GDPR Tracker

GDPR Compliance Report
Holiday Cloud
25/05/2018

Contents

1. Business Profile
2. Personal & Sensitive Data
3. Staff Awareness and Training
4. Lawful Data Processing
5. Consent
6. Privacy Policies and Notices
7. Internal Policies and Procedures
8. Third party processing
9. Consider where data is stored
10. Data Retention
11. Data Subject Access Rights
12. Data Subject Requests
13. Right to Data Portability
14. Right to Erasure
15. Right to Rectification
16. Right to Object
17. Data Profiling
18. Processed for Specified, Explicit and Legitimate Purposes
19. Adequate, Relevant and Limited Data Processing
20. Accuracy of Data
21. Restriction of Personal Data Processing
22. Privacy by Design
23. Management of electronic and manual records
24. Data Protection Officers (DPO)
25. Data Breaches
26. Data Protection Impact Assessments
27. Data Security Policy
28. Transfer of Data outside of the EEA
29. Group Companies
30. International Transfers

1. Business Profile

Company Name: Holiday Cloud
Registered Company Address: Foxfield St John, Raheny, Dublin 5
Website URL: www.holidaycloud.ie
Telephone Number: 852521382
Email Address: william@holidaycloud.ie
Key Business Contact: William Kelly

2. Personal & Sensitive Data

Q: Is your business processing Personal Data?
A: No
Q: What type of Personal Data is your business processing?
A: Question not yet completed
Q: Is sensitive Personal Data being processed?
A: No
Q: Are you processing Personal Data as a Data Controller or Data Processor or both?
A: Question not yet completed
Q: Are you documenting the personal data which you are processing as a Data Controller and/or Data Processor or both?
A: Question not yet completed
Q: List all the locations where you store Personal or Sensitive Data
A: Question not yet completed

Actions
- Your organisation should document what personal data it holds, where it came from and who it is being shared with. [Not Applicable]
- Businesses should review and map key personal data flows. [Not Applicable]
- Businesses should consider what data transfer mechanisms they have in place, whether these will continue to be appropriate and whether they are GDPR compliant. [Not Applicable]
- Businesses should document the legal basis on which they are processing each category of personal data. [Not Applicable]
- You should make sure that your organisation is registered with your country's Data Protection Authority. [Not Applicable]

3. Staff Awareness and Training

Q: Are your senior management team aware of GDPR?
A: Question not yet completed
Q: Have you provided training to your management team and staff on GDPR?
A: Question not yet completed
Q: Do the management team and key staff members appreciate the impact GDPR is likely to have on your organisation?
A: Question not yet completed

Actions
- Organisations need to follow privacy by design. This is to ensure that privacy is embedded into any new processing or product that is deployed. This needs to be thought about early in the process to enable a structured assessment and systematic validation. [Not Applicable]
- Organisations need to arrange training for their management team and key staff members. [Not Applicable]

4. Lawful Data Processing

Q: Please check all the processing activities that apply to your Sales and Marketing Department (Records of Processing Activities)
A: Digital Marketing; Social Media Marketing & Advertising; Customer Support; Email Marketing; Contact Form Available On Public Website; Online Customer Registration; Cookie Management
Q: Please check all the processing activities that apply to your Human Resources Department (Records of Processing Activities)
A: Question not yet completed
Q: Please check all the processing activities that apply to your IT Department (Records of Processing Activities)
A: Email Management
Q: Please check all the processing activities that apply to Business Management (Records of Processing Activities)
A: Question not yet completed
Q: Please check all the processing activities that apply to your Facilities Department (Records of Processing Activities)
A: Question not yet completed
Q: Please check all the processing activities that apply to your Finance Department (Records of Processing Activities)
A: Question not yet completed
Q: Please check all the processing activities that apply to your Operations (Records of Processing Activities)
A: Question not yet completed
Q: Other Processing Activities
A: Question not yet completed
Q: Is there a lawful ground for processing the personal data for each processing activity (refer to the GDPR Data Mapping Template within the Documents section)?
A: No
Q: Is there a lawful ground for processing any sensitive personal data for each processing operation?
A: No
Q: Are the legal grounds for processing personal data recorded?
A: No

Actions
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity. [Not Applicable]
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose. [Not Applicable]
- We have documented our decision on which lawful basis applies to help us demonstrate compliance. [Not Applicable]
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice. [Not Applicable]
- Where we process special category data, we have also identified a condition for processing special category data, and have documented this. [Not Applicable]
- Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this. [Not Applicable]

