Access Intelligence Trust Centre
Access Intelligence on GDPR
This General Data Protection Regulation Evidence Pack covers the following corporate entities:
- Access Intelligence
- Access Intelligence Media Comms (AIMC) trading as Vuelio
- Access Intelligence Media Data (AIMD) trading as Vuelio
- Fenix Media trading as Pulsar
- ResponseSource Ltd
- All operating from The Johnson Building, 79 Hatton Garden, London, EC1N 8AW
In this document, these corporate entities will be collectively referred to as “Access Intelligence”.
1. Introduction to GDPR
The EU General Data Protection Regulation (EU GDPR) came into effect on May 25th, 2018 and reshaped the data protection laws of all 28 countries in the European Union. This affected the operating procedures and systems of all organisations which process personal data. On 31st December 2020, the UK left the EU (“Brexit”) and retained EU GDPR in domestic law, but the UK now has the independence to keep the framework under review.
The UK General Data Protection Regulation (UK GDPR) is part of the new data protection landscape that includes the Data Protection Act 2018 (the DPA 2018). The UK GDPR sets out requirements for how organisations need to handle personal data. The UK GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. The key principles, rights and obligations remain the same.
Access Intelligence deals with a large quantity of personal data and closely follows this legislation; as such, we are fully prepared to meet the requirements outlined within the Regulation and can demonstrate safe and secure personal data management practices across all areas of the business.
Article 5 of the Regulation sets out the principles relating to the processing of personal data: how it should be processed, for how long, which restrictions are needed, and details of the safeguards which are in place to prevent misuse. The Data Controller and Data Processor both need to demonstrate full compliance with the Regulation – to evidence this, Access Intelligence has prepared this document to communicate our position on the major points of the GDPR and to provide ready context for Clients interested in their own preparedness.
Article 6 of the GDPR states that personal data processing can only take place if one (or more) of six legal bases defined within the Regulation has been established by a Data Controller.
For Pulsar, both the Client and Pulsar are Data Controllers in their own right. Pulsar controls the collection of personal data within the product. However, Pulsar would still be a Processor for any data the Client added to the product.
For Vuelio, the Client is the Data Controller and Vuelio acts as the Data Processor by enacting their lawful, written data processing instructions. Vuelio will conduct data processing necessary for the Client purposes and as contracted with the Client as the Data Controller.
All Data Controllers must be registered with the ICO. Access Intelligence and Pulsar are controllers of their own internal business processing. Vuelio & ResponseSource also maintain and provide a Media and Political Contact Database as part of the Platform and, in this context, are the Data Controller, using Legitimate Interests as the legal basis for the provision of this data to Clients to communicate with these Contacts. ICO registration certificates are as follows:
- Access Intelligence plc
- AI Media Data Ltd (Vuelio)
- Access Intelligence Media and Communications Ltd
- ResponseSource Ltd
- Fenix Media Ltd (Pulsar)
2. Data Protection by Design and by Default
One of the core guiding principles of the General Data Protection Regulation is the requirement for “data protection by design and default”. Outlined in Article 25 of the Regulation, this is demonstrated through Access Intelligence’s commitment to implementing a framework of appropriate technical and organisational measures which will ensure effective data protection, and only undertaking the processing of personal data that is necessary for a specific task at a given time. Technical measures include designing out any potential software or development vulnerabilities, limiting access to personal data repositories within all Access Intelligence platforms, security and penetration testing of applications, as well as providing means for the Client to comply with their own personal data retention and disposal requirements.
3. Data Protection Impact Assessments, Risk Mitigation and the Confidentiality, Integrity and Availability of Information
Data Protection Impact Assessments (DPIA) are highlighted within the GDPR as necessary when the controlling or processing of personal data is likely to present a high risk to the rights and freedoms of a data subject. The Data Controller is required to conduct and record these assessments prior to commencing the processing of personal data, and in doing so will highlight and mitigate any risks that need to be addressed.
Access Intelligence has undertaken Data Protection Impact Assessments (DPIA) against all key data processing activities and these will be reviewed annually (at a minimum) to ensure that they remain current and relevant. In addition, Access Intelligence reviews the confidentiality, integrity and availability of all data under its control, and records those reviews in formal risk assessments which are externally validated as part of our ISO 27001 certification.
4. External Validation
Trust between Data Controllers and their selected Data Processors is of paramount importance, which is why Access Intelligence remains committed to demonstrating full regulatory compliance with all applicable legislation, regulations and standards.
In respect of the changes to Article 27 following Brexit, Access Intelligence partnered with GDPR Local to offer data subjects living in the EU a local representative. A team of external DPOs then reviewed our data protection policies, processes, and records. Access Intelligence was approved to meet GDPR compliance requirements.
Access Intelligence is ISO/IEC 27001 certified. This is an international standard for Information Security Management that demonstrates an ongoing commitment to apply the most rigorous risk management model to protect information and data belonging to both our clients and the Group.
