Pulsar Group on GDPR

Corporate Entity

This General Data Protection Regulation Evidence Pack covers the following corporate entities:

  • Pulsar Group (formerly Access Intelligence)
  • Access Intelligence Media Comms (AIMC) trading as Vuelio
  • Access Intelligence Media Data (AIMD) trading as Vuelio
  • Fenix Media trading as Pulsar
  • ResponseSource Ltd

All operating from 10 Bloomsbury Way, London WC1A 2SL

In this document, these corporate entities will be collectively referred to as “Pulsar Group”.

1. Introduction to GDPR

The EU General Data Protection Regulation (EU GDPR) came into effect on May 25th, 2018 and reshaped the data protection laws of all 28 countries in the European Union. This affected the operating procedures and systems of all organisations which process personal data. On 31st December 2020, the UK left the EU (“Brexit”) and retained EU GDPR in domestic law, but the UK now has the independence to keep the framework under review.

The UK General Data Protection Regulation (UK GDPR) is part of the new data protection landscape that includes the Data Protection Act 2018 (the DPA 2018). The UK GDPR sets out requirements for how organisations need to handle personal data. The UK GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. The key principles, rights and obligations remain the same.

Pulsar Group deals with a large quantity of personal data and closely follows this legislation; as such, we are fully prepared to meet the requirements outlined within the Regulation and can demonstrate safe and secure personal data management practices across all areas of the business.

Article 5 of the Regulation sets out the principles relating to the processing of personal data: how it should be processed, for how long, which restrictions are needed, and details of the safeguards which are in place to prevent misuse. The Data Controller and Data Processor both need to demonstrate full compliance with the Regulation – to evidence this, Pulsar Group has prepared this document to communicate our position on the major points of the GDPR and to provide ready context for Clients interested in their own preparedness.

Article 6 of the GDPR states that personal data processing can only take place if one (or more) of six legal bases defined within the Regulation has been established by a Data Controller.

Clients are Data Controllers in their own right and are processing personal data in our products for their own purposes.

We are also Data Controllers when we collect and update personal data in our products, using Legitimate Interests as the legal basis for the provision of this data for Clients to communicate with these individuals.

However, we would be a Data Processor for any personal data the Client added to the product. This personal data would be processed using Contract as a legal basis and according to formal data processing agreements between both parties.

ICO registration certificates are as follows:

2. Data Protection by Design and by Default

One of the core guiding principles of the General Data Protection Regulation is the requirement for “data protection by design and default”. Outlined in Article 25 of the Regulation, this is demonstrated through Pulsar Group’s commitment to implementing a framework of appropriate technical and organisational measures which will ensure effective data protection, and only undertaking the processing of personal data that is necessary for a specific task at a given time. Technical measures include designing out any potential software or development vulnerabilities, limiting access to personal data repositories within all Pulsar Group platforms, security and penetration testing of applications, as well as providing means for the Client to comply with their own personal data retention and disposal requirements.

3. Data Protection Impact Assessments, Risk Mitigation and the Confidentiality, Integrity and Availability of Information

Data Protection Impact Assessments (DPIA) are highlighted within the GDPR as necessary when the controlling or processing of personal data is likely to present a high risk to the rights and freedoms of a data subject. The Data Controller is required to conduct and record these assessments prior to commencing the processing of personal data, and in doing so will highlight and mitigate any risks that need to be addressed.

Pulsar Group has undertaken Data Protection Impact Assessments (DPIA) against all key data processing activities, and these will be reviewed annually (at a minimum) to ensure that they remain current and relevant. In addition, Pulsar Group reviews the confidentiality, integrity and availability of all data under its control, and records those reviews in formal risk assessments which are externally validated as part of our ISO 27001 certification.

4. External Validation


Trust between Data Controllers and their selected Data Processors is of paramount importance, which is why Pulsar Group remains committed to demonstrating full regulatory compliance with all applicable legislation, regulations and standards.

In respect of the changes to Article 27 following Brexit, Pulsar Group partnered with GDPR Local to offer data subjects living in the EU a local representative. A team of external DPOs then reviewed our data protection policies, processes, and records. Pulsar Group was approved to meet GDPR compliance requirements.

Pulsar Group is ISO/IEC 27001 certified. This is an international standard for Information Security Management that demonstrates an ongoing commitment to apply the most rigorous risk management model to protect information and data belonging to both our clients and the Group.

Cfa have audited Access Intelligence to UKAS requirements of ISO 27001.

The standard forms the basis for effective management of confidential information and the application of information security controls. It recognises an ongoing commitment to review systems and suppliers, identify risks, assess implications and put controls in place for data security. This includes auditing all systems, information assets, operational processes, legal and regulatory requirements, and an ongoing training programme to strengthen the organisation’s expertise in risk management and data security.

