Lexonis and GDPR

What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive (DPD) and came into effect on 25th May 2018. The purpose of GDPR is to strengthen the protection of personal data of EU citizens and to increase the obligation on organisations who collect or process personal data through a unified data privacy policy.

Lexonis and Data Protection

Lexonis maintains, and regularly reviews, a complete register of all the personal information data that it either controls, or processes on behalf of other controllers, and of all suppliers acting as processors, or sub-processors of this data. Against this register are stored additional details about the data storage location, lawful basis for processing and what data subject rights apply to what sorts of record.

Overview of Lexonis and GDPR

Lexonis has undertaken a detailed analysis of its obligations as a data controller, and identified areas in which it can, as a data processor, support its clients to fulfil their data controller responsibilities. Lexonis has built its whole GDPR compliance process into its ISO 27001 certified Information Security Management System (ISMS) to ensure a cohesive, best practice approach to information security and ongoing, independent scrutiny of its data security practices.

What is Lexonis doing about GDPR?

Data Controller/Processor

Lexonis applications store and process data provided by individuals (users) designated by the clients for whom the application has been set up. As such, Lexonis acts as a Data Processor for the client Data Controller. Lexonis applications are designed to support clients in meeting their responsibilities as Data Controllers.

The GDPR additionally lays out a set of requirements which must be included in all contracts governing data processing. Lexonis has drawn up a number of GDPR-compliant addenda which are included in all contracts. Additionally, Lexonis, as part of its ISO 27001 certified Information Management System, carries out regular supplier reviews to ensure that its sub-processors adhere to equivalent contractual standards.

Lawful Basis for Processing

Where Lexonis acts as a Data Controller, it only stores and processes personal information according to an appropriate lawful basis for doing so. Where Lexonis acts as a Data Processor it only processes personal information in accordance with written instructions from the relevant Data Controller. Clients acting as Data Controllers will need to provide their own separate lawful basis for providing this data for processing (legitimate business interests, consent etc.).

Data Subject Rights

The GDPR provides protection for a number of rights for individuals with regard to their data. Lexonis applications are designed to support, where possible, Data Controllers in meeting these requirements. These rights and Lexonis’ position regarding them are described below:

  • The Right to be Informed: Not relevant. As Data Processors Lexonis cannot provide the relevant assurances/information in the place of the Data Controller.
  • The Right of Access: Information held about a user can always be accessed by users via self-service.
  • The Right to Rectification: Incorrect information held about a user can be corrected by the user accessing the site and editing the data, or by a Customer Administrator doing so.
  • The Right to Erasure: Lexonis applications support a Force Delete of Users. This will delete all data associated with the user record.
  • The Right to Restrict Processing: Lexonis application user records can be set to Inactive by a Customer Administrator. Inactive users cannot log in and are only visible through the Admin-only list of Users (i.e., not shown in reports, analysis reports, to Managers etc.).
  • The Right to Data Portability: User records and their associated assessment profile can be exported into Microsoft Excel format by a Customer Administrator.
  • The Right to Object: Not relevant. No user data held by Lexonis applications belongs to any of the categories under which individuals can object to their data being processed in this way.
  • The Right not to be Subject to Automated Decision-Making: Not relevant. Lexonis applications do not undertake any automated decision-making which produce either legal, or similarly significant results.

Data Breach Processes

As part of Lexonis’ ISO 27001 certified ISMS, Lexonis operates a documented Information Security Incident process to detect, report and investigate breaches of personal data. In the event of a data breach Lexonis will inform the Information Commissioner’s Office and the client with details of the breach, and with further information about corrective action, root cause analysis and future preventative action as relevant.

Data Protection by Design

Lexonis’ ISO 27001 certified ISMS ensures that data protection is integrated into all aspects of business operations. Of particular relevance are controls relating to the Development Lifecycle, Hosting Requirements and Cryptography, covering security-minded design, development according to principles of secure engineering, security testing during Quality Assurance, secure hosting facilities and encryption of data-at-rest and in transit.

Data Protection Officer

Ben Hedges is Lexonis’ designated Data Protection Officer, and is a member of its Information Security Committee.

GDPR and Your Business

Every business is different, and your business requirements under GDPR may differ to those for other companies. There are a number of official resources that provide useful information regarding GDPR which you may find useful:

Information Commissioner’s Office on GDPR

European Commission Data Protection Policies

EU GDPR Portal Site