GDPR Statement – IC Group LP
Effective: May 25, 2018
What is it?
The General Data Protection Regulation (GDPR) is a European privacy law approved by the European Commission in 2016 and effective as of May 25, 2018. The GDPR is an attempt to strengthen and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data.
The GDPR’s data protection principles include requirements such as:
Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
Personal data should only be collected to fulfill a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.
Personal data should be held no longer than necessary to fulfill its purpose.
People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.
Why is it important?
GDPR adds some new requirements regarding how companies should protect individuals’ personal data that they collect and process. IC Group LP (“ICG”, “IC Group”) is committed to ensuring that the rights of individual data subjects are respected. To this end, we have implemented, improved, and will continue to review, numerous stringent technical and organizational measures to protect all personal information processed by IC Group.
Training and Awareness
We are committed to providing ongoing training to our employees, contractors, and agents with regard to data protection awareness, and our obligations to customers and data subjects.
We will continue to develop our internal awareness training program and policies, to ensure that everyone at IC Group understands and remains up to date on our responsibilities.
All processing of data by IC Group will be done on one of the lawful bases allowed by the GDPR: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be recorded and stored.
Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent will always be clearly available.
IC Group shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Individual Data Subject’s Rights – Data Access, Portability and Deletion
IC Group is committed to helping our customers meet the data subject rights requirements of GDPR. These include individuals’ rights to access, correct, and erase their personal information, to restrict or object to the processing of their personal information, and to have us transfer personal information in a portable format.
Accuracy: We will take reasonable steps to ensure that personal data is accurate.
Return or destruction of data: We shall consider what data should/must be retained, for how long, and why. We have processes in place to routinely and securely dispose of personal data that is no longer required. When personal data is deleted, this is done in such a manner that the data is unrecoverable.
Please note that the exercise of these data subject rights may be subject to certain restrictions for regulatory or legal reasons. However, you do have the right to complain to a supervisory authority about our practices.
IC Group expects our vendors to have measures in place which are no less stringent than those required by our customers (with regard to such matters as staff training, data retention, data destruction, data access and breach reporting), and we require this to be expressed contractually.
Data Security and Data Protection Impact Assessments
IC Group management and employees shall continue to demonstrate support for data protection legislation and promote a positive culture of data protection compliance.
We shall maintain an appropriate data protection policy, and we will conduct regular assessments of the data protection measures we have in place.
We understand that it’s essential to continue to identify, assess, and minimize data protection risks. This is an ongoing process. We will continue to execute our risk assessment process as we evolve and expand our services.
IC Group is proud to be Payment Card Industry Data Security Standard (PCI DSS) certified as a Level 1 Service Provider. We have achieved and held our PCI compliance annually, year over year, since 2011. This means that we undergo independent audits of our data center, processes, and procedures by accredited Qualified Security Assessors (QSA) to verify our compliance. This annual effort allows us to offer hardened networks and systems, secure processes and procedures, and peace of mind to our customers as we host their programs and data.
We will always ensure that access to personal data is limited to personnel who need access and appropriate security is always in place to avoid unauthorized sharing of information.
Appropriate back-up and disaster recovery solutions are also in place.
We have a breach management and communication plan in place. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, IC Group will promptly assess the risk to people’s rights and freedoms and take the appropriate actions.
Let us know
We are working with our customers to answer any questions and address any concerns regarding how we protect personal data. If you have any questions, please don’t hesitate to reach out.