As an organisation at the forefront of data processing, we’re very active in our preparations for GDPR compliance. As a business built on data, we can’t afford to get this wrong. We are committed to ensuring we do the right thing for Feedback Ferret, our customers, the third parties we work with and individuals.
As a Data Controller and Data Processor, Feedback Ferret will be fully compliant with GDPR requirements by May 25th 2018. We’ve developed a plan for compliance and are focused on ensuring all tasks are in play, that they continue to progress, and can be evidenced to demonstrate compliance.
Governance Structure and Data Protection Officer
Since Feedback Ferret is already accredited with ISO27001 certification, its Information Security Management System (ISMS) already provides the framework for ensuring compliance with data privacy requirements. This is discussed throughout the business, with regular updates provided to the Directors, the Management Board and Team Managers.
Feedback Ferret’s Data Protection Officer is Vian van der Berg (Business Director) who leads the GDPR compliance team. Vian will shortly be fully trained by undertaking the “GDPR for DPO’s Foundation and Practitioner” courses.
Commercial Agreements & Documentation
In October 2017, Feedback Ferret began consulting with its solicitors to review all existing commercial documentation and data security policies to ensure they are all GDPR compliant.
Feedback Ferret will imminently circulate a Variation Agreement to all its existing clients to ensure compliance with the new General Data Protection Regulation.
Feedback Ferret will also imminently circulate to all its partners and vendors a new Data Protection Agreement to ensure compliance with the new General Data Protection Regulation.
The business is also in the process of reviewing all HR policies, privacy and corporate data security policies and documents, including general terms of business.
Information Security Risk
Feedback Ferret is ISO27001 accredited. Led by our Business Director, Feedback Ferret is focused on continuing to maintain an ISMS which covers everything you would expect and more. We ensure it remains robust and compliant by undergoing an independent 3rd party audit each year.
This includes technical security measures (e.g. intrusion detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.
The company has recently completed a full hardware security audit by an independent 3rd party as part of our commitment to ensure we mitigate all possible risks and stay up to date with the most effective data security solutions.
Staff awareness & training
All our staff were introduced to GDPR compliance in a half-day workshop in October 2017, presented by an expert 3rd party consultancy firm.
Our staff induction process will now include a one-hour online GDPR introduction webinar, together with the usual online Data Protection e-learning assessment.
Data security is an ongoing staff initiative and refresher data protection courses are introduced annually for both technical and non-technical staff.
Several circulars are distributed throughout the business during the year as and when changes to regulations or policies need to be communicated to staff.
We’ve largely completed our data mapping exercise. We know what data we have, where it’s held, where it came from, where it sits in our system, who has access to it, and the risk factor. We are in the process of seeking consent or deleting data where necessary as part of our Impact Risk Assessment, which will now be included in the ISO27001 scope as part of the Information Asset Risk Assessment each year.
Data Privacy Breach
We have an effective data privacy incident and breach management plan, which we’ll continue to review and enhance as required:
Embedding Data Privacy into operations
Privacy Impact Assessments (PIAs) are now compulsory across Feedback Ferret for all new products/services and will be included in the ISO27001 scope.
Retrospective PIAs for existing products/services have been completed, and any changes required to achieve GDPR compliance have been identified. These changes are now in development and will be released as soon as they are available as we work through our roadmap to compliance.
Subject Access Requests
We already have a process for dealing with consumer queries and subject access requests. This is a requirement under the Data Protection Act, therefore we’re confident in our processes, which are tried/tested and we continually review for improvement. The key difference under GDPR is the timescale for response to a DSAR which is reduced from 40 days to 30 days. We do not foresee this as an issue.
Lawful basis for processing personal data
Feedback Ferret, acting as Data Processor, processes client data to fulfil our contractual obligations to our clients.
Feedback Ferret, acting as Data Controller, processes marketing data to inform and educate prospects and clients of matters that may be of interest to them in the Voice of Customer world (e.g. blogs, news stories, white papers, client success stories).
All client data is managed according to our Data Processing Agreement (DPA). Our DPA is currently under review and will be GDPR compliant by February 2018. (Also see section “Commercial Agreements & Documentation”).
Prospect / marketing data is managed by seeking consent from the individuals. We are awaiting the release of new GDPR legislation scheduled for March 2018 to initiate the required changes.
Our sales and marketing teams have been in conversation with our data partners, and those that need to be compliant all have active GDPR plans. You can be confident that any data which is subject to GDPR will be fully compliant.
Monitoring covers many areas at Feedback Ferret. Internally we conduct audits and ad-hoc walk-throughs to make sure we’re doing the right thing.
We’re regularly audited by external third parties – our customers, our data partners and external bodies, such as British Assessments Bureau when reviewing our ISO27001 status. In addition, individual staff members attend training seminars, conferences and webinars as part of our compliance programme.
We will shortly be enlisting the services of another 3rd party specialist to conduct a full GDPR assessment which will advise how close we are to meeting the new regulation and what additional actions are required prior to the deadline.
All GDPR development will be carried out with continued adherence to the current Data Protection Act. We will also ensure continued compliance with our ISO27001:2013 accreditation which covers the establishment, implementation, maintenance and continual improvement of an ISMS within the organisation, as well as requirements for the assessment and treatment of information security risks tailored to our needs.
For further information on GDPR, we recommend the advice which is available on the Information Commissioner’s Website.