Lambda's GDPR compliance a Data Processing Agreement
Last Amendment Date: November 1, 2019
Last Review Date: May 1, 2022
Lambda Solutions GDPR Information Sheet
Table Of Contents
Lambda’s Approach to Working with Customers Who Require GDPR Compliance 4
Examples - Difference between Data Controllers and Data Processors 6
Lambda Solutions Data Processing Agreement Overview 7
Features to Support GDPR Compliance 7
Lambda Solutions Legal Information 10
Contact Information
Corporate Headquarters
Suite 200-110 West Hastings
Vancouver, BC V6B 1G8, Canada
U.S.
Seattle Downtown Business Center
1700 7th Avenue, Suite 1200
Seattle, WA 98104
Call +1.877.700.1118 to speak with a representative
Visit our website at lambdasolutions.net
Email us at sales@lambdasolutions.net
Lambda’s Approach to Working with Customers Who Require GDPR Compliance
Lambda Solutions offers Customers who require GDPR compliance a Data Processing Agreement and in addition the LMS provides features to help the Customer manage their GDPR Compliance.
Lambda Solutions has implemented security and data protection technology, features, procedures, and policies to ensure your data is safe plus secured in the cloud and remains private.
Summary
- Data Processing Agreement
- LMS Features for an organization to help manage compliance
- Lambda Security and Privacy measures
GDPR Background
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.
Scope
If an organization processes the personal data of EU citizens or residents, or if they offer goods or services to such people, then the GDPR applies to the organization even if they are not in the EU.
The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.
Key GDPR Terms
The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing… so basically anything.
Data subject — The person whose data is processed. These are an organization's customers or site visitors.
Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers or email service providers.
Data Protection Principles
If an organization is process data, they have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Examples - Difference between Data Controllers and Data Processors
GDPR distinguishes between Controllers and Processors for accountability. As a result, each receives different assigned roles for compliance. For example, if the Data Subject exercised the right to request their data, the Controller would access it from their servers or from the Processor they contracted to handle the data.
The relationship between Lambda Solutions and a Customer (Organization) often takes the form of the Customer acting as the Data Controller and Lambda Solutions as the Data Processor.
Below are some generalized examples to help illustrate the difference between a Data Controller and Processor. In short, the Customer decides what information is collected and how it is used and Lambda processes and stores the data.
Example 1:
A retail website (Controller) collects email addresses and other personal data provided by visitors and customers for sales and marketing purposes. All the data collected is then sent on to Marketing Firm (Processor) for use in email marketing, SEO, and social media campaigns.
If the Retailer (Controller) provides the data and the instructions to the Marketing Firm (Processor), then the Retailer is the data controller and the Marketing Firm is the data processor.
If the Retailer provides the data and leaves the Marketing firm to come up with the means of processing the data, then both the Retailer and Marketing Firm are the data controllers and the Marketing Firm is also the processor.
Example 2:
A Bank (Controller) collects the data of its clients when they open an account, but it uses a third-party Organization (Processor) to store, digitize, and catalog all the information collected by the Bank. The third-party Organization processing the information could be a datacenter, CRM solution, or document management company.
Lambda Solutions Data Processing Agreement Overview
Lambda Solutions has a data processing agreement (“DPA”) which is between Lambda Solutions and the Customer and applies to Personal Data provided by the Customer and each Data Controller in connection with their purchase and use of the Lambda Suite (Lambda Store, Lambda Learn, and Lambda Analytics) as a service from Lambda identified collectively as the “Cloud Service”. It states the technical and organizational measures Lambda uses to protect Personal Data that is stored in the production
Cloud Service. This Data Processing Agreement is a supplement to and made a part of the Consulting Services Terms and Conditions (“Agreement”).
For more information please see or request a Data Processing Service Agreement from your Account Executive at Lambda Solutions.
