Risk Ledger and the GDPR
GDPR Data Protection Act 2018
Written by Haydn Brooks
Created on March 16, 2020
Modified on November 24, 2020

About

This paper provides information about compliance with GDPR (the Data Protection Act 2018) for organisations implementing the Risk Ledger platform.

On-boarding process and inviting suppliers

During the onboarding process, Clients are asked to provide a list of their suppliers and contact email addresses for Risk Ledger to send invites to. At this stage Risk Ledger is the data processor (with the client being the data controller) and the data is processed using the legitimate interest lawful basis for processing.

As we only collect a small amount of personal data that will have a minimal impact on the data subjects' privacy (email and name of the point of contact at the supplier), and the data is to be used in an expected way (for sending an invite to onboard the supplier onto the platform), the legitimate interest lawful basis is appropriate and direct supplier consent is not required. The assessment for this is provided at the end of this page.

This is no different from an organisation using a CRM tool, supplier management tool, or payments tool to manage their supply chain.

After supplier on-boarding

Once the supplier has completed their on-boarding with Risk Ledger, Risk Ledger becomes the data controller. All organisations on the Risk Ledger platform will have agreed to our platform's Terms and Conditions and Privacy Notice (as such, the contract is between each supplier and Risk Ledger and no longer involves the client) and given consent to have their personal data stored on the platform.

Within the platform no data is shareable until the organisations have consented to sharing it. For example, if a client makes a connection request to a supplier, the supplier has to accept the connection request (thereby consenting to the sharing of the information) before any data is shared.

Legitimate Interests Assessment (LIA)

This LIA has been completed to record the reasoning behind the legitimate interest basis for processing personal data during the supplier onboarding process for clients using Risk Ledger. The questions have been taken from the ICO template.

Part 1 – Purpose Test

  • Why do you want to process the data?
  • What benefit do you expect to get from the processing?
  • Do any third parties benefit from the processing?
  • Are there any wider public benefits to the processing?
  • How important are the benefits that you have identified?
  • What would the impact be if you couldn’t go ahead with the processing?
  • Are you complying with any specific data protection rules that apply to your processing (e.g. profiling requirements, or e-privacy legislation)?
  • Are you complying with other relevant laws?
  • Are you complying with industry guidelines or codes of practice?
  • Are there any other ethical issues with the processing?

The personal data requested of each client is the name and email of a point of contact at each Supplier that is to be included in their assurance programme. The data will be processed to send invites out to the relevant points of contact to allow their organisations to join the Risk Ledger platform.

Processing the data increases the speed at which assurance can be collected from each supplier and offers each supplier a tool to help reduce the number of assurance questionnaires they must complete each year. If we could not go ahead with the processing, we would have no way of inviting organisations onto our platform, which is critical for the functioning of our business.

There are no specific data protection rules (other than those covered under the Data Protection Act 2018) that apply to our processing activities. All relevant laws are complied with, and we also comply with industry best practice with regard to both security and privacy. There are no ethical issues associated with the processing.

Part 2 – Necessity Test

  • Will this processing actually help you achieve your purpose?
  • Is the processing proportionate to that purpose?
  • Can you achieve the same purpose without the processing?
  • Can you achieve the same purpose by processing less data, or by processing the data in another more obvious or less intrusive way?

Processing the personal data enables us to send invites to organisations inviting them to use our platform, Risk Ledger. We take the minimum amount of personal data required to fulfil this processing activity (name and email) and could not achieve this objective without processing the data in some way.

The processing is proportionate to the purpose (the data is used to send an invite and is not stored on our systems for longer than 1 month).

Part 3 – Balancing Tests

Nature of the Personal Data

  • Is it special category data or criminal offence data?
  • Is it data which people are likely to consider particularly ‘private’?
  • Are you processing children’s data or data relating to other vulnerable people?
  • Is the data about people in their personal or professional capacity?

The only data we collect is a user’s name and email address. This data is not likely to be considered private by the individuals, and we only process it for the specific purpose of inviting them onto our platform.

Reasonable Expectations

  • Do you have an existing relationship with the individual?
  • What’s the nature of the relationship and how have you used data in the past?
  • Did you collect the data directly from the individual? What did you tell them at the time?
  • If you obtained the data from a third party, what did they tell the individuals about reuse by third parties for other purposes and does this cover you?
  • How long ago did you collect the data? Are there any changes in technology or context since then that would affect expectations?
  • Is your intended purpose and method widely understood?
  • Are you intending to do anything new or innovative?
  • Do you have any evidence about expectations – e.g. from market research, focus groups or other forms of consultation?
  • Are there any other factors in the particular circumstances that mean they would or would not expect the processing?

No direct existing relationship exists between the individuals and Risk Ledger until they have completed our sign-up flow. We only use the data to invite them onto our platform. Once they have completed the sign-up flow they will have agreed to our Terms and Conditions and Data Privacy Notice and we will be the data controller for any personal data collected at that point (the only personal data we collect is an authorised user’s name, email, and mobile number).

The data was obtained from each supplier’s clients and they will have been told via an email about the process and have been given the option to ignore the invite email and opt out of using the Risk Ledger platform. Our intended purpose and methods are widely understood and in no way pose a risk to the privacy of each individual.

Our data processing does not include any new or novel techniques.

Likely Impact

  • What are the possible impacts of the processing on people?
  • Will individuals lose any control over the use of their personal data?
  • What is the likelihood and severity of any potential impact?
  • Are some people likely to object to the processing or find it intrusive?
  • Would you be happy to explain the processing to individuals?
  • Can you adopt any safeguards to minimise the impact?

The impacts of a data breach are minimal as the only data we hold are subjects’ names and business email addresses, both of which are generally not considered private information. Individuals will not lose any control over the use of their personal data.

The likelihood and severity of any impact are low. The data is unlikely to be found intrusive, and Risk Ledger would be happy to explain this processing to individuals in full.

All relevant safeguards have been adopted – the data is encrypted, and strong identity and access management controls are applied. The platform undergoes frequent security testing and Risk Ledger is Cyber Essentials certified.

Outcome

Can you rely on legitimate interests for this process? Yes

LIA completed by: Haydn Brooks, CEO, 10/02/2019. Updated 16/03/2020.

No DPIA is needed.