5. Consent

Q: How is consent collected?
A: Web Forms; Sign In Page; Email Campaigns
Q: What information is being collected?
A: Email
Q: Who is collecting it?
A: Question not yet completed
Q: Why is it being collected?
A: For customers that opt in, they can receive the latest deals and travel news to their inbox
Q: How will it be used?
A: Newsletters
Q: Who will it be shared with?
A: Nobody – ever
Q: What will be the effect of this on the individuals concerned?
A: An email will be sent 3 times per week
Q: Is the intended use likely to cause individuals to object or complain?
A: No
Q: How is this consent demonstrated?
A: We keep a record of when and how we got consent from the individual. We keep a record of exactly what they were told at the time.
Q: Where is consent recorded?
A: Mailchimp
Q: Managing Consent
A:
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don't penalise individuals who wish to withdraw consent.
Q: Are data subjects able to withdraw their consent for processing?
A: No
Q: Do you have explicit consent for processing sensitive data?
A: No
Q: Is personal data of children collected and processed?
A: No

Actions
- Organisations should review how they seek, record and manage consent. Organisations need to assess whether the consents they hold are GDPR compliant and whether they need to make any changes. Businesses should refresh existing consents now if they do not meet the GDPR standard. [Completed]
- You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. [Not Applicable]

6. Privacy Policies and Notices

Q: Do you have a privacy policy?
A: https://www.holidaycloud.ie/privacy-policy/
Q: If you do have a privacy policy, has it been updated to comply with GDPR?
A: https://www.holidaycloud.ie/privacy-policy/

Actions
- You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. If you do not have a privacy policy, you will need to arrange for one to be prepared as soon as possible. [Completed]

7. Internal Policies and Procedures

Q: Have you updated your internal policies and procedures to comply with GDPR?
A: Privacy policy and web sign-up forms
Q: Do you have a Data Protection Policy?
A: No
Q: Do your staff handbooks and employment contracts contain up-to-date references?
A: No
Q: Do you need to update your staff consents for processing data?
A: No
Q: Are your website documents GDPR compliant?
A: https://www.holidaycloud.ie/privacy-policy/

Actions
- You need to review and update your policies and contracts to ensure that they are compliant with GDPR, including privacy policies and notices, data protection policies, data security, employee data policies, data sharing policies, IT security policies and data retention policies. [Completed]

8. Third party processing

Q: List all companies and 3rd parties that store your data
A: Mailchimp
Q: Have you carried out due diligence on your third-party suppliers?
A: Online reviews
Q: Are your third-party suppliers GDPR compliant?
A: https://mailchimp.com/legal/privacy/
Q: Are your third-party suppliers able to stand behind the warranties and indemnities contained in your contracts?
A: No
Q: Do your contracts request that third party suppliers comply with GDPR, including putting in place appropriate technical and organisational measures?
A: Question not yet completed
Q: Are you relying on third parties to obtain consents where you may be processing data?
A: No
Q: Do your contracts state that the consents have been obtained in accordance with GDPR?
A: No
Q: Who are your external data processors?
A: Question not yet completed
Q: Do you have contracts with them?
A: No

Actions
- Consider what third parties process data on your behalf. [Completed]
- Consider what third parties may have access to your personal data – cloud storage companies. [Completed]
- All organisations need to enter into contracts with third party data processors. [Completed]
- Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards. [Completed]
- Do you undertake and record prior diligence of service providers? [Completed]
- Data controllers may only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR. Processors are required to process personal data in accordance with the controller's instructions. [Completed]

9. Consider where data is stored

Q: Are all the stipulated terms included in processor contracts?
A: No
Q: Are there controller/processor contracts containing all the stipulated terms?
A: No

Actions
- You need to put in place contracts with the companies that store your data. [Completed]

10. Data Retention

Q: Has your organisation analysed how long it needs to hold personal data for?
A: Our newsletters are sent out 3 times per week; this will continue as long as Holiday Cloud is actively finding travel deals
Q: Does your organisation have a data retention policy?
A: No
Q: Are there procedures in place for archiving and destruction of data?
A: No

Actions
- An organisation shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay. [Not Applicable]

11. Data Subject Access Rights

Q: Is your organisation aware of the rights of data subjects?
A: No
Q: Is your organisation able to comply with the rights of data subjects in GDPR?
A: We don't actually store any customer data

Actions
- Your organisation should familiarise itself with the new rights of data subjects set out in GDPR. [Completed]

12. Data Subject Requests

Q: Does your organisation have a process in place to deal with subject access requests?
A: Through each email we send there are options available to opt out. Opting out is done through an automated system and we do not actually have to remove any opt-outs as it is done automatically
Q: Is there a documented policy/procedure for handling subject access requests (SARs)?
A: No
Q: Are individuals provided with a mechanism to request access to information held about them?
A: No
Q: Is the data controller able to respond to SARs within one month?
A: We don't hold any data; all data, mainly names or email addresses, can be removed through the opt-out option on each email we send.

