GDPR Compliance

Langdon Customs and Excise Solutions Ltd – Commitment to GDPR

Langdon UK GDPR Policy

The UK General Data Protection Regulation (UK-GDPR) is the data protection law that applies in the United Kingdom. It is a modified version of the European Union’s General Data Protection Regulation (EU-GDPR), retained in UK law after the UK left the EU, and is designed to ensure the protection of individuals’ personal data. Langdon is committed to complying with the UK-GDPR and will act accordingly in all matters.

In respect of Langdon’s activities: whenever GDPR legislation applies to our clients, they are deemed the Controller of the personal data held on the Langdon Platform, and Langdon is deemed the Processor. As such, both Langdon and our client must comply with their respective obligations under GDPR. One side of these obligations relates to the controller-processor relationship (which must be governed by a written contract under Article 28), while the other relates to the controller’s obligations vis-à-vis the data subject, typically the user of the Langdon Platform (i.e. employees, contractors and partners of our clients).

We expect our clients and their users to comply with all applicable laws and regulations in connection with their use of the Langdon Platform, in particular by making sure that our clients have all rights, consents and other lawful bases necessary to allow Langdon to process such data on their behalf.

Key Points:

  • Lawful basis and consent: The UK-GDPR requires a lawful basis (Article 6) for every processing activity; consent is one of six such bases, not a universal requirement. Where consent is relied on it must be freely given, specific, informed and unambiguous, and explicit consent is required to process special-category data (Article 9).
  • Data Protection Act (DPA) 2018: The DPA 2018 sits alongside the UK-GDPR and supplements it with UK-specific provisions and exemptions; together they form the UK data protection regime.
  • UK-GDPR: The UK-GDPR is nearly identical to the EU-GDPR, but is independent UK legislation enforced by the UK’s own data protection authority.
  • Data Protection Authority: The Information Commissioner’s Office (ICO) is the UK’s independent data protection authority responsible for enforcing the UK-GDPR.
  • Data Breaches: Controllers must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected individuals must also be informed. A processor such as Langdon must notify the controller without undue delay after becoming aware of a breach.
  • Data Protection Officer (DPO): Organizations must appoint a DPO if they are a public authority, if their core activities involve large-scale regular and systematic monitoring of individuals, or if they process special-category or criminal-offence data on a large scale. Headcount alone is not a criterion.

Further requirements under the UK-GDPR:

  • Cookie Consent: Under the Privacy and Electronic Communications Regulations (PECR), read with the UK-GDPR’s standard of consent, websites must obtain consent from users before setting non-essential cookies or third-party trackers on their devices.
  • Data Protection by Design: Organizations must implement data protection by design and default, ensuring that personal data is protected from the outset.
  • Data Subject Rights: Individuals have the right to access, rectify, erase, restrict processing, object to processing, and data portability.
  • Data Protection Impact Assessment (DPIA): Organizations must conduct a DPIA before starting any processing that is likely to result in a high risk to individuals’ rights and freedoms, and must consult the ICO if the residual risk remains high.

Fines and Penalties:

  • Fines: The ICO can impose fines of up to £17.5 million or 4% of an organization’s total worldwide annual turnover, whichever is higher, for the most serious infringements of the UK-GDPR; a lower tier of up to £8.7 million or 2% applies to other infringements.
  • Penalties: Organizations can also face other enforcement action, including warnings, reprimands, enforcement notices requiring processing to stop, and, for certain offences under the DPA 2018, criminal prosecution.

Best Practices:

  • Data Protection by Design: Implement data protection by design and default to ensure personal data is protected from the outset.
  • Data Subject Rights: Put procedures in place to recognise and honour data subject requests (access, rectification, erasure, restriction, objection and portability), normally within one month of receipt.
  • Data Breach Response: Develop a data breach response plan to ensure timely detection, containment, reporting and mitigation of data breaches.
  • Data Protection Officer (DPO): Appoint a DPO, where required, to oversee data protection compliance and ensure data protection by design.

Langdon’s top 6 priorities for GDPR compliance.

Langdon have identified 6 priorities to ensure compliance with GDPR legislation and below we explain the Langdon position relating to these priorities:

1. Determine your role under the GDPR

   As a software solutions provider, Langdon processes personal data on behalf of its Clients using the Langdon Platform; Langdon is therefore a data processor under the GDPR, and each Client is the controller. In light of existing data privacy laws and the data security measures generally expected of a global cloud service provider such as Langdon, we have already implemented an information security program consisting of policies and procedures to help ensure that Langdon acts in accordance with current and new compliance requirements when providing our services.

2. Appoint a Data Protection Officer

   The GDPR requires some organisations to designate a Data Protection Officer (DPO). Organisations requiring a DPO include public authorities, organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process special-category (sensitive) personal data on a large scale. At Langdon we have appointed a Senior Manager to this role.

3. Demonstrate accountability in all processing activities

   Langdon has implemented an information security program consisting of policies and procedures that define how system information is entered, managed and protected. Langdon’s current information security program is further specified in our Master Subscription Agreement (MSA) as well as our Data Processing Agreement (DPA). In particular, Langdon commits to monitor, analyse and respond to security incidents in a timely manner in accordance with Langdon’s standard operating procedure, which sets forth the steps that Langdon employees must take in response to a threat or security incident. Langdon continues to invest in a growing global security capability.

4. Check cross-border data flows

   The GDPR permits transfers of personal data inside and outside the EU/UK, subject to compliance with defined conditions, including conditions for onward transfer. When a Client contracts with Langdon, we can enter into a Data Processing Agreement (DPA) with applicable Clients. In the DPA we agree with our Client the terms for the compliant processing of Client personal data, including a description of our security and data privacy policy and the transfer mechanism for any restricted transfer: the EU standard contractual clauses, which for transfers governed by the UK-GDPR must be used together with the UK Addendum or replaced by the ICO’s International Data Transfer Agreement (IDTA).

5. Prepare for data subjects exercising their rights

   Within the Langdon Platform, our Clients use the personal data of their users to interact with each other and to better manage their data analytics. Our Clients will therefore look to Langdon, as service provider and data processor, to offer functionality within the Langdon Platform that enables them to respond to data subjects exercising their rights (access, rectification, erasure, restriction, objection and portability) within the statutory time limit. Our internal product design processes are focused on the user and their positive and productive experience on the Langdon Platform. In light of GDPR, Langdon periodically reviews the Langdon Platform features in order to validate that the Platform provides the required functionality to our Clients.

6. Staying current

   Ensuring the privacy and security of our Clients’ data is an ongoing commitment for Langdon. We will continue to update this document to reflect GDPR-related developments. As a service provider, Langdon is committed to supporting our Clients in their compliance activities and, to this end, we use the Information Commissioner’s Office (ICO) for reference and guidance on all relevant matters.