Quickline Communications GDPR Compliance Plan

Quickline is committed to ensuring we do the right thing for you and your personal data; and as such we are working towards GDPR compliance, 25th May 2018.

Since the end of 2017 we have been proactive towards our GDPR readiness activity. As a business built on customer service and data, we strive to make sure that we get things right and where not, we put things right as we are committed to ensuring we do the right thing for Quickline, our customers and the third parties we work with.

After monitoring and understanding the changes the GDPR delivers, we've understood the requirements, briefed our internal teams and developed a plan for compliance. Driven by a team of qualified Data Protection Practitioners, we're focussed on ensuring all tasks are in play, that they continue to progress, and by 25th May 2018, can be evidenced to demonstrate compliance.

Quickline can achieve GDPR compliance by undertaking a collaborative and transparent approach with our suppliers and customers. Whilst we're realistic that some of our data suppliers may not complete the process ahead of the deadline, we're working closely with them all to ensure that as many as possible are making the right efforts and continue to be used in the supply of our services.

With over 6,000 customers across the country, we're sure you can appreciate the complexities involved in maintaining people’s data, and why it's taking us some time to attain compliance. We also want to ensure that this is comprehensive and complete.

Whilst we have not been inundated with questions from customers, in an effort to ensure transparency regarding the rollout, we've provided some more information on the following areas:

Like many companies, we've been waiting on guidance to be issued by the ICO and EU’s Article 29 Working Party. We understand that we cannot wait until all guidance has been released to implement our GDPR program, so have been proactive and pragmatic with our plan. We continue to review guidance as it becomes available and will adjust our implementation if appropriate.

GDPR Customer Roll Out

From 15th April 2018 we'll start to roll out a GDPR addendum to all our customers when we speak to you either via Sales or Support. When we speak with you next, we will ensure that we gain your consent under contractual performance obligations to correct where necessary, and process personal data. This will allow Quickline and our customers to meet our GDPR obligations.

All our customers need to agree to revised data protection terms to reflect the change from the Data Protection Act to General Data Protection Regulation (effective 25th May 2018). We'll also require our customers to advise us on the lawful processing condition for using our products/services.

There are six lawful processing conditions:

Compliance with a legal obligation
Performance of a contract
Legitimate interest
Public interest
Vital interest
Consent

Consent is changing to be more explicit so at the point of data collection, the individual will need to be informed exactly how their data will be used and who it will be shared with. This makes it really difficult to achieve compliance for third parties using consent as one of their lawful bases for processing. Consent can be selected by our customer who is asking us to process data on their behalf, as they will hold the first party consent and will have advised their consumer as to how their data will be processed in their privacy notice.

Governance Structure and Quickline’s Data Protection Officer

Data privacy is discussed throughout Quickline with regular presentations to the Board of Directors and Leadership Team.

Quickline’s named Data Protection Officer is Steve Gray.

Steve leads the Privacy and Data Compliance Team, where each Compliance Manager has a core focus on the services Quickline deliver, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.

Data Mapping and Quickline’s Data Asset Register

We've almost completed our data mapping exercise, so we are aware of what data we have, where it’s held, how we access it, the classification of the data, and records for transfer to show how it moves between systems, processes and to a lesser degree countries.

A lot of information that already exists within Quickline is held across a number of systems, so we're in the process of updating our Data Asset Register, which will automate as much activity as possible, aiding transparency and supporting the tight controls which are required to ensure compliance.

Embedding Data Privacy into Operations – Training, Awareness & PIAs

We've launched an internal initiative to be traing out to our employees; this ongoing initiative has the following objectives to ensure our team members do the right thing and act within GDPR parameters:

We’ll ensure we know what we can do with data, and if unsure, we’ll ask We’ll be clear about how we’re going to use data and tell you We’ll ensure we protect the data we hold & process We’ll ensure compliance, both individually and as a team Underpinning this is not only communication, but clear policies and procedures

Privacy Impact Assessments (PIAs) are now compulsory across Quickline for all new services and any third parties we share personal data with.

Retrospective PIAs for existing services have been completed, with any changes required to ensure we achieve GDPR compliance identified. These changes are now in development and will be released as soon as they are available, but definitely in time for 25th May 2018. This means any services you use from Quickline will support your own GDPR compliance.

Information Security Risk

Quickline is already ISO27001 accredited.

Led by our Head of Quality & Systems, we are focussed on maintaining an information security program which covers everything you would expect.

This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.

Third Party Risk and our Data Partners

Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure. Once a Data Processor contract has been signed, this is also reviewed on an ongoing basis to maintain relevance.

Where appropriate, a Privacy Impact Assessment will be completed and evidence gathered, such as copies of privacy notices, a due diligence questionnaire, periodic testing.

All of our partners, [and there aren’t many] need to comply with applicable data protection regulations. Depending on where the data partners is in the world, and what data they process, GDPR compliance may not be relevant. If they need to comply with GDPR, we'll ensure they do by way of a Data Processing contract. If they don’t comply, it would mean neither can Quickline or our customers, which is clearly not acceptable.

Each party in the chain has an obligation to ensure the third parties they each work with measure up, which is something we’re committed to here at Quickline.

Responding to individual complaints and data subject access requests (DSARs) We already has a very robust process for dealing with consumer queries and subject access requests. This is a requirement under the Data Protection Act, therefore we're confident in our processes, which are tried & tested and we continually review for improvement. The key difference under GDPR is the timescale for response to a DSAR is reduced from 40 days to 30 days, which we do not foresee as an issue.

Our consumer query process is also used to monitor our customers, our data partners and our products & processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.

If you have a valid reason to make an enquiry please do so by emailing the following address, and provide a rationale supporting the request:

gdpr@quickline.co.uk

Data Privacy Breach Management Program We have an effective data privacy incident and breach management plan, which we'll continue to review and enhance as required. The ICO has published a blog on the topic of breach management which is quoted below:

“Under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it. Organisations will have to provide certain details when reporting, but the GDPR says that where the organisation doesn’t have all the details available, more can be provided later. The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.”

Article. 33 (2) states as data processor, Quickline’s obligation is to notify data controllers without undue delay after becoming aware of it.

The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, WP29 recommends an immediate notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.

Our position is, the regulation states without “undue delay”, so this is what we will work towards. However, we recognise that for our customer, and the Data Controller, the clock will only start ticking when they become aware there has been an incident.

Ongoing Monitoring

Monitoring covers many areas at Quickline.

Internally we conduct audits to make sure we’re doing the right thing.

We're regularly audited by external third parties – our customers, our data partners and external bodies, such as QMS when reviewing our ISO 9001 & ISO27001 status compliance.

As a business built on service and data, we can't afford to get this wrong. The reputational risk far exceeds any fines. That's why we're committed to ensuring we do the right thing, accepting the change, and for us, our customers, the third parties we work with and individuals.

How to contact us

Please contact us if you have any questions about our GDPR readniness: