Bodyshocker takes data protection and people's privacy very seriously, and we are committed to our clients' data security and to complying with GDPR data protection laws.
The General Data Protection Regulation (GDPR) creates consistent data protection rules across the EU. The GDPR became effective on 25th May 2018 and applies to companies based in the EU, as well as to companies around the world that provide or offer goods or services to, or process data from or about, people in the EU.
Preparations have been under way since March 2017 to ensure that our services comply with GDPR and to give you the peace of mind that your client data is safe and secure.
We are committed to transparency, control and accountability.
- Transparency: Our Data Sharing Agreement and data privacy policies will remain the single consolidated place that maps out the ways in which we process client personal data in accordance with GDPR legislation.
- Control: We undertake Privacy Impact Assessments (PIAs) for each of our processing operations on a regular basis and provide in-depth data security training to all Bodyshocker employees. Service providers are required to sign our Data Sharing Agreement and are subject to regular spot checks to ensure GDPR compliance.
- Accountability: We undertake quarterly risk assessments and are audited each year by the British Assessment Bureau, which includes updating our existing compliance programme to ensure that we are adequately documenting our GDPR reviews and compliance procedures. We are also registered with the ICO, the UK GDPR regulator.
In practical terms, we have implemented the following:
Data Transfer and Storage
- All personal customer data transferred between ourselves and our clients or service providers is sent through ShareFile. ShareFile encrypts all data in transit and at rest, uses servers within the EU, and is a member of the US-EU Data Shield Agreement.
- Internally, all client personal data is stored within an access-restricted and encrypted environment. All personal computers that require access to personal data to fulfil client processing are also encrypted.
- Client personal data is only shared with service providers once they have signed our Data Sharing Agreement and have agreed to spot checks on their data procedures, so that we can satisfy ourselves that they have adequate GDPR-compliant processes.
- All client personal data is systematically destroyed within 30 days of processing completion, and each deletion is recorded in the data transfer deletion log.
- All Bodyshocker employees receive data security training and regular GDPR updates to ensure a good working knowledge of data risks and compliance procedures.
- No personal data may be transferred internally by email or memory stick.
- Any hard copies of personal data are securely shredded by a registered document shredding service.
- Automatic screen-saver locks and forced password changes are in place on all computers.
What this means for business
You can continue to use Bodyshocker as your supplier in the same way you do today, safe in the knowledge that we are committed to compliance with the laws that apply to data privacy and with GDPR legislation.