Totalmobile – our approach to Data Protection on Brexit

The transition period for Brexit ended on 31st December 2020. This statement outlines Totalmobile’s approach to Brexit and our continued commitment to data protection.

The GDPR came into effect on 25 May 2018 across all Member States of the European Union and the European Economic Area (“EEA”). It is now generally recognised that the GDPR significantly increases compliance and accountability standards for organisations, as well as strengthening the enforcement powers of regulators and the rights of individual ‘data subjects’. The GDPR is concerned with the processing of personal data. ‘Personal data’ is any information which can directly or indirectly identify an individual, and ‘processing’ is anything which an organisation does with personal data, including merely storing it.

The UK has adopted the GDPR into law, under the Data Protection Act 2018 (the DPA). Provisions for the GDPR as well as the DPA continue to remain in force, post Brexit.

How does Data Protection apply to Totalmobile?

Totalmobile processes the personal data of its clients, partners, employees, business contacts, office visitors etc. We undertake these processing activities in the role(s) of independent controller, processor and/or joint controller depending on the work and line of business in question. We have put in place systems and controls in line with the differing requirements on these respective categories and have advised our teams accordingly. We have worked hard to build a comprehensive data protection compliance programme, ensuring our internal business units are continually educated and assessed regarding our compliance. We are dedicated to working with our clients to help ensure that we and you meet our respective regulatory requirements.

How does Totalmobile meet the requirements of Data Protection?

Even before the GDPR and DPA came into force, Totalmobile took data protection and privacy very seriously. We have specific resources assisting the various corporate and business teams with their compliance to help ensure managing privacy risk is at the heart of everything we do. The following summarizes the primary data protection compliance efforts that have been implemented by Totalmobile as part of the GDPR compliance programme:

  • Development of a governance structure for oversight of GDPR compliance, including but not limited to the creation of a Privacy Steering Committee and a Privacy Working Group;
  • Appointment of a Data Protection Officer supported by a network of professionals necessary to meet our compliance needs (where required);
  • Review of our externally-facing privacy notices, data protection policies, and our procedures for GDPR and DPA compliance including, for example, the data subject request procedure;
  • Implementation of an internal education and awareness programme through creation of internal training materials, resources and points of contact and a comprehensive data protection training programme (see below);
  • Compilation of records of data processing and Data Protection Impact Assessments; and
  • Coordination with clients, partners and suppliers (acting as processors or sub-processors) to update existing contracts and contract templates. We are committed to ensuring ongoing compliance in line with the principles of Brexit, to fully embed a culture of privacy within our organisation and continually review and enhance our systems, controls and processes.

Our Data Protection Officer is Scott Boyle, scott.boyle@totalmobile.co.uk.

What technical controls does Totalmobile have in place to protect the security of personal data?

Totalmobile maintains appropriate security measures for both personal data and confidential company and client data globally. We adhere to Information Security Standards to mitigate against the risk of a compromise to the confidentiality, integrity, and availability of our information assets. For example:

  • client data is held on systems with physical access controls that meet or exceed industry standards for security;
  • Totalmobile standard encryption tools are implemented where personal data is transmitted across public networks and portable handheld devices; and
  • third party suppliers are assessed based on various criteria such as type of service and data handled.

How does Totalmobile deal with security incidents?

Totalmobile has a global Cyber Security Incident Response Plan (“CSIRP”) for identifying and managing cyber security threats, including those with the potential to adversely affect information security and data privacy, globally. The CSIRP defines the roles and responsibilities of our stakeholders involved with responding to cyber security events, severity levels, and threat categories, and outlines a process for incident management, including escalation and communication procedures to supervisory authorities, data subjects, and clients, as appropriate. The CSIRP is reviewed and tested annually.

Does Totalmobile transfer or hold any client data outside of the EEA?

Totalmobile is a multi-disciplined organisation operating numerous business activities related to mobile workforces. At this time, all of our data is held within the EEA, however, we inevitably work with organisations who do transfer data outside of the EEA. When making these transfers, we will take steps to ensure that such personal data is adequately protected and transferred in accordance with the requirements of data protection law, including case law. For example, as part of its privacy compliance framework, Totalmobile carries out Transfer Impact Assessments where data is transferred outside of the EEA and additionally puts in place the European Standard Contractual Clauses.

The EU has agreed to delay transfer restrictions related to personal data for at least four months, which can be extended to six months, from 31st December 2020. The UK Government are seeking adequacy decisions from the European Commission and in the event that an adequacy agreement is not reached, Totalmobile are committed to putting in place alternative safeguards.

 

 

What education and training does Totalmobile provide to employees?

We ensure that new employees receive information on and training in adhering to data protection legislation and Totalmobile policies. Current employees receive this training at least annually with the aim of refreshing their knowledge, informing them about any new requirements and sharing common experiences. The training includes a particular focus on key elements such as recognizing and reporting a potential personal data breach, recognizing and properly addressing a data subject request, and the proper methods for transfers of personal data outside of the EEA.