GDPR and Data Protection Measures

Introduction

The European Union’s (EU) General Data Protection Regulation (“GDPR” or the “Regulation”) went into effect on May 25, 2018. It was a significant change for global data privacy law and introduced complex rules for organizations involved in the collection and processing of personal data of individuals located in the EU. The Regulation:

  • Updates the previous EU privacy framework to create a common set of data privacy and security rules across the EU.
  • Reinforces principles of transparency and openness with individuals as to what data companies hold about them and how it is used.
  • Provides individuals in the EU more consistent rights to access and control their personal data.
  • Establishes a general accountability requirement, requiring companies to be able to demonstrate the ways in which they comply with data protection principles.

Our Commitment

As a business with global reach, Mind3 Limited takes its responsibility to protect personal data very seriously. Trust is the cornerstone of our relationships and we are committed to the security and protection of personal data, working to provide a compliant and consistent approach to data protection.

Mind3 Limited’s security and privacy policies continue to evolve so that they reflect applicable laws and anticipate new and future regulations.

GDPR compliance required Mind3 Limited to review and update its policies and procedures for data collection, use, transfer, disclosure, and disposal. Our preparation included:

Privacy Policy:

  • Our Privacy Policy has been updated for the GDPR so that individuals whose personal data we process are informed of what data we collect, why the data is required, how it is used, what their rights are, to whom the information is disclosed, and what safeguards are in place to protect their information.
  • Mind3 Limited has ensured employees and current and new third-party service providers are aware of our ‘storage limitation’ principles, which govern how personal data is stored, archived, and destroyed.
  • Data Breaches: our data breach response procedures were updated to help us discover, contain, and remediate data privacy and security incidents. This included the required notice provision to individuals and relevant supervisory authorities.

International Data Transfers & Third-Party Disclosures

  • We enhanced our procedures and safeguarding measures to secure, encrypt, and maintain the integrity of personal data during its transfer to and/or storage outside the EU. At the corporate level, Mind3 Limited considers, where appropriate, Inter-affiliate Data Processing and Transfer Agreements with clients, specific to each program. When engaging sub-processors, including hosting providers, Mind3 Limited carries out due diligence and vetting to ensure that appropriate protections are in place.

Legal Basis for Processing

We review all processing activities to identify the relevant legal basis. Where applicable, we maintain records of our processing activities in order to meet our obligations under Article 30 of the GDPR. As part of this, we identify and assess what personal data we hold, where it comes from, how and why it is processed, and if and to whom it is disclosed.

Obtaining Consent and Providing Notice

We have revised our consent and notice process to help individuals easily understand what personal information is being collected, how it will be used and for what purpose. We articulate the individual’s rights to access and control their personal data. This is included in our Privacy Policy on our website.

Third Party Risk Management

We updated our existing risk assessment processes and continue to evaluate our current and new third-party service providers. This includes updating contracts with our service providers that process personal data on our behalf. Where appropriate, we employ due diligence procedures to help these third parties understand and meet their obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the third party’s technical and organizational measures in place, and their compliance with the GDPR.

Information Security & Technical and Organizational Measures

Mind3 Limited recognises that personal data is only as secure as the tools and technologies that manage it. We take appropriate technical and organizational measures and precautions to protect and secure personal data that we process.

We have information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction. Where appropriate, we employ layers of security measures, including, for example, developing applications with the latest secure coding techniques to protect against malicious exploits such as SQL injection and cross-site scripting. Vulnerability scanning, penetration testing and security scanning are carried out when required by an outside service as a proactive measure.

User Training, IT Security Policy

Mind3 Limited employees participate in regular compliance training. All Mind3 Limited employees are required to agree to protect confidential information and sign up to the Information Security Policy as a condition of employment and as appropriate thereafter. Mind3 Limited requires new employees to pass a background check at the time of hire, as permitted by applicable law. This background check may include a check of criminal history, employment history, sanctions check and education verification.

Encryption in Transit – Mind3 Limited encrypts email data in transit using the TLS 1.2 protocol when communicating with a server that accepts encrypted connections. Enhanced encryption techniques have been deployed to encrypt assessment and email files. Data and information protection is further enforced by our Data Loss Prevention solution.

GDPR Roles and Employees

Mind3 Limited has appointed an Information Security Officer (“ISO”) to develop and implement a roadmap for complying with the GDPR and other data privacy laws. The ISO is responsible for promoting awareness of privacy across the organisation, assessing our GDPR readiness, identifying and addressing any gap areas, and implementing the new policies, procedures and measures discussed here.

Although privacy and confidentiality are embedded in our global standards, methodologies, training and practice, we understand that the requirements of the GDPR are complex. We recognize that employee and third-party provider awareness and understanding is vital to continued compliance. We are continually updating and monitoring our privacy training programs to ensure we are educating our employees on how to handle personal data under the GDPR and other privacy laws.

If you have any questions about Mind3 Limited’s privacy program, please contact us at emma.ferrier@mind-3.com or, if by postal mail, at Mind3 Ltd., 85 Great Portland Street, Marylebone, London, W1W 7LT.