Brooknight Security is committed to maintaining the highest degree of integrity in all our dealings with potential, current and past clients of BROOKNIGHT. Brooknight is committed in normal commercial confidentiality and the protection of all personal information received during providing the business products and services provided by BROOKNIGHT.
BROOKNIGHT extends the same standards to all our clients, suppliers and associates. We will comply with the legislative requirements regarding confidentially and data protection and will ensure all our sub-contractors and third-party suppliers (Sub Data Processors) agree and adopt our non-disclosure agreement and conditions for operating and processing our client data.
We conduct our own services honestly and honourably and expect our clients (Data Controllers) and Sub Data Processors to do the same. Our advice, strategic assistance and the methods imparted through our services take proper account of ethical considerations.
Through our actions and advice, we will always try to conform to relevant law and BROOKNIGHT believes that all businesses and organisations, including our own business, have a duty of care to avoid causing any adverse effect on the rights and freedoms of individuals.
Our contract and/or terms and conditions of engagement will usually be in the form of a detailed proposal, including aims, activities, costs, timescales and deliverables. They are supported by our General Data Protection Regulation (GDPR) statement of intent (see below) in respect of our processing activities as a Data Processor / Sub Data Processor under the GDPR.
The quality of our services and the value of our service to our clients are paramount to us and we will always strive to meet our clients’ contractual requirements. We shall ensure a compliance review is carried out against our own processing activities as a Data Processor / Sub Data Processor when supplying detailed information to our clients and ensure that all our Sub Data Processors do the same.
BROOKNIGHT retains the moral rights in, and ownership of, all intellectual property that we create unless agreed otherwise in advance with our clients. In return we respect the moral and intellectual copyright vested in our clients’ intellectual property. Our suppliers are under strict terms of confidentiality not to disclose, disseminate and/or inform any third party about BROOKNIGHT, clients, business or individual (data subjects) personal identifiable information.
BROOKNIGHT maintains the quality of what we do through constant ongoing review with our clients, of all aims, activities, outcomes and the cost-effectiveness of every activity. We encourage regular review meetings and provide regular progress reports on the services we are engaged to deliver.
BROOKNIGHT endeavours to conduct all our activities with professionalism and integrity. We take great care to be completely objective in the judgement and any recommendations that are proposed, so that issues are never influenced by anything other than the best and proper interests of our clients.
BROOKNIGHT always strives to be fair and objective in our advice and actions. We practice compliance with all forms of discrimination legislation, and actively promote policies and procedures to ensure that no person is ever disadvantaged by reason of their racial or ethnic origin, or on grounds of gender, sexual orientation (including gender reassignment), marital status, age, nationality, religion or belief or disability or any action which may constitute harassment of any kind.
This ‘position statement’ sets down our approach with regard to compliance with our obligations under GDPR in relation to:
The role of the Data Processor is the processing of the data under the instructions of the Data Controller, (our clients). Under the GDPR, BROOKNIGHT will:
As a software and service provider BROOKNIGHT, as a Data Processor, supports PBD principles in delivery of a solution, whether it be out-of-the-box or is uniquely configured or a customised solution. The software and services provided by BROOKNIGHT will follow our own software and Service Development Life Cycle (SDLC) and corresponding IT development processes to cover the lifecycle of an information system which holds PII:
BROOKNIGHT is fully aware that as a Data Processor we need to support our clients as Data Controllers. There are key areas of data management and protection relevant to the GDPR Articles and Recitals which influence the SDLC’s functional and technical planning requirements regarding adopting a PBD approach when implementing data protection into the system and organisation as a legal requirement.
We understand under Article 25-1/3 our clients, as Data Controllers, shall determine the means of processing as well as the risks of varying likelihood and severity for the rights and freedoms of an individual and in doing so they need to implement appropriate technical and organisational measures for security when it relates to PII as much as for pseudonymisation data sets.
Under Recital 78 our clients, as Data Controllers, will be required to demonstrate compliance to adopt and implement measures which meet the Principles of data protection by design and data protection by default. Among other things, transparency will need to be demonstrated regarding functions and to enable the individual (data subject) to monitor the data processing, enabling proper security controls are in place.
