GDPR at Assemble

Assemble is committed to providing a secure and trusted service by implementing and adhering to compliance policies. After 15 years’ experience working with the Public Sector, we have worked hard to become equipped for the toughest standards.

GDPR: Overview

GDPR at Assemble

Our platform

What you should know

What are we doing?

Here at Assemble, we’ve been reviewing and updating our internal data processes and worked hard to make sure we're fully compliant. We began to dedicate internal resources to the GDPR in January 2017, over a year before the deadline. We did this because we value our customers (and their users) rights to privacy. As you can imagine, we’ve been getting lots of questions about GDPR and our approach to GDPR, we've highlighted some of the answers below.

Assemble: Protecting your data

We take security seriously; our success depends on it.

We need to make sure your data is secure, and protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Where do we stand?

Information security is critical to our business, our robust Information Security Management System (ISMS) is designed to control information assets appropriately, assess risks and build a culture of security at Assemble.

Assemble is committed to GDPR compliance and part of this commitment is to help our customers through their GDPR compliance journey by providing them with robust privacy and security protections. We currently comply with a range of requirements, policies and controls, to ensure we have vigorous measures in place to protect users’ data.

Assemble welcomes the GDPR as an important step forward in unifying data protection requirements across the EU and as an opportunity for Assemble to expand our commitment to data protection. We have closely analysed the requirements of the GDPR, and we’ve worked hard to develop functionality to make compliance easier for you. We are also on the journey to independent certification for ISO 27001:2013, the international standard for information security.

We encourage you to verify that our security practices meet the most widely accepted standards and regulations. After 15 years’ experience working in the public sector we have achieved a range of certifications. As a G-Cloud 12 supplier, we’re one of the selected, trusted providers of cloud software and services to government. We’re also Cyber Essentials accredited – a government backed and industry supported scheme that helps business to protect themselves against the ever growing threat of cyber attacks.

We value the confidence you've put in us and work hard to maintain that trust. For more information about the actions we are taking please see below.

Ben Hayes

CEO, Assemble

Our approach to the GDPR

Frequently asked questions, answered.

Is Assemble a data processor or a data controller?

For our customers, we act as a data processor - we process your personal data on your behalf, in accordance with our Terms and Conditions.

You are the owner of your data, we do not mine your data for advertising or marketing purposes. We only use the provided data to supply the services of Assemble.

How do you comply with the requirements of the GDPR principles?

Article 5 of the GDPR "Principles relating to processing of personal data" requires:

Lawfulness, fairness and transparency

We will process any personal data we collect in a fair, lawful and transparent manner; and in accordance with individuals’ rights.

As a customer of Assemble we will only process the personal data entered into the system in accordance with our Terms and Conditions.

Purpose limitations

We will only collect personal data for specified, explicit and legitimate purposes. Data we collect will not be used for any other purposes other than what you have been made aware of.

As a customer of Assemble we will only process personal data entered into the system for the purpose of providing you our service and in accordance with our Terms and Conditions.

Data minimisation

We will only collect personal data that is needed, adequate and relevant for the specific purpose.

As a customer of Assemble you are responsible for ensuring that the data you hold about your volunteers/employees is limited to what is needed, adequate and relevant for the specific purpose. Features and controls exist in our platform to help facilitate this.

Accuracy

To the best of our ability we will ensure that any personal data we collect is accurate, kept up to date and correct.

As a customer of Assemble you are responsible for ensuring that the data entered into the system about your volunteers/employees is accurate and kept up to date. Our systems are designed to maintain a high level of integrity, meaning that your data will remain as entered and unchanged. Self-service functionality exists in the application to encourage volunteers to keep personal information up to date.

Storage limitations

We will only keep personal data we collect for as long as it is needed, in addition, you have the right to request erasure of your individual data.

Based on parameters set by customers, Assemble will retain data accordingly before they begin to be processed for deletion. Customers can specify a timeframe (based on their specific policies of when legal justification for keeping personal data has expired) and we then proceed to automatically anonymise data.

Integrity and confidentiality

We will process all personal data we collect in a manner that protects it against unwanted modification, disclosure or unlawful processing.

We take a risk based approach to ensure that our systems have the appropriate technical and organisational controls to safeguard the integrity and confidentiality of all personal data.

Accountability

Processes are recorded, implemented and reviewed on a regular basis. All staff are trained and appropriate technical and organisational measures are taken to ensure and demonstrate compliance. We are creating and improving security features on an ongoing basis. As part of our Information Security Management System (ISMS), Assemble is developed to incorporate privacy-by-design and privacy-by-default methodologies, making sure whenever we develop or introduce new systems, privacy and security requirements are considered at every stage.

Where is my data stored?

Your data is stored on the EU clusters of Amazon Web Services (AWS) - none of your data leaves the EU. Featuring state of the art environmental security controls, it’s one of the best and most renowned in the world, so rest assured your data is safe.

Will I be notified in the case of a breach?

How do you handle subject access requests (SAR)?

How do you process data portability requests?

How do you handle data erasure?

Customers (Data Controller) - If you choose to close your account or your subscription expires we will store your customer data for 30 days (the retention period) to give you time to extract the data or renew your subscription. After this 30-day period, we will disable the account and commit to deleting all data under our control. Volunteers/employees (Data Subject) - Assemble works with its customers to help facilitate data erasure requests. Assemble makes it easier to locate and identify the personal data you collect across your organisation. With our search functionality, every person, message, application, and document in Assemble is archived, indexed, and available through search. Customers are in control of the data stored in their instance of Assemble. Based on parameters set by customers, Assemble will retain data accordingly before they begin to be processed for deletion. Customers can specify a timeframe (based on their specific policies of when legal justification for keeping personal data has expired) and we then proceed to automatically anonymise data. As noted in the GDPR (Provision 28), “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. We will remove the user’s name, email address, contact information and other unique identifiers from the system. To prevent confusion and preserve the history of an account, some form of record will still exist for reporting/auditing purposes. Applicants - In line with the principle of ‘data minimisation’, when collecting personal data during the recruitment process, ensure that as an organisation you are requesting only what is ‘adequate, relevant and limited to what is necessary’, and that you have a full understanding of exactly why that data is required. If an applicant requests to have their data deleted, functionality exists in the application to remove all personal data associated with the applicant.

How do you ensure you meet with the privacy by design requirements?

See how the Assemble platform offers features and tools to make the process of satisfying GDPR obligations easier here.

Data Protection Registration

We have a strong track record on data protection. As a company we are registered with the Information Comissioner’s Office (ICO). This means we are contractually committed to delivering our services in compliance with the Data Protection Act (DPA).

ICO Registration Number: Z9806829

Looking for more information?

If you have any further questions, feel free to reach out to us

Disclaimer

Please note that this information is intended to provide helpful guidance to customers on the GDPR and not as a solution or legal advice. We encourage each organisation to undertake their own steps to ensure compliance.