RM and Transition to the GDPR

The General Data Protection Regulation (“GDPR”), which applies from 25 May 2018, is a regulation intended to strengthen and unify data protection for individuals within the European Union. It introduces new responsibilities for Controllers and Processors, extends the rights of data subjects and carries far tougher sanctions than the Data Protection Act 1998, which it will supersede.

This statement outlines RM’s approach and commitment to GDPR compliance.

RM has always taken its responsibilities towards data protection seriously. RM is the Controller for some sets of data, including but not limited to its employee data and the data of its consumer customers. It is also a Processor for customers, suppliers and other third parties, managing and processing personal data on their behalf. Both roles carry increased accountability and compliance obligations under the GDPR.

Since early 2017, RM has been undertaking preparations in order to become fully GDPR compliant in good time for May 2018. RM has established the RM GDPR Working Group, with membership drawn from across the RM Group, to oversee the transition work. The purpose of the RM GDPR Working Group is to: (a) examine existing security and data protection systems and processes; (b) identify the collection, usage, storage and disposal of personal data; and (c) report progress to the Group Security & Business Continuity Committee, which acts on behalf of the Board on all matters relating to security and data protection governance.

The Information Commissioner’s Office (“ICO”) has issued a number of guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. RM is using this guidance to structure its approach to the GDPR and data protection in general, and where necessary, will make the appropriate updates to policy and/or practice. RM will continue to review its approach to GDPR compliance in accordance with any guidance issued by the ICO in the future.

RM is, where necessary, amending its activities and associated policies and procedures in order to comply with the GDPR, following a thorough assessment by the RM GDPR Working Group.

For the purposes of this statement, “RM” and “RM Group” means RM plc (Reg No. 01749877), RM Education Ltd, RM Results (trading division), The Consortium for Purchasing and Distribution Ltd, TTS Group Ltd and West Mercia Supplies (trading division). See the latest RM plc Annual Report for further details about RM.

GENERAL FAQs

Q. Does RM have plans to change and reissue contracts/terms and conditions before May 2018 in light of the change in data protection legislation?
A. RM is using the ICO’s transition guidance to review its legal and contractual obligations and will make any necessary amendments to policy or practice. As part of this work, we will be updating both our Privacy Policy and the Terms & Conditions relating to our products and services. These changes will be completed by 25th May 2018.

Additionally, we are conducting a review of existing negotiated contracts and, should any amendment be required, we will engage with customers and suppliers to agree such changes.

Q. Is RM’s Privacy Policy compliant with the GDPR?
A. RM is using the ICO’s transition guidance to review its legal and contractual obligations and will make any necessary amendments to policy or practice. As part of this work, we will be updating our Privacy Policy, which will be uploaded onto our website on or before 25th May 2018.

In addition, the PECR (Privacy and Electronic Communications Regulations), which set additional requirements for how organisations use cookies, are expected to be replaced during 2018 by the ePR (e-Privacy Regulation). RM will make any required amendments to its Cookies Policy and practice in the light of this legal change.

Q. Are RM’s processes relating to obtaining and managing consent compliant with the GDPR?
A. RM is using the ICO’s guidance on consent, issued as part of its GDPR transition guidance (including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”), to review how it obtains and manages consent. Where current practice is deemed not to be compliant with the GDPR, it will be changed.

Q. Is RM’s use of cookies compliant with the GDPR?
A. RM is using the ICO’s GDPR transition guidance to review its legal and contractual obligations and will make the necessary amendments to policy or practice, including how we use cookies on our websites and customer-facing platforms. Where current practice is deemed not to be compliant with the GDPR, it will be changed. Our Cookies Policy is also being reviewed and will be updated as appropriate.

In addition, the PECR (Privacy and Electronic Communications Regulations), which set additional requirements for how organisations use cookies, are expected to be replaced during 2018 by the ePR (e-Privacy Regulation). RM will make any required amendments to its Cookies Policy and practice in the light of this legal change.

Q. Does RM have a Data Protection Officer?
A. RM has appointed a Data Protection Officer, who can be contacted at dataprotection@rm.com

Q. Does RM have a Data Protection Policy?
A. The Data Protection Policy can be downloaded here.

Q. Where does RM store customer data?
A. RM stores customer data in secure data centres within the EEA.

Q. How long does RM retain customer data?
A. RM retains customer data in accordance with contractual requirements, its Privacy Policy and product Terms and Conditions. In addition, specific products allow customers to determine and implement their own data retention periods for their data.

Q. How does RM ensure compliance with individuals’ rights under the GDPR?
A. RM’s Data Protection Policy summarises RM’s approach. If, for example, an individual or customer believes that their data held by RM is inaccurate in some way, then RM will investigate this, and where required, rectify any confirmed inaccuracies. Processes for data retention, data erasure, data rectification, etc. may vary between different products and services.