Actions
- Your organisation is no longer able to charge for SARs. [Completed]
- Your organisation should have procedures in place to deal with data access requests and plan how it will handle requests within the new timescales and provide any additional information. [Completed]
- Businesses should ensure that they are able to access personal data easily and have searchable databases. [Completed]
- Set up SAR form. [Completed]

13. Right to Data Portability

Q: Can data subjects get their personal data in a structured, commonly used and machine readable format?
A: No

Actions
- Ensure that you have systems in place to comply with GDPR's requirements. [Completed]

14. Right to Erasure

Q: Are individuals informed of their right to demand erasure of personal information held about them (where applicable)?
A: Not applicable
Q: Are there controls and formal procedures in place to allow personal data to be erased or blocked?
A: Options are marked clearly to erase on each email we send
Q: Do you have procedures available to manage such requests?
A: Options are marked clearly to erase on each email we send

Actions
- Data subjects may request that an organisation erases the personal data it holds about them in certain circumstances. Unless an organisation has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject's request. [Completed]

15. Right to Rectification

Q: Does your organisation have a procedure in place to deal with the rectification of personal data?
A: No
Q: Consider how easy it will be for your organisation to rectify data.
A: We don't store data
Q: Have you considered where data is stored and how accessible the data is?
A: Question not yet completed

Actions
- If a data subject informs an organisation that personal data held by the organisation is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the data subject informed of that rectification, within one month of receipt of the data subject's notice (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension). In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data. [Not Applicable]

16. Right to Object

Q: Are individuals told about their right to object to certain types of processing?
A: No
Q: Are there policies to ensure rights can be effected in practice?
A: No

Actions
- Data subjects have the right to object to an organisation processing their personal data based on legitimate interests (including profiling), direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes. [Not Applicable]

17. Data Profiling

Q: Is profiling based on consent? (If so, this must be explicit.)
A: No
Q: Does any profiling use sensitive data?
A: No
Q: Does any profiling involve children's data?
A: No

Actions
- Where an organisation uses personal data for profiling purposes, the following shall apply: [Not Applicable]
  - Clear information explaining the profiling will be provided, including its significance and the likely consequences; [Not Applicable]
  - Appropriate mathematical or statistical procedures will be used; [Not Applicable]
  - Technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and [Not Applicable]
  - All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling. [Not Applicable]

18. Processed for Specified, Explicit and Legitimate Purposes

Q: Is personal data collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes?
A: Options are marked clearly to erase on each email we send; we don't store any data at all.

Actions
- An organisation should only process personal data for the specific purposes explained to data subjects (or for other purposes expressly permitted by GDPR). The purposes for which an organisation processes personal data must be communicated to data subjects at the time that their personal data is collected, where it is collected directly from them, or as soon as possible (not more than one calendar month) after collection where it is obtained from a third party. [Completed]

19. Adequate, Relevant and Limited Data Processing

Q: Do you have a procedure in place to ensure that personal data processing is adequate, relevant and limited?
A: Question not yet completed

Actions
- An organisation should only collect and process personal data for, and to the extent necessary for, the specific purpose(s) communicated to data subjects. [Not Applicable]
- Data subjects may request that an organisation ceases processing the personal data it holds about them. If a data subject makes such a request, an organisation shall retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place. [Not Applicable]

20. Accuracy of Data

Q: Do you have a procedure in place that will ensure that data is accurate and regularly checked, processed and kept up to date?
A: No

Actions
- An organisation shall ensure that all personal data collected and processed is kept accurate and up-to-date. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate. [Not Applicable]

21. Restriction of Personal Data Processing

Q: Do you have the ability to restrict processing of all or part of a data subject's data?
A: No

Actions
- Under GDPR, data subjects are entitled to request that the processing of their data be restricted. [Not Applicable]

22. Privacy by Design

Q: Do you have systems in place that will ensure the secure processing of data?
A: No
Q: Do policies and procedures build in a requirement to integrate compliance into processing activities?
A: No

Actions
- An organisation shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. [Not Applicable]

23. Management of electronic and manual records

Q: Has your organisation reviewed how it manages its records?
A: Question not yet completed
Q: Are the records secure?
A: Question not yet completed
Q: Are third parties able to access records?
A: Question not yet completed
Q: Are third parties governed by contracts?
A: Question not yet completed
Q: Are third party staff trained to comply with GDPR?
A: Question not yet completed

Actions
- Organisations are required to put in place technical, organisational and security measures to cover the storage of both electronic and paper records. [Not Applicable]

