Our Approach to Data Protection
Trust is at the heart of each transaction between Resolver, its customers and clients. It is important to us, and crucial to the success of our business, that Resolver is trusted to look after the information our customers and clients give us, and to do everything we can to process it safely and securely.
We’ve done a lot of work over the last 6 months to get ourselves ready for GDPR. Like many companies, we have made a whole host of technical, organisational, contractual and process-led changes to ensure we are meeting the requirements of the new Regulation.
What has Resolver done to prepare for the GDPR?
As part of our GDPR Readiness Programme, we commissioned an independent, external assessment of our whole organisation. This identified a set of recommendations, which has driven our preparations. For example:
- Continuing to invest in our security infrastructure;
- Reviewing, formalising and updating our processes, policies and other documentation;
- Conducting assessments of our suppliers and third parties and ensuring we have the contractual terms and technical / organisational measures in place to allow them to process data on our behalf, which may include international transfer;
- As the GDPR is a new Regulation, we are also keeping abreast of any updates to the guidance issued by the likes of the Information Commissioner’s Office, and will continue to evolve accordingly.
Below is some more information on some of these areas:
- We send and receive emails through two encrypted methods – opportunistic TLS encryption and, where requested, Forced TLS encryption.
- Our database is encrypted on disk.
- Our system runs inside a Virtual Private Cloud on Amazon Web Services (AWS). There is only a single entry point, requiring an SSH tunnel based on public/private encrypted keypairs. When not in use, the gateway is shut down, rendering the VPC inaccessible.
- We carry out regular penetration tests and have undergone various security audits as part of our client obligations.
Data Collection, Storage, Retention
- We process this data so that the user is able to resolve their problem with the relevant company. Our lawful basis for processing is Legitimate Interest under Article 6 – Lawfulness of Processing Data and Article 7 – Conditions for Consent.
- The Resolver platform is hosted by Amazon Web Services (AWS) in Ireland. Back-ups are on AWS in Frankfurt.
International Data Transfer
Although Resolver itself does not process data outside of the EEA, we use Third Party sub-processors that do. The GDPR is very clear that the Data Controller is responsible for the entire value chain and therefore we have implemented the following measures so that personal data is processed safely and securely:
- Audited our Third Parties for use of EU-US Privacy Shields;
- Signed Data Processing Addendums with our data processors/sub-processors as required; and
- Undertaken GDPR compliance assessments to assess the readiness of our Third Parties.
Governance, Policies and Processes
We have reviewed and formalised our processes to account for the much greater emphasis on accountability, demonstrability and transparency: that organisations are accountable for the personal data they process, that they must be able to demonstrate they comply with all the regulations, and that they must be completely clear with their customers about how personal data is collected and used.
Our staff have gone through GDPR training sessions, tailored to their roles within the business. This includes training on the 7 Rights of the Data Subject, and data retention.
We have formally appointed a Data Protection Lead, who has taken on the new GDPR accountabilities, including ensuring our continued compliance with the Regulation.