General FAQs
When did the GDPR become enforceable?
The GDPR came into force on 25 May 2018. Supervisory authorities in EU member states have been able to enforce it from that date, and individuals are now able to exercise their new rights and bring action directly against companies that breach their rights.
What companies are affected by the GDPR?
The GDPR affects: (1) all companies located in the EU that process personal data in their activities; and (2) any non-EU companies that process personal data about individuals in the EU in connection with either (i) the offering of goods or services, or (ii) the monitoring of their behaviour in the EU.
Where a company subject to the GDPR under one of these tests uses a third party (such as an IT vendor) to process personal data on its behalf, it is legally obliged to: (i) have a contract with that third party; and (ii) include certain terms in that contract regarding the processing of personal data.
What information is protected by the GDPR?
The personal data of anyone located in the EU (whether or not they are an EU citizen) is protected by the GDPR. The GDPR defines personal data as "any information relating to an identified or identifiable natural person" (known as a 'data subject') and says "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
The European Commission have given some examples of this, explaining it includes "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address".
What does the GDPR say about notifying authorities and data subjects if a data breach occurs?
If a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data' occurs:
- the data processor must notify the data controller without undue delay (within contracts we normally agree to inform clients within 24-48 hours to allow the data controller to comply with its reporting obligations)
- the data controller must notify its regulator (for a UK company that is the Information Commissioner's Office (ICO)) without undue delay and where feasible, not later than 72 hours after it first becomes aware
- the data controller must notify affected data subjects without undue delay where the breach is likely to result in a high risk to those data subjects, unless limited exemptions apply
Data subject rights
What is the ‘right to be forgotten’?
This is the right (also referred to as the right to 'erasure') that the GDPR gives individuals to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. It is not an absolute right, but a company must be able to delete personal data on request if the data subject has valid grounds for the deletion.
When does the ‘right to be forgotten’ apply?
The right to erasure does not provide an absolute 'right to be forgotten'. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. The ones that are most likely to be relevant in our business are:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- Where the individual withdraws consent (if the processing was based on consent)
- Where the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- Where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- Where the personal data has to be erased in order to comply with a legal obligation
What are the time limits for erasure of personal data?
One of the principles set out in the GDPR is that no personal data should be held in a form which allows an individual to be identified for longer than necessary for the purpose for which it is obtained. The exception is where there is a legal requirement to keep it longer.
We have defined information retention standards, based on legal, regulatory and good practice guidance, that specify how long each type of data is held for.
What have we done?
How did Computershare respond to the GDPR?
We have invested significant resources into this project, identifying the parts of the GDPR relevant to our business and creating seven workstreams to implement the necessary changes.
We have reviewed and updated all of our contracts impacted by the GDPR. These contracts now include certain specific terms, designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure).
Do you have a Data Protection Officer (DPO)?
Yes, we take data protection extremely seriously and have dedicated DPOs in Europe – one covering the United Kingdom, Ireland and Channel Islands, and the other covering Continental Europe.
Data protection at Computershare
Do you appoint any sub-processors to process data subjects’ personal data?
Yes. Like most large companies, we rely on a range of third-party providers to help us perform certain services. Some of these third parties will have access to personal data in order to perform services for us. They range from IT providers, to facilities management providers, to financial intermediaries such as clearing houses and custodian banks. Where we use sub-processors we conduct appropriate vendor due diligence, ensure appropriate contractual arrangements are in place, carefully monitor performance, and enforce adherence to high information security standards that provide adequate protection for that personal data.
Do you provide information to data subjects at the point that their personal data is first provided to Computershare to tell them what we will use their personal data for?
That depends on whether we are acting as a data controller or a data processor. If we are acting as a data controller we will always provide the required privacy information at the point required by law (normally through terms and conditions and associated privacy statements).
If we are acting as a data processor for another company, it is normally up to the other company to inform data subjects about the transfer of personal data to us, and how we will use that personal data. We are currently reviewing and amending our privacy statements and processes for notifying them to data subjects to ensure compliance with the GDPR.
What technical and organisational security measures do we have in place to protect data subjects’ personal data?
Information security is critical to all of our clients and is therefore a key focus for us. We host over one hundred and twenty-five million records worldwide. The security of these records is of the utmost importance and we continually make sizable investments to protect our information, IT systems, applications, infrastructure and processes. A summary of the security measures implemented can be provided on request.
In line with the GDPR, how long does Computershare hold personal data for?
Computershare seeks to hold personal data in line with its data retention policy, which was reviewed as part of our GDPR project to ensure that it reflects legal and regulatory requirements, and good practice guidance, regarding the duration of processing of personal data.
How will you consider privacy where processes change in the future?
We have a Privacy Impact Assessment procedure that enables the privacy impacts of change to be identified and assessed at the point a change is proposed. This process will support ongoing compliance with the GDPR and continued minimisation of privacy risk to data subjects.
Are you a Data Controller or Data Processor?
Whether we are a data controller or a data processor will depend on the service provided, the processing performed, and where ultimate decision-making responsibility in respect of the personal data lies. We will always be clear in our contracts with corporate and retail clients whether we are acting as a data controller or a data processor.
Any other questions?
If you have any other questions about the GDPR or other European regulations, please contact us.