliance as a Data Controller.
Article 5 of the GDPR outlines the six principles that should be applied to any collection or processing of Personal Data. Eazy Collect complies with all principles.
- Personal Data must be processed lawfully, fairly and transparently
- Personal Data can only be collected for specified, explicit and legitimate purposes
- Personal Data must be adequate, relevant and limited to what is necessary for processing
- Personal Data must be accurate and kept up-to-date
- Personal Data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal Data must be processed in a manner that ensures its security
As a Data Controller, clients are contractually obligated and must implement and ensure GDPR compliance is met fully across your own company processes and managed accordingly within your in-house billing and CRM systems.
Data Controllers need to identify lawful processing condition(s) (how you’re using Personal Data) in relation to Personal Data being sent to Eazy Collect for processing. These are:
- Compliance with a legal obligation
- Performance of a contract
- Legitimate Interest
- Public Interest
- Vital Interest
The GDPR imposes restrictions on the transfer of Personal Data outside the EU, to third countries or international organisations. Such restrictions are in place to ensure that the level of protection afforded by the GDPR on the processing or storage of Personal Data is not undermined. Eazy Collect handle, process and store all Personal Data inside the EU in accordance with strict ISO 27001 security standards.
3. Key Policies and Documentation
Available Eazy Collect Policies and GDPR related documentation can be found on the links below:
4. Further Useful Resource Materials
Appendix 1 – Technical and Organisation Measures
Eazy Collect shall or has already implemented the following controls, technical and organisation measures along with several others in adherence to ISO27001 and FCA compliance under the second Payment Service Directive (PSD2).