The standard forms the basis for effective management of confidential information and the application of information security controls. It recognises an ongoing commitment to review systems and suppliers, identify risks, assess implications and put controls in place for data security. This includes auditing all systems, information assets, operational processes, legal and regulatory requirements, and an ongoing training programme to strengthen the organisation’s expertise in risk management and data security.
ISO 27001 recognises the Group’s exceptional standards in data management and security. This benefits all clients who can rely on the Company’s ability to store and process sensitive data in a secure way underpinned by robust systems, increased business resilience, and exceptional management processes.
In addition, Access Intelligence uses specialist external third parties to undertake regular security and penetration testing of our platform, systems and applications.
5. Data Subject Rights
A key provision of GDPR is the expansion of the rights of data subjects to access, track, correct, restrict and erase their personal data which may be in the possession of a data processing organisation.
Within the GDPR there are several significant rights afforded to data subjects that can potentially affect operations undertaken by Access Intelligence (as a Data Processor for the Client) and for Media and Political Contacts where Vuelio & ResponseSource are the Data Controller. They are as follows:
a. The right of access by the data subject – The data subject can request from the Data Controller confirmation as to whether personal data concerning them is being held. If that is the case, the data subject can then request details of the information, including the purpose of the data processing, details of where it has been disclosed, the period for which the personal data will be stored, etc.
b. The right to rectification (correction of data held) – The data subject can obtain from the data controller the correction or completion of any inaccurate or incomplete personal data that is being held about them.
c. The right to erasure (‘right to be forgotten’) – The data subject can request deletion of their personal data in certain situations, for example where the data has been processed unlawfully, is no longer needed for the purposes for which it was originally gathered, a legal obligation applies, or simply where the data subject has withdrawn their consent.
d. The right to object to processing – The data subject can request that the data controller ceases processing of their personal data where the accuracy of the data is contested, the processing is unlawful, and where the use of the data is no longer necessary.
e. The right to restriction of processing – The data subject can request that the data controller restricts the processing of their personal data where the accuracy of the data is contested, the processing is unlawful, and where the use of the data is no longer necessary.
f. The right to data portability – Under certain circumstances, the data subject can request an export of their personal data from the data controller directly to them, or from the controller directly to another data controller.
In each of these cases, Access Intelligence will be enhancing the technical functions within the platforms to assist the applicable Data Controller (our customer) in meeting their obligations.
6. Data Processing Agreements
Data processing terms are included in all contracts with clients and suppliers.
Under the GDPR, Data Controllers must provide their Data Processors with clear documented instructions regarding the authorised processing activities for their personal data that is stored within the Access Intelligence Platforms.
If the processing involves international data transfers to a country without an adequacy decision from the EU (a restricted transfer), the Data Processing Agreement (DPA) will also include Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreement (IDTA), to add extra protection to the data once transferred out of the UK/EU.
Access Intelligence will not undertake any personal data processing activities that are not described within the Client’s documented instructions. To this end, Access Intelligence has incorporated documented instructions pertinent to our platform and delivery of services in our Terms and Conditions to aid in uniformity of processing; in contrast to holding thousands of separate (and disparate) documented instructions, we can ensure a consistent experience for clients and reduce any risk of error.
The Client must conduct any Data Protection Impact Assessments (DPIA) and risk assessments that are necessary in connection with the personal data processing activity, and be prepared to share the results with Access Intelligence if requested to demonstrate compliance.
7. Resilience, Testing and Security Controls in Place
The Access Intelligence Group – including its brands Vuelio, ResponseSource and Pulsar – has achieved the ISO/IEC 27001 certification. This is an international standard for Information Security Management that demonstrates an ongoing commitment to apply the most rigorous risk management model to protect information and data belonging to both the Group and its clients. For more information about security certifications please see our Trust Centre.
Access Intelligence’s main resilience objective is to ensure that we deliver our availability commitments as recorded within each Client’s contracted Service Level Agreement.
Vuelio operates from several segregated data centres within the UK, with our backup site and automated failover procedures designed to minimise Client service disruption in the event of a service-affecting incident.
Pulsar is hosted on cloud infrastructure in Ireland, with automatic scaling and replication in multiple isolated locations in place to minimise Client service disruption in the event of a service-affecting incident.
Access Intelligence also has an established set of business continuity scenarios mapped out and is ready to implement these if a situation so requires (see ISDL08).
Security testing is carried out on a regular basis by internal and external teams to test aspects of operational preparedness and the management of potential risks, threats and vulnerabilities. We conduct regular penetration tests and risk assessments (see ISDL31) of our physical and digital security controls in line with the requirements of our Information Security Management System (ISMS).
Access Intelligence maintains separate development and test environments away from its production environments, and follows secure development (see ISDL77), testing and change control (see ISDL54) principles that are designed to prevent information security incidents.
Access Intelligence’s Information Security Management System (ISMS) is ISO 27001 certified, and has embedded policies, processes and procedures throughout the organisation to ensure compliance with the organisation’s information security (see ISDL01) and data protection (see ISDL13) requirements. Access Intelligence delivers a framework of regular internal audits (see ISDL14) and risk assessments to drive continuous improvement by identifying and developing all aspects of information security across the business. The controls established in the ISMS deliver a robust framework of governance and protection (see ISDL325), not just for Access Intelligence, but for our Clients and any associated data subjects.
