Thank you for your interest in Patchworks’ approach to the General Data Protection Regulation (GDPR).
Patchworks is undertaking GDPR compliance work to ensure that we safeguard our customer, partner and employee data appropriately. In order to do so we are have developed a formal programme of activity to enhance the existing safeguards we have in place under current data protection legislation.
Provided below is a more detailed description of the updates and enhancements that Patchworks is making to existing data protection measures in response to the GDPR and the forthcoming UK Data Protection Bill.
Patchworks has taken every effort to ensure that the information in this document is informative and helps communicate our guideline approach on GDPR. The information contained in this document is for general information purposes only. Whilst every effort has been made to ensure the accuracy of the statements contained within this document, Patchworks assumes no responsibility for errors or omissions in the contents of this information. In no event shall Patchworks be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the information contained herein. Patchworks reserves the right to make additions, deletions, or modification to the information at any time without prior notice. The information does not form part of any contractual documentation, does not bind Patchworks in any way and should not be relied upon.
My company uses the Patchworks platform (iPaaS) to connect critical systems in my business. Do I need to consider Patchworks within my own GDPR compliance journey?
Yes. From the perspective of the GDPR, the Patchworks platform is a Data Processor, as we transmit and handle personal data from and to your various systems.
Please refer to our Statement of Compliance for more information on how Patchworks are doing everything we can to ensure that we make your GDPR compliance journey easier.
Is Patchworks a Data Controller?
Yes. As with any business operating in the UK and EU, we come under the aegis of the GDPR as a Data Controller, as a result of holding personal data for the following:
- Interested parties
Is there a formal data privacy program in place with an assigned owner?
Patchworks has a long-standing commitment to handling personal data with care and has put in place an ongoing program of work to meet the requirements of the DPA and to prepare for the new legislation coming into force. To enhance the Data Protection operating model in light of GDPR and the new UK Data Protection Bill, Patchworks has a mature GDPR Change and Management Program underway with an Accountable Executive (assigned owner).
Are the lawful bases for the processing of personal data defined and documented?
We determine and document the lawful basis for processing personal data with reference to each type of data processing at the point it is identified.
The lawful basis for processing will be updated as required and will be documented within our Data Process Mapping registers.
The lawful basis for processing will be used by the Patchworks Team to support data subjects exercising their rights.
Is consent used as a lawful basis for processing data? And if so, is it obtained as required by GDPR?
Where processing occurs, we assess the conditions for processing; determine the lawful basis and, in specific cases, consent will be determined to be that basis.
Patchworks’ processes for obtaining consent have been revised in order to meet the requirements of GDPR.
Does your company have a documented, implemented, data retention schedule in place, which covers your client’s personal data?
Yes, this is included within our Data Process Mapping registers.
After a person ceases to be a customer of Patchworks, we may keep their data for up to 10 years for any one of the following reasons:
- To respond to any questions or complaints.
- To demonstrate that we treated you fairly.
- To maintain records according to rules that apply to us.
We may keep data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons. We may also retain data for research or statistical reasons. If we do, we will ensure that data subjects’ privacy is protected and will only use it for those purposes.
Individuals can request that their data be erased and this will be dealt with by the Patchworks Team.
Does your company apply any measures to anonymise, pseudonymise and / or encrypt any of your clients’ personal data?
Patchworks has the capability to encrypt, pseudonymise and anonymise personal data. This may be used as one measure, within a suite of measures, designed to reduce risk where deemed appropriate and as part of an overall risk-based approach to the management of personal data.
Do you process special categories of personal data?
We do not handle, store or process special categories of personal data.
Does the organisation have a personal data inventory and process mapping in place, accompanied by processes and procedures to maintain these?
We have undertaken personal data and process mapping across the organisation to ensure that we document and control all instances where we capture personal data, how it is stored and the legal basis for each instance.
The information is stored in a central system, that is maintained and updated as the organisation changes.
How do you provide the information required as set out in the GDPR to data subjects when their data is collected?
Patchworks has made its full data privacy notice available to customers, interested parties, partners, suppliers and employees via a variety of mechanisms.
In line with ICO best practice, we communicate with individuals as effectively as possible at all times, using a layered approach. For example, abbreviated Data Privacy Notices as appropriate to the situation, supplemented by access to the complete Data Privacy Notice.
Does your company have the capability to erase personal data without undue delay, as outlined in the GDPR?
