StarLeaf and GDPR compliance

StarLeaf’s commitment to the General Data Protection Regulation

The EU General Data Protection Directive (GDPR) is the most significant privacy legislation in decades, creating a unified set of data protection law across Europe. The GDPR replaces the 1995 EU Data Protection Directive known as European Directive 95/46/EC, fortifying the rights that EU persons have over their personal data. The law will also be adopted and policed by the United Kingdom after Brexit, according to the UK’s ICO website.

StarLeaf is committed to the highest standards of information security, privacy and transparency. Toward this, StarLeaf will comply with the GDPR as a data controller and data processor before the effective date of 25 May 2018, whilst also working closely with our customers and partners to meet contractual obligations for our services and procedures.

StarLeaf and GDPR

StarLeaf initiated GDPR preparations during 2017, reviewing all of its internal policies, processes, procedures, data systems and documentation to ensure readiness. In ongoing efforts toward GDPR compliance, the following activities have been underway:

• Updating privacy statements to ensure transparency regarding consent, right of access, the type of information collected, where it is stored, to where it may be transferred, lawful basis for processing personal data, how to redress personal data, and other aspects required by GDPR
• Implementing data processing agreements between data controllers and data processors
• Implementing standard contractual clauses for cross-border data transfers to ensure adequate protections safeguard personal data
• Updating third-party vendor contracts to meet the requirements of GDPR with proper flow-down terms
• Updating policies and procedures to ensure data controller and data processor responsibilities are documented and practised between StarLeaf, its partners, and its customers
• Updating breach notification procedures to detect, report, and investigate any potential data breach
• Analyzing all StarLeaf systems and features to determine where improvements or additions can be made to make them more efficient for customers that are subject to GDPR
• Training staff about the importance of GDPR practices and sufficient safeguards that must be observed with vigilance
• Implementing security by design into StarLeaf services and technologies platforms

These items are in-progress and being tracked by a committed GDPR task force.

What’s next

During 2017, StarLeaf retained a third-party information security and compliance firm, Allendevaux & Company , to conduct a gap analysis of its environment, policies, procedures and practices regarding GDPR’s requirements. Thereafter, StarLeaf began implementing an Information Security Management System (ISMS). All GDPR requirements are being woven into the policies and procedures of the ISMS, which will be third-party certified in an ISO/IEC 27001:2013 governance programme and audited on a regular basis. Implementing ISO27001 raises the bar through independent verification that security practices and compliance activities meet international best practices for information security and compliance.

Amendments to data processing agreements will be made available to our customers and partners soon, along with other materials to assist with GDPR efforts. If you have any questions, please reach out to your StarLeaf representative, or send an email to John Croft at john.croft@starleaf.com.

Associated documents

• StarLeaf GDPR statement
• StarLeaf DPA