ISO 27001 recognises the Group’s exceptional standards in data management and security. This benefits all clients who can rely on the Company’s ability to store and process sensitive data in a secure way underpinned by robust systems, increased business resilience, and exceptional management processes.

In addition, Pulsar Group uses specialist external third parties to undertake regular security and penetration testing of our platform, systems and applications.

5. Data Subject Rights

A key provision of GDPR is the expansion of the rights of data subjects to access, track, correct, restrict and erase their personal data which may be in the possession of a data processing organisation.

Within the GDPR there are several significant rights afforded to data subjects:

a. The right of access by the data subject – The data subject can request from the Data Controller confirmation as to whether personal data concerning them is being held. If that is the case, the data subject can then request details of the information, including the purpose of the data processing, details of where it has been disclosed, the period for which the personal data will be stored, etc.

b. The right to rectification (correction of data held) – The data subject can obtain from the data controller the correction or completion of any inaccurate or incomplete personal data that is being held about them.

c. The right to erasure (‘right to be forgotten’) – The data subject can request deletion of their personal data in certain situations, for example where the data has been processed unlawfully, is no longer needed for the purposes for which it was originally gathered, a legal obligation applies, or simply where the data subject has withdrawn their consent.

d. The right to object to processing – The data subject can request that the data controller ceases processing of their personal data where the accuracy of the data is contested, the processing is unlawful, and where the use of the data is no longer necessary.

e. The right to restriction of processing – The data subject can request that the data controller restricts the processing of their personal data where the accuracy of the data is contested, the processing is unlawful, and where the use of the data is no longer necessary.

f. The right to data portability – under certain circumstances, the data subject can request an export of their personal data from the data controller directly to them, or from the controller directly to another data controller.

In each of these cases, Pulsar Group will be enhancing the technical functions within the platforms to assist the applicable Data Controller in meeting their obligations.

– Pulsar Group Privacy Policy

6. Data Processing Agreements

Data processing terms are included in all contracts with clients and suppliers.

Under the GDPR, Data Controllers must only process personal data with clear documented instructions regarding authorised processing activities.

If the processing involves international data transfers to a country without an adequacy decision from the EU, this is called a Restricted Transfer. In this case, Pulsar Group will ensure that the Data Processing Agreement (DPA) also includes Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreement (IDTA), to add extra protection to the data once transferred out of the UK/EU.

Pulsar Group will not undertake any personal data processing activities on client data that are not described within the Client’s documented instructions. To this end, Pulsar Group has incorporated documented instructions pertinent to our platform and delivery of services in our Terms and Conditions to aid in uniformity of processing; in contrast to holding thousands of separate (and disparate) documented instructions, we can ensure a consistent experience for clients and reduce any risk of error.

The Client should conduct any Data Protection Impact Assessments (DPIA) and risk assessments that are necessary in connection with the personal data processing activity, and be prepared to share the results with Pulsar Group if requested to demonstrate compliance.

7. Resilience, Testing and Security Controls in Place

The Pulsar Group – including its brands Vuelio, ResponseSource and Pulsar – has achieved the ISO/IEC 27001 certification. This is an international standard for Information Security Management that demonstrates an ongoing commitment to apply the most rigorous risk management model to protect information and data belonging to both the Group and its clients. For more information about security certifications please see our Trust Centre.

Pulsar Group’s main resilience objective is to ensure that we deliver our availability commitments as recorded within each Client’s contracted Service Level Agreement.

Products are hosted on cloud infrastructure, with automatic scaling and replication in multiple isolated locations in place to minimise Client service disruption in the event of a service-affecting incident.

Pulsar Group also has an established set of business continuity scenarios mapped out and is ready to implement these if a situation so requires.

Security testing is carried out on a regular basis by internal and external teams to test aspects of operational preparedness and the management of potential risks, threats and vulnerabilities. We conduct regular penetration tests and risk assessments of our physical and digital security controls in line with the requirements of our Information Security Management System (ISMS).

Pulsar Group maintains separate development and test environments away from its production environments and follows secure development, testing and change control principles that are designed to prevent information security incidents.

Pulsar Group’s ISMS is ISO 27001 certified and has embedded policies, processes and procedures throughout the organisation to ensure compliance with the organisation’s information security and data protection requirements. Pulsar Group delivers a framework of regular internal audits and risk assessments to drive continuous improvement by identifying and developing all aspects of information security across the business. The controls established in the ISMS deliver a robust framework of governance and protection, not just for Pulsar Group, but for our Clients and any associated data subjects.