As outlined above (see data retention schedule FAQ) any requests for personal data to be erased will be dealt with by the Patchworks Team within the defined parameters.
All requests will be handled in a timely manner to ensure compliance with the GDPR.
Does your company have the capability to provide personal data without undue delay, as outlined in the GDPR?
Yes. All requests for personal data will be handled by the Patchworks Team in a timely manner to ensure compliance with the GDPR.
Can your company provide personal data in a machine readable format (i.e. a CSV file), as outlined in the GDPR?
Yes. We will provide data in a machine readable and portable format to ensure compliance with the GDPR, whilst doing our best to meet the needs of the individual making the request.
Does your company have a documented and implemented process to update and / or change personal data?
Yes. As a Data Processor, we have also documented our existing processes for updating and / or changing personal data that we process on behalf of other Data Controllers.
Does your company have documented and approved procedures in place to apply the principles of data protection by design and default (as defined in the GDPR)?
Yes. All changes to the Patchworks Platform that impact the handling and / or processing of personal data are assessed and tracked using Data Privacy Impact Assessments (DPIAs).
IT Security requirements are embedded within our standard operating procedures, ensuring that these are incorporated into systems, tools and processes.
This is all underpinned by a mature and supportive training and learning culture that surrounds all change within Patchworks and ensures that risk is considered at all times.
Does your company, or any of its subcontractors, store or process any personal data outside of the EEA?
Yes. Patchworks handle personal data, both as a Data Processor and as a Data Controller, via third party services and subcontractors that may store data outside the EEA.
Where this is the case, we will ensure that it is protected in the same way as it would be if it stayed within the EEA, by using one of the following safeguards:
- Transfer it to a non-EEA country with privacy laws the provide the same protection as the EEA; or
- Put a contract in place with the recipient that ensures that personal data is protected to the same standards as the EEA; or
- Transfer it to an organisation(s) that are part of Privacy Shield. This is a framework that defines privacy standards for data sent between EU countries and the US. Privacy Shield ensures that data is handled as would be expected were the data to remain in the EEA.
Using the mechanisms outlined above, Patchworks send personal data to processing hubs in the US.
Does your company have a designated Data Protection Officer?
No. Having reviewed the scope of the GDPR with regards to Patchworks as a Data Controller and as a Data Processor and having taken formal advice from a retained third party, we have decided not to appoint a designated Data Protection Officer (DPO).
The GDPR, and the handling of personal data in general, are taken seriously by Patchworks, with our Board taking overall accountability for ensuring that we are compliant and that we make the compliance journey for our customers as easy as we can.
Please contact the Patchworks Team if you require further information with regards to this.
Does your company have documented and approved plans in place to ensure that staff, contractors, consultants and subcontractors are trained and / or made aware of their roles and responsibility in relation to GDPR?
Patchworks has an ongoing programme of awareness communications with all staff, contractors, consultants and subcontractors regarding their roles and responsibilities in relation to data protection.
All members of the Patchworks Team receive data protection training, tailored to the role that they perform, on an ongoing basis throughout their employment.
Training is updated to reflect new regulatory and / or legislative requirements.
Does your company ensure that staff, contractors, consultants and subcontractors sign a confidentiality agreement?
Patchworks endeavours to ensure that all staff, contractors, consultants and subcontractors sign a confidentiality agreement.
Does your company have GDPR compliant processes in place to identify, document, respond to and notify your Data Controllers and / or Data Subjects of any personal data breach without undue delay?
Yes. We have a documented Data Breach Policy.
In Patchworks’ capacity as a Data Processor, the Data Controller will be notified without undue delay should a breach occur.
As a Data Controller itself, Patchworks has reporting obligations to the Information Commissioner’s Office (ICO). Within the constraints of those obligations and our own internal data breach management processes, we will endeavour to inform Controllers in Common of the breach.
In relation to your company’s application of the GDPR, does your company comply with any Code of Conduct, seals or marks (as identified in the GDPR)?
Patchworks regularly reviews the data protection horizon in order to identify such codes of conduct / seals / marks as they become available. When these are identified, Patchworks consider the merits of implementation.
I hope that the above helps to address any concerns that you may have in relation to data protection and our approach to the GDPR, here at Patchworks. Please feel free to contact me, or any of the Company Directors, should you require any further information.
Andy Richley, Head of Marketing
These FAQs were last updated on 23rd May, 2018.