Q. How will RM respond to a Subject Access Request from a customer?
A. Where a data subject makes a SAR, or a Controller asks RM to support it in responding to a SAR, the response will be determined by a number of factors, e.g. the nature of the data to be retrieved and the type of system or systems in which the data is stored. RM’s SAR process takes account of the revised timescales (a response within one month of receipt, rather than the 40 days allowed under the Data Protection Act 1998) and obligations under the GDPR.

Q. Does RM share customer data with third parties?
A. Customer data is shared with third parties where this is required by contract or is necessary to provide specific services. The details of where data is shared are set out in the Privacy Policy and in product Terms and Conditions.

Q. What technical and non-technical controls does RM use in order to ensure data security?
A. RM has a Group Information Security Framework, based on ISO 27001, the international standard for information security management. In addition, a number of business units are certified to ISO 27001:2013.

A wide range of technical controls are used, including but not limited to:

  • Data encryption
  • Anti-virus and anti-malware software
  • Network monitoring
  • Access management
  • Vulnerability scanning and penetration testing

A wide range of non-technical controls are used, including but not limited to:

  • Physical security controls at RM offices
  • Security policies, including Data Classification & Handling, Data Protection, etc.
  • Security training

The implementation of such controls may vary between specific products and services.

RM Education

Q. What is RM Education doing to ensure that it is compliant with the GDPR?
A. RM Education is part of the RM Group and is participating in a Group-wide GDPR Transition Programme. This Programme is using the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.

RM Education applies a range of data protection and information security controls in accordance with Group security policies. In addition, ISO 27001:2013 certification is maintained by two of its business areas: Connectivity Services and RM Unify.

During 2018, a new Group Information Security Framework is being implemented across the RM Group, including RM Education. Adherence to the Framework will be audited by a central compliance function.

Product queries

Q. What is RM doing to ensure that RM Integris supports compliance with the GDPR?
A. For details on RM Integris please click here.

Q. What is RM doing to ensure that RM Unify supports compliance with the GDPR?
A. For details on RM Unify please click here.

RM Results

Q. What is RM Results doing to ensure that it is compliant with the GDPR?
A. RM Results is a trading division of the RM Group and is participating in a Group-wide GDPR Transition Programme. This Programme is using the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.

RM Results’ e-assessment and data management business is based on long-term contracts with a range of governmental and non-governmental organisations. These contracts set out specific requirements for data protection and information security. Where necessary, contracts will be updated to reflect the replacement of the Data Protection Act 1998 by the GDPR.

As a data management business, data security is critical to RM Results. RM Results is certified to ISO 27001:2013, the international standard for information security management. The certification covers all products and services. Key suppliers, such as scanning partners and hosting providers, are also certified to ISO 27001:2013.

Further information on specific products and services is available on request.

TTS Group Ltd (“TTS”)

Q. What is TTS doing to ensure that it is compliant with the GDPR?
A. TTS is part of the RM Group and is participating in a Group-wide GDPR Transition Programme. This Programme is using the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.

TTS applies a range of data protection and information security controls in accordance with Group security policies. In addition, TTS ensures that it maintains PCI DSS compliance in order to protect card payments.

During 2018, a new Group Information Security Framework is being implemented across the RM Group, including TTS. Adherence to the Framework will be audited by a central compliance function.

The Consortium for Purchasing and Distribution Limited (“The Consortium”)

Q. What is The Consortium doing to ensure that it is compliant with the GDPR?
A. The Consortium is part of the RM Group and is participating in a Group-wide GDPR Transition Programme. This Programme is using the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.

The Consortium applies a range of data protection and information security controls in accordance with Group security policies. In addition, The Consortium ensures that it maintains PCI DSS compliance in order to protect card payments.

During 2018, a new Group Information Security Framework is being implemented across the RM Group, including The Consortium. Adherence to the Framework will be audited by a central compliance function.

West Mercia Supplies

Q. What is West Mercia Supplies doing to ensure that it is compliant with the GDPR?
A. West Mercia Supplies is a trading division of the RM Group and is participating in a Group-wide GDPR Transition Programme. This Programme is using the ICO’s guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now”. For further information on this, please refer to the General FAQs section.

West Mercia Supplies applies a range of data protection and information security controls in accordance with Group security policies. In addition, West Mercia Supplies ensures that it maintains PCI DSS compliance in order to protect card payments.

During 2018, a new Group Information Security Framework is being implemented across the RM Group, including West Mercia Supplies. Adherence to the Framework will be audited by a central compliance function.

Enquiries

All enquiries about individual GDPR matters should be made to our Group Data Protection Officer.
Please email dataprotection@rm.com
