Affirmed Identity™ - GDPR Compliance

GDPR Compliance Statement

1. PURPOSE OF THIS STATEMENT

The General Data Protection Regulation (GDPR) represents a significant overhaul of data protection law. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organizations can make of their personal data and imposes new legal obligations on those organizations about how they hold and process personal data relating to their staff, customers, suppliers, and other stakeholders. Affirmed Identity LLC (“Affirmed Identity”) takes privacy very seriously across its products and has undertaken an extensive GDPR-readiness program using both GDPR-trained internal resources and specialist external advisers. The purpose of this statement is to inform our clients about the steps that we have been taking by way of preparation.

2. INFORMATION AND SECURITY AUDIT

Affirmed Identity has undertaken an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used. We have also undertaken a security audit to ensure that, where we hold and process personal data, there are appropriate technical and organizational measures in place to ensure that the data is protected. Our findings have been documented in order to help us comply with the GDPR's accountability requirement.

3. LAWFUL BASIS OF PROCESSING

The GDPR states that the processing of personal data is only lawful if it is done under one of the defined “lawful bases”: these include, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organization's “legitimate interests”. On the basis of the output from the information audit, Affirmed Identity has identified an appropriate lawful basis for each kind of processing that we undertake, and these are documented in our privacy notices.

4. PRIVACY NOTICES

Our privacy notices have been updated to ensure that data subjects are properly informed about all the details that GDPR requires us to notify them about, such as the identity and contact details of Affirmed Identity as the controller of the personal data; the contact details for the person responsible for data protection within the organization; the purposes of the processing, and the lawful basis for it; the “legitimate interests”, where this is the lawful basis of processing on which we are relying; and the existence of the data subject's right (a) to request access to the personal data, (b) to request rectification or erasure of personal data, (c) to request that the processing is restricted, (d) to object to the processing and (e) to data portability.

5. INTERNAL POLICIES AND PROCEDURES

We have developed and implemented several new policies and procedures to ensure that we are able to respond efficiently to data protection issues. These include a new Privacy Policy which directs staff as to how personal data should be used, along with procedures for dealing with:

6. CLIENT AGREEMENTS

We have developed a Data Protection Addendum to our standard terms of engagement that addresses the GDPR's requirements about contracts between data controllers and data processors where we are handling personal data on behalf of a client. In summary, the Addendum provides that:

The inclusion of this Addendum means that our clients can be assured that, if Affirmed Identity processes personal data on their behalf, it is being done on the basis of a contract that meets those requirements.

8. THIRD PARTY PROCESSORS

We will do our best to ensure that with effect from 25th May 2018, our contracts with any third-party companies that process personal data on our behalf include the relevant controller-processor clauses.

9. STAFF TRAINING

We have put in place data protection awareness training for all staff. This includes training about the GDPR's data protection principles and other key aspects of data protection law as it relates to Affirmed Identity's business, and as a minimum some essential “do's and don'ts” in relation to the obtaining, processing and sharing of personal data. Staff need to be aware of the importance of respecting personal data, and of their own responsibilities in this regard.

Transitioning from Your Present Authentication to Complement Your IAM with NIST-Aligned Behavioral Biometrics: 3 Guided Steps

First, you sign up for the free trial of Affirmed Identity IdP, the service that manages identity for your organization.

Second, your employees download and authenticate via the Affirmed Identity Authenticator app, which builds unique biometric profiles.

Third, connect your current IAM to the Affirmed Identity app's real-time continuous behavioral identity verification.