StarLeaf and GDPR compliance
We are witnessing an unprecedented level of activity throughout the world for data protection regulations. More than 120 countries have enacted forms of data breach and data protection regulations, impacting the way international business applies safeguards and approaches transborder flows of personal and sensitive data. Staying compliant with the changing legal landscape is an ongoing task, and at StarLeaf, we are committed to complying with all applicable data protection laws, making compliance easier for your business when you employ the StarLeaf service.
Whether the regulation is the UK’s or EU’s GDPR, Brazil’s LGPD, California’s CCPA or one of many others, we’re on top of it, which means we’ve got you covered. Our team of data privacy experts is experienced, certified and focused, applying best practices and strong privacy protections to ensure the ongoing confidentiality, integrity and availability of our services.
The following paragraphs provide additional insight regarding StarLeaf’s regulatory posture across several areas. These bulletins follow closely and represent a superset of best practices such as the eight OECD privacy principles, the six GDPR privacy principles, and the ten LGPD principles of data processing that make it mandatory for the data controller and data processor to fully and transparently demonstrate the adoption of effective measures capable of proving compliance with the rules for the protection of personal data.
First and foremost, StarLeaf aggregates international regulatory compliance requirements into the policies comprising its Information Security Management System (ISMS), which adheres to and is organised according to the ISO/IEC 27001:2013 standard. Policies and procedures drive consistent practice throughout the StarLeaf organisation. Training throughout the organisation is based upon the policy and practice of the ISMS.
Second, the company’s practices undergo third-party audit at a minimum of once per year if not more frequently. Overseen by the BSI Group, onsite audit ensures measurement of compliance, and promotes accountability for consistent practices. The results of this audit are published into an assessment report that we make available to data controllers.
Today’s evolving regulations stress that regulated information must be processed lawfully, fairly and transparently. We employ privacy law specialists to ensure the lawful basis for processing is declared in our website privacy notice. For example, the GDPR provides six bases in Article 6(1): consent, contract, legal obligation, vital interests, public task, and legitimate interest. The LGPD permits ten lawful bases: consent, compliance, contract, legitimate interest, judicial proceedings, protection of life, protection of health, research, public administration, and credit protection. Whether under these or other regulations, at StarLeaf we will not process data until the lawful basis is established and documented.
By promoting fairness, we mean that StarLeaf will not mislead data subjects about how we collect their data and how we use it. This ties into transparency, ensuring our privacy notice clearly describes how StarLeaf supports the belief in transparency. For instance, under Article 5.2 of the GDPR, the data controller “must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject” throughout the lifecycle of processing. This means that in all practices, StarLeaf aims to communicate with data subjects in concise, transparent, intelligible, clear and plain language. It also means we try hard to not use overly legalistic, technical or specialist terminology, reducing information fatigue.
Data regulations evolving around the world demand that companies limit what’s collected to the minimum necessary for the purpose needed to accomplish processing. When we collect email addresses to send out news bulletins or meeting invites, we cannot reuse that information for other purposes.
When processing data in Australia, by way of example, StarLeaf works to comply with the thirteen Australian Privacy Principles as set forth in the federal Privacy Act 1988 as amended 22 February 2018; these principles are reflected in StarLeaf’s policies. When processing data in Japan, StarLeaf takes into consideration the eight basic principles under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development.
Several legal mechanisms are employed to facilitate international data transfers. When using other processors located in third countries without a decision of adequacy, we enter into a contract incorporating standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘standard contractual clauses’ (‘SCCs’ or ‘model clauses’).
StarLeaf is committed to practicing data minimisation. We make available in our data processing agreement a declaration of data collected, ensuring it is “adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed”. For example, when users share information with Facebook, privacy advocates take issue when Facebook shares that information with WhatsApp, and vice versa. In essence, if the data is not needed, it must be erased or anonymised. These principles are surfacing in regulations around the world, and StarLeaf updates its privacy notice and data processing agreement to stay current with these developing regulations.
Storing inaccurate data about individuals is a violation of data protection regulations that insist controllers and processors maintain accurate data. The GDPR states personal data stored must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” Some regulations require the controller to honour data subject requests to correct inaccurate data about themselves. At StarLeaf, we support data subject requests that include the correction or erasure of inaccurate data, and we have processes in place to accommodate this.
The GDPR set the bar when it mandated that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed” (Article 5.1.e). This principle limits how long data may be kept and ties into StarLeaf’s data retention policy. While account profile data is kept for the duration of the active account, call records are anonymised after 397 days, meaning the details of the calls and associated diagnostics are deleted at that threshold. We do this to comply with the requirement not to keep data “longer than is necessary”.
Both integrity and confidentiality play a huge role in data security. Regulations based on the OECD tie these ideas to the Security Safeguards Principle, where “personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.” Similarly, the GDPR mandates that regulated data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (Article 5.1.f). StarLeaf employs over 140 controls (safeguards) to comply with regulations and will continue to update its practices as new regulations are introduced, heightening the requirements to protect the information of data subjects. Overall, our services are empowered by robust, resilient, state-of-the-art platforms, overseen by a security and compliance team of specialists, audited independently by a third party.
Privacy in today’s age cannot be an after-thought or add-on; it must be designed into platforms and services from the outset. Evolving data protection regulations, including the GDPR, are demanding this, with principles such as Privacy by Design and Privacy by Default. At StarLeaf, we not only practice those principles, we believe in those principles.
StarLeaf has elected a qualified, lead data protection officer, registered with the UK’s ICO, to ensure that the company processes personal data of customers in compliance with data protection regulations. She monitors compliance with these and other obligations constantly and independently, performing audits and checking record keeping per the requirements of GDPR Article 30.
The contact information for the data protection officer is as follows:
Rebekah Allendevaux, CIPP/E, CIPT, CIS LI, CIS LA
Learn more about how we monitor and comply with the evolving regulatory landscape to protect user information. You can communicate with our security and compliance team by sending your questions or comments to email@example.com.
The StarLeaf Data Processing Addendum (“DPA”) can be viewed here: