General Data Protection Regulation
This document outlines how Learning Nuggets Company Limited (“Learning Nuggets”) complies with the European Union General Data Protection Regulation (“GDPR”).
Learning Nuggets’ data protection project (the “Project”) is designed to safeguard Personal Data in accordance with the GDPR requirements. In particular, this document describes the measures by which Learning Nuggets intends to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security of Personal Data, and (iii) protect against the unauthorised access or use of Personal Data in ways that could result in substantial harm to Learning Nuggets’ customers and their respective clients.
Scope of the Project
The Project applies to personal data (as defined by the GDPR) that is accessed or received by Learning Nuggets, acting as a data processor on behalf of its customers (the data controllers), in connection with providing the contracted services (“Personal Data”).
Official GDPR Compliance Statement
Learning Nuggets currently processes Personal Data lawfully in accordance with the Data Protection Directive. With respect to the GDPR, which applies from 25 May 2018, we are now compliant.
Appointment of a Data Protection Officer
Learning Nuggets’ Data Protection Officer (“DPO”) is responsible for coordinating and overseeing the Project. The DPO may designate other representatives of Learning Nuggets to oversee and coordinate elements of the Project.
Privacy Impact Assessment
Learning Nuggets identifies and assesses external and internal risks to the security, confidentiality, and integrity of Personal Data that could result in the unauthorised disclosure, misuse, alteration, destruction or other compromise of such information. On a regular basis, the DPO implements safeguards to control the risks identified through such assessments and tests or otherwise monitors the effectiveness of those safeguards.
Overseeing Sub-Processors of Personal Data
The DPO coordinates with those responsible for sub-processor-related activities to raise awareness of, and to institute methods for, selecting sub-processors that are capable of maintaining appropriate safeguards for Personal Data. In addition, the DPO works with Learning Nuggets’ legal team to develop and incorporate standard contractual protections applicable to sub-processors, which require such providers to implement and maintain appropriate data protection safeguards. The DPO can provide evidence of these agreements upon request.
Data Hosting Services
Generally, Learning Nuggets utilises data hosting services provided by CustomPublish AS (“CustomPublish”), and access is controlled by CustomPublish according to its data protection policies and procedures. Further details on CustomPublish’s GDPR compliance are available at https://www.custompublish.com.
Protecting Access to Data
Learning Nuggets has in place a management system that allows controlled access to its computing resources and to data owned or controlled by Learning Nuggets. Learning Nuggets enforces information security controls, data classification policies and authorisation mechanisms that specify the level of access granted to a user, a process, or a system. Learning Nuggets has also established requirements for ensuring authorised use of its computing resources via proper user identification and password authentication.
Learning Nuggets retains, and destroys when no longer required, the records received or created in the transaction of its business, in accordance with regulatory requirements and contractual agreements. Learning Nuggets actively applies a data retention policy to all systems.
Learning Nuggets encrypts all personal data at rest and in transit when it acts as the data processor or controller.
Data Breach Notification
Learning Nuggets has developed and implemented a data breach response plan designed to provide guidance to employees and contractors on how to report suspected data breaches. Upon becoming aware of an issue involving Personal Data, employees and contractors must report the issue immediately to the DPO. The plan includes performing a risk analysis of each suspected data breach to determine whether the event requires notification under the GDPR.
Training and Education
The Project policies and procedures are communicated to all employees and contractors on hire, and annually thereafter as part of formal Quality and Information Security Training. Significant changes to policy and legislation, including the GDPR, are delivered via special training sessions to the entire organisation. A record of this training is held centrally by the DPO. Further, employees and contractors are bound by confidentiality provisions written into all contracts, both permanent and temporary.