Where developing, designing, selecting and using applications, products and services that are based on the processing of personal data or the processing is necessary to fulfil a task, BROOKNIGHT, as a Data Processor, will take account of both the rights of individuals and the GDPR obligations of their clients as Data Controllers when developing and designing our products, services and applications. This will include performance of Privacy Impact Assessments (PIAs) regarding our products and services for general application. However, clients should note that such PIAs will not be specific to a client’s use of personal data that it may hold as a Data Controller, for which the client alone must perform its own PIA when deploying BROOKNIGHT software and services to comply with Articles 23 and 25.
Data is secured, and the integrity and confidentiality are maintained, using technical and organisational means under the management of our client as a Data Controller when they position the software solution or product inside their own IT infrastructure. When using BROOKNIGHT data centre or storage services, BROOKNIGHT may use the services of a third party (Microsoft Azure, Amazon Web Services) which is as an EU based company and will act as a Sub Data Processor of BROOKNIGHT. When we use Sub Data Processors, BROOKNIGHT will ensure full compliance required under the GDPR is observed as follows:
Article 5.1(f) Personal data will be processed in a manner that ensures appropriate security, protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Using appropriate technical or organisational measures (‘integrity and confidentiality).
Article 24 To support where applicable the responsibility and liability of a Data Controller in the requirement of responding to any risk or security assessments regarding the processing of PII in relation to their data subjects. It is understood by BROOKNIGHT that the role of the Data Controller is to ensure appropriate technical and organisational measures are in place to ensure and demonstrate compliance and are regularly reviewed.
As referred in Article 42 adherence to approved codes of conduct and/or approved certification mechanisms may be used as an element of demonstrated compliance.
Article 32-1 (b-d) It is the Data Controller’s responsibility to i) ensure ongoing confidentially, integrity, availability and resilience of processing systems and services; ii) restore and make available or accessible personal data in a timely manner in the event of a physical or technical incident; and iii) regularly test and evaluate the effectiveness of the technical and organisational measures for security.
Recital 49 The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams, computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the Data Controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
BROOKNIGHT will assist their clients if they require a system configuration regarding data encryption or pseudonymisation. Article 6 – 4(e) states a Data Controller shall consider the existence of the appropriate safeguards, which may include encryption and pseudonymisation. Article 32-1(a) states a Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including amongst other things as appropriate for the pseudonymisation and encryption of personal data.
Under GDPR Recital 26 it clearly states the Data Controller needs to abide by the Principles of data protection and that this should apply regarding PII which has undergone pseudonymisation, where if it is attributed to an individual using connecting information would be considered PII. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as costs of the amount of time required for identification, taking into consideration the available technologies at the time of the processing and their developments.
Recital 28 – The application of the pseudonymisation to personal data can reduce the risks to the data subject; explicit introduction of ‘pseudonymisation’ in the GDPR is not intended to preclude any other measures of data protection.
Recital 29 – The purposes are to create incentives to apply pseudonymisation as a practice when processing PII. The GDPR is implemented in such a way that additional PII to a specific individual (data subject) is kept separately. The Data Controller processing the PII should indicate the authorised person within the same controller, for example separate departments. The Data Controller should also remove all PII indicators when processing data and ensure no link can be made to reconstitute the data back to an individual (data subject).
Under the Recital 83, the Data Controller and Data Processor should evaluate the risks inherent in the processing and implement measures to mitigate risks, such as encryption. Appropriate security measures such as confidentiality, to ensure consideration is applied to the risks such as accidental loss, unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may lead to physical, material or non-material damage to an individual(s).
As detailed in Recitals 39 and 58 the principle on transparency makes it clear that our client, as a Data Controller, is required to meet their obligations and BROOKNIGHT shall, as their Data Processor, will assist our client to meet their obligations. The products and services which hold and process PII will be required to comply with the GDPR Principles and the rights of individuals (data subjects).