Access Intelligence maintains a data retention policy and supporting schedule, to make certain that personal data is only retained for as long as is necessary to carry out the specific data processing task that is required.
Access Intelligence products provide tools for the Client to manage their own data retention requirements. At the point at which the data is no longer needed, the data can be highlighted and securely erased, with the backups securely overwritten after 28 days. After this time, we are not able to perform any data recovery requests for our Clients.
8. Staff Access and Responsibilities
Access Intelligence carefully selects and recruits personnel to ensure the highest possible standards of professionalism and to screen (see ISDL55) any potential security risks before they could impact the business. Personnel are subject to vetting and, where applicable, police security checks. All staff are required to sign formal non-disclosure agreements as part of their onboarding process alongside their contractual terms of employment.
Access Intelligence takes training and awareness regarding information security and data protection seriously. Staff are trained (see ISDL02) during their induction process on a variety of information security topics with a separate breakout session addressing GDPR compliance. Access Intelligence also undertakes role-specific training to cover relevant threats that may be encountered by various positions throughout the organisation, as well as running annual refresher training courses and ad-hoc sessions to address situations that have arisen and require the business’s action.
Access Intelligence employs a principle of minimum access, such that staff are afforded access only to the data and tools necessary to complete the tasks required of their role (see ISDL07). If this needs to be changed, management approval is requested to decide whether a different level of access should be granted and on what basis. Access Intelligence undertakes regular reviews of the access granted to all users to determine whether it is in line with their current role, as well as reviewing access and activity logs.
As part of Access Intelligence’s commitment to transparency, Access Intelligence will disclose its use of approved sub-processors, assigning work to them within strict contractual boundaries. We will always declare any sub-processors used for a Client and we will communicate the mapping of the data flow of personal information to and from them. When changing sub-processors, Access Intelligence will update this list not less than 4 days in advance of the date on which the change of sub-processor is effected. All sub-processors are carefully selected (see ISDL19), and are subject to ongoing checks and validations to ensure that they have GDPR-compliant information security processes and data protection practices that are no less stringent than our own.
Our contracts with sub-processors include key clauses to ensure acceptable standards of information security and data protection. If suppliers are processing data outside the UK/EU, or another country deemed by the EU to have “adequate” data protection laws, we will add further agreements in the form of either Standard Contractual Clauses (SCCs) or an International Data Transfer Agreement (IDTA).
Access Intelligence maintains a register of Sub-Processors, available at http://www.accessintelligence.com/trustcentre/sub-processors/
10. Record Keeping
Outlined in Article 30 of the Regulation are the record-keeping responsibilities of both the Data Controller and the Data Processor. Access Intelligence manages record keeping and retention periods for Access Intelligence’s data and for the Data Controller’s use of the Vuelio, Pulsar and ResponseSource Platforms. Access Intelligence’s record-keeping responsibilities include keeping the following records:
a. Client Contracts with specific Data Processing Instructions
b. Supplier Contracts and Supply Chain Risk Management
c. Internal and External Audit Reports
d. Data Protection Impact Assessments (DPIAs)
e. Software Testing Reports
f. Data subject rights requests (DSARs)
g. Privacy Policies (version controlled and tracked)
h. Client service cases (including their content and status information)
i. Records of ownership
j. Staff training in matters of Information Security and Data Protection
k. Access control information for physical locations
l. Application access logs
m. Data breaches and security events (real or simulated)
n. Penetration testing reports and results
o. External reports to relevant supervisory authorities
11. Information Commissioner’s Office (ICO)
Access Intelligence is committed to ensuring that its Clients receive the highest standard of assistance in the event of an information security incident or data breach affecting personal data. Since the Client is the Data Controller in most cases, it falls to the Client to report such incidents to the Information Commissioner’s Office (the UK’s supervisory authority) in a timely manner (within 72 hours of becoming aware), and to communicate details of the incident to the affected data subjects. Our Data Protection Officer heads an internal team responsible for investigating and reporting any information security incidents, and ensures that these reports are provided to the appropriate Client promptly. Access Intelligence operates to an internal deadline of 24 hours from breach discovery to make a full report available to the Client. The incident report provides the following information where applicable:
a. Date and time of incident, date and time of incident discovery and reporting
b. Nature of incident; categorisation and description of the personal data involved
c. Description of incident
d. Disclosure of any data processors, sub-processors or third parties involved with the breach
e. Breakdown of immediate actions and resolutions, including steps to reduce further breaches
f. Root cause analysis
g. Supervisory Authority notification actions undertaken
h. How data subjects have been affected
12. Data Protection Contact
As part of Access Intelligence’s commitment to data protection and operational improvement, we have appointed a Data Protection Officer who oversees all GDPR, ISMS and information security governance activities. External parties, individuals and data subjects can get in touch via:
Information Security & Data Protection Officer
The Johnson Building
79 Hatton Garden