General Data Protection Regulation

 

Overview

This document outlines how Learning Nuggets Company Limited (“Learning Nuggets”) complies with the European Union General Data Protection Regulation (“GDPR”).

Learning Nuggets’ data protection project (the “Project”) is designed to safeguard Personal Data according to the GDPR requirements. In particular, this document describes the elements pursuant to which Learning Nuggets intends to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security of Personal Data, and (iii) protect against the unauthorised access or use of Personal Data in ways that could result in substantial harm to Learning Nuggets’ customers and their respective clients.

Scope of the Project

This applies to personal data (as defined by the GDPR) that is accessed or received by Learning Nuggets acting as a data processor on behalf of its customers (data controllers) in connection with providing the contracted services (“Personal Data”).

Official GDPR Compliance Statement

Learning Nuggets currently processes Personal Data lawfully in accordance with the Data Protection Directive. With respect to the GDPR, which will apply from 25 May 2018, we are now compliant.

Appointment of a Data Protection Officer

Learning Nuggets’ Data Protection Officer (“DPO”) is responsible for coordinating and overseeing the Project. The DPO may designate other representatives of Learning Nuggets to oversee and coordinate elements of the Project.

Privacy Impact Assessment

Learning Nuggets identifies and assesses external and internal risks to the security, confidentiality, and integrity of the Personal Data that could result in the unauthorised disclosure, misuse, alteration, destruction or other compromise of such information. The DPO will, on a regular basis, implement safeguards to control the risks identified through such assessments and regularly test or otherwise monitor the effectiveness of such safeguards.

Overseeing Sub-Processors of Personal Data

The DPO coordinates with those responsible for sub-processor-related activities to raise awareness of, and to institute methods for, selecting sub-processors that are capable of maintaining appropriate safeguards for Personal Data. In addition, the DPO works with Learning Nuggets’ legal team to develop and incorporate standard contractual protections applicable to sub-processors, which will require such providers to implement and maintain appropriate data protection safeguards. The DPO can provide evidence of these agreements upon request.

Data Hosting Services

Generally, Learning Nuggets utilises data hosting services provided by CustomPublish AS (“CustomPublish”), and access is controlled by CustomPublish according to its data protection policies and procedures. You can read further details on CustomPublish’s GDPR compliance at https://www.custompublish.com.

Protecting Access to Data

Learning Nuggets has in place a management system that allows controlled access to its computing resources and data owned or controlled by Learning Nuggets. Learning Nuggets enforces information security controls, data classification policies and authorisation mechanisms that specify the level of access for a user, a process, or a system. Learning Nuggets has also established the requirements for ensuring authorised use of its computing resources via proper user identification and password authentication.

Data Retention

Learning Nuggets retains and destroys as necessary the records received or created in the transaction of its business in accordance with regulatory requirements and contractual agreements. Learning Nuggets actively applies a data retention policy to all systems.

Encryption

Learning Nuggets encrypts all personal data at rest and in transit when it acts as the data processor or controller.

Data Breach Notification

Learning Nuggets has developed and implemented a data breach response plan designed to provide guidance to employees and contractors on how to report suspected data breaches. Upon becoming aware of an issue involving Personal Data, employees and contractors must report the issue immediately to the DPO. The steps in the response plan include performing a risk analysis of each suspected data breach to determine whether the event requires notification under the GDPR.

Training and Education

The Project policies and procedures are communicated to all employees and contractors either directly on hire or annually as part of formal Quality and Information Security Training. Significant changes to policy and legislation, including GDPR, are delivered via special training sessions to the entire organisation. A record of this is held centrally by the DPO. Further, employees and contractors are bound by confidentiality provisions written into all contracts, both permanent and temporary.

Contacting Us

If you have any additional questions or need assistance, please contact our DPO, john.broni@thelearningnuggets.com. For more information, see our Terms of Use, Privacy Policy and Cookies.