Pulsar Group maintains a data retention policy and supporting schedule, to make certain that personal data is only retained for as long as is necessary to carry out the specific data processing task that is required.

Pulsar Group products provide tools for the Client to manage their own data retention requirements. At the point at which the data is no longer needed, the data can be highlighted and securely erased, with the backups securely overwritten after 28 days. After this time, we are not able to perform any data recovery requests for our Clients.

8. Staff Access and Responsibilities

Pulsar Group carefully selects and recruits personnel to ensure the highest possible standards of professionalism and to screen any potential security risks before they could impact the business. Personnel are subject to vetting and, where applicable, police security checks. All staff are required to sign formal non-disclosure agreements as part of their onboarding process alongside their contractual terms of employment.

Pulsar Group takes training and awareness regarding information security and data protection seriously. Staff are trained during their induction process on a variety of information security topics with a separate breakout session addressing GDPR compliance. Pulsar Group also undertakes role-specific training to cover relevant threats that may be encountered by various positions throughout the organisation, as well as running annual refresher training courses and ad-hoc sessions to address situations that have arisen and require the business’s action.

Pulsar Group employs a principle of minimum access, such that staff are only afforded access to the data necessary and the tools required to complete the tasks required of their role. If this needs to be changed, management approval is requested to decide whether a different level of access should be granted and on what basis. Pulsar Group undertakes regular reviews of the access granted to all users to determine whether it is in line with their current role, as well as reviewing access and activity logs.

9. Sub-Processors

As part of Pulsar Group’s commitment to transparency, Pulsar Group will disclose its use of approved sub-processors, assigning work to them within strict contractual boundaries. We will always declare any sub-processors used for a Client and we will communicate the mapping of the data flow of personal information to and from them. When changing sub-processors, Pulsar Group will update this list not less than 4 days in advance of the date on which the change of sub-processor is effected. All sub-processors are carefully selected, and are subject to ongoing checks and validations to ensure that they have GDPR-compliant information security processes and data protection practices that are no less stringent than our own.

Our contracts with sub-processors include key clauses to ensure acceptable standards of information security and data protection. If suppliers are processing data outside of the UK/EU, or outside another country deemed to have “adequate” data protection laws by the EU, we will add further agreements in the form of either Standard Contractual Clauses (SCCs) or an International Data Transfer Agreement (IDTA).

Pulsar Group maintains a register of Sub-Processors, available at http://www.pulsargroup.com/trustcentre/sub-processors/

10. Record Keeping

Outlined in Article 30 of the Regulation are the record-keeping responsibilities of both the Data Controller and the Data Processor. Pulsar Group manages record keeping and retention periods for Pulsar Group’s data and for the Data Controller’s use of the Vuelio, Pulsar and ResponseSource Platforms. Pulsar Group’s record-keeping responsibilities include keeping the following records:

  • Client Contracts with specific Data Processing Instructions
  • Supplier Contracts and Supply Chain Risk Management
  • Internal and External Audit Reports
  • Data Protection Impact Assessments (DPIAs)
  • Software Testing Reports
  • Data subject rights requests (DSARs)
  • Privacy Policies (version controlled and tracked)
  • Client service cases (including their content and status information)
  • Records of ownership
  • Staff training in matters of Information Security and Data Protection
  • Access control information for physical locations
  • Application access logs
  • Data breaches, security events (real or simulated)
  • Penetration testing reports and results
  • External reports to relevant supervisory authorities

11. Information Commissioner’s Office (ICO)

Pulsar Group is committed to ensuring that its Clients receive the highest standard of assistance in the event of an information security incident or data breach affecting personal data. Data Controllers should report such incidents to the Information Commissioner’s Office (the UK’s supervisory authority) within 72 hours of becoming aware, and communicate details of the incident to the affected data subjects. Our Data Protection Officer heads an internal team who are responsible for investigating and reporting any information security incidents and ensures that these reports are provided to the appropriate Client promptly. Pulsar Group operates to an internal deadline of 24 hours from breach discovery to make a full report available to the Client. The incident report provides the following information where applicable:

  • Date and time of incident, date and time of incident discovery and reporting
  • Nature of incident; categorisation and description of the personal data involved
  • Description of incident
  • Disclosure of any data processors, sub-processors or third parties involved with the breach
  • Breakdown of immediate actions and resolutions, including steps to reduce further breaches
  • Root cause analysis
  • Supervisory Authority notification actions undertaken
  • How data subjects have been affected

12. Data Protection Contact

As part of Pulsar Group’s commitment to data protection and operational improvement, we have appointed a Data Protection Officer who oversees all GDPR, ISMS and information security governance activities. External parties, individuals and data subjects can get in touch via:

Adam Palmer
Data Protection Officer
[email protected]