The right to port data is a complex matter, and needs a case by case review, but system holding data would have the ability to allow a Data Controller to make that determination. As much as to meet Article 20 where a Data Controller must supply an individual with a copy of their data in a structured, commonly used and machine-readable format and the individual has the right to ‘port’ that data without hindrance or delay. An individual has a right to require one Data Controller to transmit the data pertaining to them to another Data Controller where technically feasible. We will assist in supplying secure access or transmission solutions if the data porting applies to data we hold in our hosted environments.
We understand that our clients, as Data Controllers, must inform all Data Processors where the individual’s data is processed by IT / Applications / Storage systems that the individual has exercised their right to erasure. Controller and Processor inventories are critical to this right and in doing so BROOKNIGHT will co-operate with our clients to fulfil this obligation. To this aim and under Article 19 our clients, as the Data Controller, will inform us as the Data Processor or Sub Processor where the right to rectification /erasure / restriction have been exercised by the individual. The exemption to this is if it involves disproportionate effort. The Data Controller will inform the individual of all the recipients with whom their data has been shared and under Recital 66, where our Client as the Data Controller have shared individuals PII with BROOKNIGHT , will inform us as the Data Processor that such right has been exercised and the data subject’s PII is to be erased in any links to, or copies or replications of the personal data.
For the purposes of processing of PII which may result in a contravention of the GDPR (a data breach), BROOKNIGHT, as the Data Processor, and/or our Sub Data Processors, will determine if i) a breach is likely, and ii) there is a high risk to processing of the PII in the systems held outside of our clients IT infrastructure (e.g. hosted by our third party Sub Data Processors,) which could put at risk the rights and freedoms of data subjects, and we will ensure such technical measures are in place to identify, track, assess and report such breaches. We will report all contraventions regarding data security to our clients as Data Controllers. Where our client requires us as the Data Processor or our Sub Data Processor to carry out activities which could lead to a contravention of GDPR, we as Data Processor and our Sub Data Processors reserve the right to refuse such processing activities. Such security measures and reporting of data breaches will be dealt with in compliance with GDPR and, Articles 33 and 34 and Recitals 85, 86 and 87.
This includes addressing the reporting obligations to the individual (data subject) as well as to the Information Authority in the member state where the data is held and processed.
A Data Processor is defined in Article 4(8) as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controllers. Under the GDPR Recital 81 1-10 (a-h), a Data Controller shall only use Data Processors who provide sufficient guarantees to implement appropriate technical and organisational measures in order that their processing activities will meet the requirements of the Regulation and ensure the protection of individuals rights (data subject).
Engagement of Sub Data Processors and contractual obligations
It is understood by BROOKNIGHT, as a Data Processor, that we shall not engage a Sub Data Processor without the prior specific or general written authorisation of our clients as Data Controllers. Where BROOKNIGHT and/or the client as a Data Controller require services from a Sub Data Processor, each will consult and require demonstration of compliance under the GDPR by the Sub Data Processor. This will be in writing and each party will demonstrate compliance and record such in the contract and record any intended changes concerning the engagement, replacement or addition of a Sub Data Processor allowing time for the parties to object and/or agree. A Data Controller will require a full report and set of evidence from the Sub Data Processor regarding compliance with the GDPR as part of the written notification and will have the right to audit the main Data Processor as much as the Sub Data Processor. It is therefore understood by BROOKNIGHT that the relationship between their clients as Data Controllers and BROOKNIGHT as the Data Processor and our Sub Processors will be governed by a contract or other legislative laws in the EU or as part of UK law that is binding on the Data Processor / Sub Processor. The contract will set out, as a minimum:
It will also define and set the obligations and rights of the Data Controller. The contract or other legal agreement shall provide that the Data Processor and any Sub Data Processors:
Where the Sub Data Processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller. Both Data Processor / Sub Processor shall provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR. The Information Authority (Supervisory Authority) may adopt a standard contractual clause(s) for such purpose as set down in Article 63;
BROOKNIGHT as the Data Processor will not make any determination of the use of their clients’ PII as in doing so it would mean we would be a Data Controller.
