We are fully committed to information security within our business in accordance with GDPR. As a data processor we understand how data flows through our business and have placed significant investment on the movement, protection, storage, utilisation and destruction of data.
What have MDS reviewed within the business?
Our business has conducted an information audit to map data flows.
Our business has documented what personal data we hold, where it came from, who we share it with, and what we do with it.
Our business has an appropriate data protection policy.
Decision makers and key people in our business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
Our business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
We have implemented appropriate technical and organisational measures to integrate data protection into our processing activities.
We provide data protection awareness training for all staff.
Our business has effective processes to identify, report, manage and resolve any personal data breaches.
Our business has procedures to respond to a data controller's request to suppress the processing of specific personal data.
Our business can respond to a request from the data controller for the supply of the personal data we process in an electronic format.
We have policies in place for incident response, data retention and back-up.
Our contract with our customer includes detailed data processing and confidentiality provisions including:
- The non-disclosure agreement,
- The data processing agreement, and
- The conditions of supply.
Data Controller Identity
Mailing & Data Solutions Ltd is the data processor and our clients are either a data controller or a data processor. We undertake to carry out mailing fulfilment services on the basis that the client already has either explicit consent to mail or an agreed legitimate interest. As a business we expect and require that the onus is on the client to have the necessary controls in place from the end client to mail legitimately, and we are in no way liable should this not be the case.
Types of Data and Purposes
We require ONLY the information relevant to carrying out our duties as a mailing house; any additional information supplied should be flagged to our client and removed from the database before we proceed further. On occasion, and where agreed in writing, we will process work with additional fields should the client accept the associated risks.
We have a management system in place to destroy all client database information provided for the purpose of mailing up to one month after mail dispatch. If agreed in writing we can offer an extended or shorter retention period; however, there must be an overarching reason for this and it must be confirmed in writing by the client. For example, if we are managing the returns we would require the data for 3-6 months, and this would be agreed in advance by the client.
We utilise a secure FTP site to enable the safe movement of data from client to ourselves.
The FTP site holds client data for seven days before automatically destroying it. This is simply a data transfer site and not a cloud back-up site.
Data Subject Rights
Your clients have a number of rights under GDPR. These rights (subject to conditions) include the right to data portability, the right to object to the processing of their personal data, the right to require you to update and correct their data, the right to erasure of their personal data, the right to obtain a restriction on processing of the data, and the right to withdraw, where applicable, their consent to the processing of that data. Finally, the end client has the right to lodge a complaint with the data protection authority should they wish. Our role is to help facilitate requests from your clients in a timely, efficient and professional manner within the GDPR guidelines.