Frequently Asked Questions (FAQ) about Resilience Institute’s (Resilience) GDPR Compliance
The General Data Protection Regulation (GDPR) is a comprehensive European data protection law that provides greater data rights for individuals and increases compliance responsibilities for organizations. At its core, the GDPR grants EU residents greater control over their personal data and gives national regulators new powers to impose significant fines on organizations that breach this law.
Resilience is committed to complying with applicable data protection laws. Keeping users’ information safe, secure and private is among our highest priorities at Resilience, and our GDPR commitment reflects that.
Resilience is taking a global approach to the GDPR to help ensure users benefit from increased control and clarity, which is in line with our commitment to putting our users first and working every day to maintain the trust they put in us. You can learn more about how we comply with GDPR in the FAQs below.
- Identity and contact details of the data controller. Resilience also includes contact details for the Data Protection Officer.
- The purposes of personal data processing and the legal basis for processing.
- Recipients, or categories of recipients, of the personal data such as data processors.
- Details of data transfers outside New Zealand, including how the data will be protected.
- The retention period for the data and the criteria used to set that period.
- A statement that an individual has a right to access and to transfer data to another controller (right of data portability), to rectify, erase and restrict processing of their personal data, to object to processing and, if processing is based on consent, to withdraw consent.
- A statement that an individual has a right to file complaints to a supervisory authority.
2. What Types of Personal Data is Being Collected and Processed?
3. What are Users’ Rights Under the GDPR?
Users have the following rights under the GDPR:
- Right to Information
- Right to Access
- Right to Object
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
4. Does Resilience Have a Subject Access Request (SAR) Process in Place?
Resilience has a formal subject access request process in place. Designated employees with defined roles and responsibilities handle the SAR process. The process records what action was taken for each request, providing an auditable log of the organization’s actions. This helps to demonstrate accountability, transparency, and management of the SAR process.
5. Does Resilience Keep a Record of Processing Activities?
Resilience maintains a Record of Processing Activities covering its regular and core business functions.
Resilience documents the following information:
- The name and contact details of the organization (and where applicable, of other controllers, your representative, and data protection officer).
- The purposes of data processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of transfers to third countries, including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of technical and organizational security measures.
6. What is Resilience’s Legal Basis for Processing Personal Data?
Resilience has identified the lawful basis for processing the personal data it holds. Resilience relies on “legitimate interest” and “consent” as its lawful bases for processing personal data. Resilience does not process special categories of personal data.
Resilience keeps records of how and why consent was given. Resilience is able to demonstrate the following:
- Who consented
- When they consented
- What they were told at the time
- How they consented
- Whether they have withdrawn consent
7. What Sub-processors are Used to Carry Out Resilience Services?
Resilience has a list of sub-processors.
8. Does Resilience Process Children’s Data?
Children’s data is not collected or processed, except in limited pilot programs within New Zealand, with the permission and authorization of school authorities and parents.
9. Does Resilience Implement an Incident Management Program?
Yes, Resilience has an Incident Management Program in place. We will promptly inform you of incidents involving your customer data in line with the data incident terms in our agreements with you. We maintain and continue to invest in advanced threat detection and prevention technologies, as well as a rigorous 24/7 incident management program, to help you identify and respond to security or privacy events without delay and with the information available.
Resilience also notifies data protection authorities of a personal data breach within 72 hours of becoming aware of it. When notifying data protection authorities of a data breach, this will include describing the nature of the personal data breach, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned.
10. Has Resilience Implemented Data Protection by Design?
We are well placed to meet the security requirements of the GDPR. Our services are backed by robust, state-of-the-art technical and organizational safeguards and dedicated security and privacy teams, and our program is reviewed by third-party auditors. Key areas in building data protection into the development of systems and processes include:
- Transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
- The ability to search for, extract, correct/update, delete, and restrict processing of personal data.
- The ability to identify individuals who have access to (and have accessed) personal data, and third parties who have been provided with personal data (including an ability to access personal data).
11. Are Data Protection Impact Assessments Being Completed?
We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide requirements including those in the GDPR around Privacy by Design and Privacy by Default.
12. How to Contact Resilience’s Data Protection Officer?
13. Is an International Transfer Safeguard Implemented?
Territories outside of the European Economic Area (EEA) are classed as “third countries.” Transfers to third countries are only permitted in specific circumstances, the most straightforward being where the European Commission has determined that the country has an adequate level of data protection. This is referred to as a data transfer to a third country on the basis of ‘adequacy.’ New Zealand is recognized as having an adequate level of protection and currently benefits from an adequacy decision.