GDPR Compliance

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.

It also addresses the export of personal data outside the EU. The GDPR aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU.

It was adopted on 27 April 2016 and applies from 25 May 2018, after a two-year transition period.

5pm Compliance

5pm have been compliant with large parts of the GDPR prior to the regulation coming into force. In those areas where 5pm is not yet compliant, actions are underway to ensure compliance by 25 May 2018. More details can be found in the roadmap below.

GDPR Roadmap

Relevant GDPR Article / Summary / Actions to be taken - Progress

Articles 1, 2, 3, 4

General summary & scope

5pm have read & understood

Article 5

Principles relating to processing of personal data

5pm have made sure that key decision makers are aware that the law is changing and have identified areas that could cause compliance problems under the GDPR.

5pm employees who handle personal data of other employees or customers will receive training to ensure that they handle such data in accordance with the GDPR.

Article 6

Lawfulness of processing: at least one of the following conditions must be satisfied for the processing of personal data to be lawful.
  1. Consent from the individual
  2. Performance of a contract with the individual
  3. Compliance with a legal obligation
  4. Protection of vital interests
  5. Public task
  6. Legitimate interests

5pm has:

  1. Audited the use of personal data to assess what lawful processing grounds it currently relies on and whether they remain valid under the GDPR.
  2. Trained staff so that they are aware of the lawful processing grounds.
  3. Begun the process of obtaining renewed consent.

Article 7

Conditions for consent. Where processing relies on the consent of the individual to the organisation holding his/her personal data, that consent must be:
  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented

5pm has reviewed its methods for seeking, obtaining and recording consent to ensure compliance, and has implemented explicit, affirmative consent through unticked check boxes and clear privacy policies.

5pm have audited all the actions that users can take, from signup to account deletion, and ensured that each step complies with the new rules on consent.

Article 8

Conditions applicable to a child's consent in relation to information society services

5pm are awaiting clarification from the DPO.

Article 9

Special categories of personal data (sensitive personal data), which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health (physical or mental), and data concerning a person's sex life or sexual orientation.

5pm do not collect or process this information and will not do so.

Article 10

Personal data relating to criminal convictions and offences or related security measures.

5pm do not collect or process this information and will not do so.

Article 11

Processing which does not require identification

5pm will examine every data subject's request with respect. However, where 5pm can demonstrate that it is not in a position to identify the data subject, the rights in Articles 15 to 20 do not apply unless the data subject provides additional information enabling identification, and 5pm's actions will be limited accordingly.

Articles 12-14

Transparency and privacy notices: the information required by Articles 13 and 14 must be given at the time the data is obtained from the data subject or, where the data is obtained from another source, within a reasonable period and at the latest within one month.

5pm are currently modifying their booking process to include clearer links to their privacy policy.

Articles 15-23

Rights of the individual to:

  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.

5pm will enable employees and customers to request the personal data the company processes about them. Trained personnel will respond to requests within one month of receipt (extendable by a further two months for complex or numerous requests, as Article 12(3) allows). Users will be able to request exclusion from any personalisation.

Article 24

Responsibility of the controller

5pm acts as a data controller and will implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the regulation.

Article 25

Data Protection by design and by default

Several guidelines will be applied during the software development process:

  1. Training - developers will be trained in data protection requirements
  2. Design - all design decisions will take into account the GDPR, including data minimisation and privacy-protective defaults
  3. Coding - development will use approved tools and frameworks
  4. Testing - test whether data protection and security requirements are implemented
  5. Maintenance - 5pm should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines and information to users and those affected by the software

Article 28

Processor obligations

5pm will comply with the legislation when processing data and will ensure that any third-party processors provide sufficient guarantees of compliance and are bound by a written contract containing the terms required by Article 28(3).

Article 30

Records of processing activities: all personal data processing activities shall be recorded.

Article 30(5) exempts organisations with fewer than 250 employees, which includes 5pm, but the exemption does not apply where processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data. That said, implementation of the rest of this roadmap should see 5pm comply with this article.

Articles 33-34

Personal data breaches

5pm will ensure that there are procedures in place to detect, investigate and contain personal data breaches, to notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and to inform affected data subjects without undue delay where the breach is likely to result in a high risk to them.

Articles 35-36

Data protection impact assessment and prior consultation

Not currently applicable, as the data processing done by 5pm is not considered likely to result in a high risk to individuals.

Articles 37-39

Appointment of a Data Protection Officer

A DPO is not mandatory for 5pm, but 5pm will train relevant staff in data protection matters.

Articles 40-43

Codes of conduct & certifications

5pm will comply with appropriate codes of conduct and certifications, including PCI DSS for payment card data (an industry standard rather than a GDPR-approved code of conduct or certification mechanism under Articles 40-43).

Articles 44-50

Cross-border data transfers

As a general rule, transfers of personal data to countries outside the EEA may take place if the European Commission has decided that the destination country ensures an "adequate" level of data protection. The Commission maintains the current list of countries covered by adequacy decisions.

5pm will:

  1. Identify and map all cross-border data flows.
  2. Examine and assess for each of these flows whether (i) the receiving country is an EEA Member State or deemed "adequate", (ii) if not, whether any "appropriate safeguards" have been put in place, and/or (iii) if not, whether any specific derogations apply.
  3. Adhere to approved codes of conduct / certification mechanisms.

Articles 51-99

The remaining articles cover:

  1. Independent Supervisory Authorities
  2. Cooperation and Consistency
  3. Remedies, Liability, and Sanctions
  4. Provisions relating to specific data processing situations
  5. Delegated Acts and Implementing Acts
  6. Final provisions

5pm have read and understood these articles.