24. Data Protection Officers (DPO)

Q: Does your organisation need a DPO?
A: No
Q: If not, who is going to be responsible for GDPR compliance?
A: William Kelly
Q: Where a DPO is appointed, are escalation and reporting lines in place?
A: No
Q: If a DPO is not required legally, consider whether one should be appointed.
A: No

Actions
- Your organisation should designate someone to take responsibility for data protection compliance and assess how this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer under GDPR. [Completed]
- There is no general obligation to appoint a DPO, but the following must appoint a DPO: [Completed]
  - Public authorities (with some minor exceptions);
  - Any organisation whose core activities require "regular and systematic monitoring" of data subjects "on a large scale", or "large scale" processing of Sensitive Data or criminal records; and
  - Those obliged to do so by local law (countries such as Germany are likely to fall into this category).

25. Data Breaches

Q: Are there clear procedures in place to notify the controller in the prescribed form of any data breach without undue delay after becoming aware of it?
A: No
Q: Does your organisation have a policy setting out how it will handle data breaches, including reporting and incident management?
A: No
Q: Is there clear internal guidance explaining when notification is required and what information needs to be reported?
A: No
Q: Are there procedures in place to notify DPAs and data subjects of a data breach (where applicable)?
A: No
Q: Are data breaches documented?
A: No
Q: Are there cooperation procedures in place between controllers, suppliers and other partners to deal with data breaches?
A: No

Actions
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. [Not Applicable]
- Have you considered data breach insurance cover? [Not Applicable]

26. Data Protection Impact Assessments

Q: Does your organisation need to carry out a DPIA?
A: No
Q: Has your organisation reviewed the ICO code of practice on DPIAs?
A: Question not yet completed

Actions
- You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation. [Completed]
- An organisation shall carry out Privacy Impact Assessments when and as required under GDPR. [Completed]

27. Data Security Policy

Q: Does your organisation have a data security policy?
A: No
Q: Does your organisation have a nominated data security officer?
A: William Kelly
Q: How often are your data security procedures reviewed?
A: Monthly
Q: Has your organisation carried out a data security risk assessment?
A: Not applicable as we hold no data
Q: Does your organisation have appropriate technical and organisational security measures?
A: Question not yet completed
Q: Does your website have an SSL certificate?
A: Question not yet completed
Q: Has your organisation assessed the risks involved in processing data and how to mitigate those risks?
A: Question not yet completed
Q: What safeguards does the organisation have in place to protect both electronic and paper data?
A: Question not yet completed
Q: Does the organisation have a plan for dealing with security issues and a gap plan?
A: Question not yet completed
Q: Are industry standard encryption algorithms and technologies employed for transferring, storing, and receiving individuals' sensitive personal information?
A: Question not yet completed
Q: Are steps taken to pseudonymise personal data where possible?
A: Question not yet completed
Q: Can the availability of and access to personal data be restored in a timely manner in the event of a physical or technical incident?
A: Question not yet completed

Actions
- An organisation should ensure it has the correct data security policies and procedures in place, including being able to deal with data security issues. [Not Applicable]
- An organisation shall conduct a review of its data security policies on a regular basis. [Not Applicable]

28. Transfer of Data outside of the EEA

Q: Does your organisation transfer ('transfer' includes making available remotely) personal data to countries outside of the EEA?
A: No
Q: Does your organisation have remote workers that access data from outside of the EEA?
A: No
Q: Have your data subjects consented to the transfer of data outside of the EEA?
A: No

Actions
- Review your arrangements to ensure that they are GDPR compliant. [Completed]
- The transfer of personal data to a country outside of the EEA shall take place in accordance with the rules set out in GDPR. [Completed]

29. Group Companies

Q: Are any group companies located outside the EU that target/monitor EU subjects?
A: No
Q: If so, has an EU representative, established in one of the EU States where the data subjects are, been designated in writing (where appropriate)?
A: Question not yet completed
Q: Is the EU representative mandated to be addressed (in addition to the controller/processor) by supervisory authorities and data subjects on processing issues?
A: No

Actions
- If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this. [Not Applicable]
- International businesses should decide which member state is the main data processing entity. [Not Applicable]

30. International Transfers

Q: Is personal data transferred outside the EEA?
A: No
Q: What type of personal data is transferred and does this include any sensitive personal data?
A: Question not yet completed
Q: What is the purpose(s) of the transfer?
A: Question not yet completed
Q: Who is the transfer to?
A: Question not yet completed
Q: Are data subjects told of any intended transfers of their personal data?
A: No

Actions
- Ensure that you comply with the rules in GDPR when transferring data outside the EEA. Ensure you have the necessary consents from data subjects to transfer their data outside of the EEA. [Completed]