
What is GDPR?

The new EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 (including in the UK, regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, along with more stringent enforcement and substantially higher penalties than the current Data Protection Act (DPA), which it will supersede.

How is Claritum preparing for it?

Claritum is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards and will comply with applicable GDPR regulations when they take effect in 2018, as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

The company has two main areas of focus in preparing for GDPR overseen by an internal cross-functional team:

  1. Building on existing security and business continuity management systems and certifications (including ISO 9001) to ensure our own compliance.
  2. Product programmes to support compliance for users of our software applications including solutions to streamline the process and drive greater efficiency.

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

Compliance

Claritum already has robust information security policies and procedures but policies such as Incident Response Plans and Backup Data Retention will be reviewed and updated.
Compliance will also be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

Contract Update

A new addendum to your current contract is being prepared and Customer Services will be contacting you to get this approved and in place.
This addendum covers the rights and responsibilities on both sides, with you as the ‘data controller’ and Claritum as the ‘data processor’ under the terms of the GDPR.

ISO 9001

As with all compliance programmes, clear documentation of and consistent adherence to the policies is key and so Claritum is working towards ISO 9001 compliance. More information about this will be available over the coming months.

Data Protection Officer

Even though (technically) Claritum are not required to do so under the terms of the GDPR, Claritum have appointed a Data Protection Officer (‘DPO’) whose task is to inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, providing necessary security and ongoing delivery of objectives.
Queries regarding GDPR specifically can be sent to gdpr@claritum.com.

Claritum Application Development

Claritum’s software development methodologies ensure that the security and integrity of the software and platform are maintained at all times. Within our GDPR programme, Claritum continue to review and update these procedures as necessary.

Claritum Platform

Claritum are committed to continually developing and maintaining the application, adding value and providing efficiencies to help your business grow. Along that journey, and as we identify them, we will also be including improvements to the platform to assist you (the data controller) in fulfilling potential GDPR compliance requests from your customers.
These efficiency improvements will be announced along with other release notices in the usual way.

Personal Data Mapping - Data Subjects and Elements

As a Data Processor, we manage the following personal data in Claritum on behalf of our Customers:

Data Subject: Supplier User
Personal Data Elements:
  • Name and Surname
  • Email
  • Phone Details
  • External ID
  • Place of Work

Data Subject: Customer User
Personal Data Elements:
  • Name and Surname
  • Email Address
  • Phone Details
  • Fax
  • Cost Centre
  • Physical Address
  • External ID
  • Gender
  • Place of Work
  • Image
  • Banking Details

Data Subject: Service Manager
Personal Data Elements:
  • Name and Surname
  • Email Address
  • Phone Details
  • Place of Work
  • External ID
  • Banking Details

Additionally, we have prepared a ‘map’ of all the places where potentially ‘personally-identifiable’ information may come into the Claritum system. This map also details which types of users may access the data and to what extent (viewing/reading, updating, both).
This data ‘map’ can be found here

Where is Claritum Data stored?

The Claritum system runs on Rackspace Public Cloud. UK and European customers are hosted in their London (UK) region.
The data centers meet the following standards:
For full information on Rackspace's data centers, please see their Global Infrastructure and Uptime. For information on the security, please see their Global Enterprise Security guide.
Rackspace have also released their GDPR statement and a shared FAQ list, which can be viewed on their website: https://www.rackspace.com/en-gb/gdpr

Systems and Personal Data we share to support our Customers

As a Data Controller, we securely store your information in other applications, allowing us to support you and your organisation on a daily basis.

Data Processor: Atlassian
  https://www.atlassian.com/trust/security
  https://www.atlassian.com/gdpr
Data Subject: Service Manager
Category: Support Portal
Personal Data Elements:
  • Name and Surname
  • Email Address
Purpose: Manages support tickets

Data Processor: Aha!
  https://www.aha.io/legal/security
Data Subject: Service Manager
Category: Ideas Portal
Personal Data Elements:
  • Name and Surname
  • Email Address
Purpose: Manages improvement requests, new features and functionality requests

Data Processor: HubSpot
  https://www.hubspot.com/data-privacy/gdpr
Data Subject: Marketing Contacts, Sales Contacts, Service Manager
Category: CRM and Marketing, Emailing
Personal Data Elements:
  • Name and Surname
  • Email Address
  • Company Address Information
  • Phone Number
  • Title
Purpose: Marketing and customer relationship management tool. Align inbound and outbound marketing campaigns across the customer lifecycle


