StarLeaf and GDPR compliance
The EU General Data Protection Directive (GDPR) is a piece of privacy legislation that creates a unified set of data protection laws across Europe and strengthens the rights that EU persons have over their personal data. The law is effective as of 25 May 2018 and will continue to be enforced in the UK after it leaves the European Union. It also applies to all companies that process and store the personal data of anyone who resides in the EU, regardless of where the company is located.
As a data controller and data processor, StarLeaf is committed to the highest standards of information security, privacy, and transparency. We work closely with our customers and partners to meet requirements for our services and procedures.
StarLeaf began GDPR preparations in 2017 by reviewing all of our internal policies, processes, procedures, data systems, and documentation. This included:
- Updating agreements to meet the GDPR requirements in order to permit customers to continue to lawfully transfer EU personal data into StarLeaf systems, ensure data transfer agreements are in place when applicable, and permit StarLeaf to continue to receive and process that data;
- Updating third-party vendor contracts to meet the requirements of GDPR in order to lawfully transfer EU personal data to those third parties and permit those third parties to continue to receive and process that data;
- Updating policies and procedures to ensure data controller and data processor responsibilities are documented and practiced between StarLeaf, its partners, and its customers;
- Analyzing all StarLeaf systems and features to determine whether any improvements or additions can be made to make them more efficient for customers that are subject to GDPR;
- Updating privacy statements to ensure transparency regarding consent, right of access, the type of information that is collected, where it is stored, to where it may be transferred, lawful basis for processing personal data, how to correct personal data, and other aspects required by GDPR;
- Conducting a privacy impact assessment per the direction of the Article 29 Working Party;
- Appointing a Data Protection Officer and activating the role; and
- Updating breach notification procedures to detect, report, and investigate any potential data breach.
These items are in progress and being tracked by a committed GDPR task force.
StarLeaf also appointed a specialist information security and compliance firm, Allendevaux & Company, to review our environment, policies, procedures, and practices in terms of GDPR compliance.
StarLeaf is now also working towards ISO 27001 accreditation to ensure that all our security procedures and compliance activities meet international best practices.