Under Article 82, the right to compensation, any data subject who has suffered material or non-material damage because of a breach of the law shall have the right to receive compensation from the Data Controller and Data Processor for the damage suffered. The Data Processor shall be liable for the damage caused by the processing only where it has not complied with the obligations of the EU GDPR, Union and Member State Law. The Data Processor as much as the Data Controller shall be exempt from liability if they can prove that it is not in any way responsible for the event giving rise to the damage.
It is understood by BROOKNIGHT that either alone or jointly both the Data Controller and the Data Processor can be found liable for the entire damage to ensure effective compensation of the data subject affected. Where the Data Processor has paid full compensation for the damage suffered, it is entitled to claim back from the Data Controller or other Data Processor that part of the compensation corresponding to their part in the responsibility for the damage (Recital 50).
Legal action via the courts can be pursued by the damaged individual under the law of the Member State. The general conditions to impose fines will be managed by the applicable Information Authority in the country where the data subjects’ data is processed and/or where joint Information Authorities agree which concerned Authority will take the lead.
BROOKNIGHT have also taken note of the UK Digital Economy Act (DEA) as part of their GDPR compliance review and strategy as it covers a variety of different measures, one of which is the requirement to register with the Information Authority which will be based on the volume of data they process and the category of the data. This is yet to be translated by the Information Commissioner’s Office in the UK, but it is noted by BROOKNIGHT as a Data Controller processing employee and marketing data.
There are requirements for Data Controllers and Data Processors to ensure effective cyber security controls and awareness are in place. It brings in ‘Directors Responsibility’, which means personal liability of company directors for infringements of the Regulation and the forthcoming UK Data Protection Act 2018 of which the GDPR will form part. The DEA brings about the requirement to ensure compliance with the Regulatory Information Sharing Code of Practice regarding public sector data sharing. BROOKNIGHT will consider this code as part of their GDPR Strategy.
As part of our GDPR compliance review and strategy we have considered the Data Protection Bill, as the Bill exercises several agreed modifications to the GDPR to make it work for the UK. We shall be considering the requirement regarding data transfers of PII to non-EU countries (section 17) which restricts the sharing of data to a non-EU country or international organisation which cannot demonstrate adequate protections as set out in Article 45(3).
Special Categories of Personal Data (formally referred to as “sensitive personal data”) needs to be justified for processing without consent for employment and criminal convictions purposes – BROOKNIGHT may process such data for such purpose as an employer, and as a software and service provider as part of a system which will hold this data.
Age of consent to process children’s data as in the provision of information services (internet/social media/gaming), where it is proposed to be reduced from 16 years under the GDPR to 13 years under the UK Data Protection Bill 2018. Those under 13 will need parental/guardian consent: BROOKNIGHT will require their clients as Data Controllers to confirm consent prior to any processing activity being carried by BROOKNIGHT and our Sub Data Processors.
We have also taken note of the change in the Data Protection Bill to bring about under English Law the new offences of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and the altering of records with the intent to prevent disclosure.
BROOKNIGHT is working towards a programme of change to implement the GDPR regarding our products and services. BROOKNIGHT offer a set of software and service systems to the Retail, Health, Leisure, and Hospitality Sectors, and it is acknowledged that some of our solutions hold a volume of personal and special categories of data. Where our solutions are deployed and sit within our clients’ IT infrastructure, they are protected by and under our clients IT, Information Security and Data Protection compliance controls. Where our solutions are hosted by BROOKNIGHT we shall comply with this position statement and the provisions of GDPR and the forthcoming UK Data Protection Act 2018.
While BROOKNIGHT is not required to have a Mandatory Data Protection Officer under GDPR, we have decided to appoint one on a voluntary basis. You are also referred to our GDPR product Statement found on the BROOKNIGHT website which gives more details in relation to GDPR compliance and our software products.
End.
Brooknight Security Limited – 1st May 2024
If you are interested to learn more about our Risk Management Consulting services, or would like to discuss needs for your business, please get in touch using the form below.