Features to Support GDPR Compliance
Lambda Learn (LMS) has features designed to help customers ensure their learning management platform supports their compliance with the EU General Data Protection Regulation (GDPR). The LMS has features designed to makes it easy for end users to understand what their data will be used for, who will have access to it, and provide consent to site policies regarding the usage of their personal data (such as opting into receiving marketing emails and receiving notifications when their data will be passed to third parties). With LMS, administrators can create, publish and update multiple consent policies and track when end users have agreed to a particular version of a given policy. This makes it easier for administrators to monitor active policies and identify who may need to agree to a new policy version if circumstances change. This will also ensure that data handling and processing is transparent enough to abide by the new regulations, protecting organizations and end users alike.
Lambda Learn GDPR Features
Site Policy
The Site Policy feature will allow organizations to create a site-wide use policy that users must review and agree or decline - with all responses recorded. Versioning allows organizations to update policies as required, and users are able to visit a dedicated Site Policy page and amend their agreement if necessary.
Data Access and Export
Administrators will have the ability to export all data that is linked to a given user, with the option to review the data prior to transmitting to the individual. This export file will allow the individual to review what type of personal data is processed within their LMS site and reconcile this information with their version of the Site Policy. For example, from the exported file, a user will be able to see that the platform is processing items such as quiz answers, feedback responses, course enrolments, progress and completions, site logins etc.
Data Portability
While the data export feature will provide all user data in a consistent format that allows for porting of data, existing functionality within LMS allows key learning data to be exported in a more ‘human readable’ format, via the Report Builder and Record of Learning areas.
Data Retention and Deletion
The LMS will provide administrators with the ability to create and manage multiple ‘Purge Types’. Each Purge Type will have an individual configuration, specifying the retention, deletion or anonymization requirements of various user data types throughout the system. Users may have a Purge Type applied to their account so their data will be processed in accordance with an organization’s data retention requirements.
Security Overview
At Lambda, we understand that security is very important for information systems like an LMS, especially as applications start to move to more of a cloud based infrastructure. To ensure security across all aspects of the hosting infrastructure Lambda has developed its own security best practices to be ISO 27001 certified. Additionally, Lambda works in conjunction with Amazon Web Services robust hosting infrastructure to provide secure world class service.
At a physical security level, Lambda Solutions utilizes AWS as a secure and state of the art hosting provider. AWS heavily controls access to its hosting locations through the use of professional security and video surveillance, intrusion detection and other electronic security measures. All visitors and contractors are required to present identification, sign into the facility and be escorted by authorized staff during their visit. The data center’s climate is monitored in real-time to ensure the facility is operating as effectively and securely.
AWS also provides a variety of sophisticated network layer security measures including firewall and strong encryption to ensure its customers are fully secured, when using their systems. AWS is fully compliant with industry standards including SOC1 (SSAE16), SOC2 and; SOC3 among others.
In addition to AWS’ physical and network security, Lambda Solutions deploys Intrusion Prevention and Detection systems which monitor our systems for malicious activity. In the event of an intrusion, Lambda’s Operations and Support representatives are immediately notified so they can begin isolating and resolving the issue.
At the application security, Lambda Solutions ensures that the LMS instance is kept up to date with the latest security and stability patches. All major and minor updates are included with Lambda’s hosting package giving clients the peace of mind that the LMS platform is secure and up to date. Lambda also includes an SSL certificate (Domain Validated certificates (DV)) which is used to secure web traffic and authentication with the LMS.
Access to the LMS backend system is restricted to authorized Operations personnel only through the use of private key authentication via an SSH connection. All LMS systems can only be accessed through this connection restricting access to the hosting platform.
As a final measure of ongoing security, Lambda Solutions performs periodic penetration tests to the LMS instances via a 3rd party application. This system helps Lambda to effectively monitor its systems and ensure that our LMS platform is fully secured.
Lambda Solutions Legal Information
Lambda Solutions was founded on the vision of providing superior customer service. Put simply, we set out to become a company that was easy to do business with. Our unique customer service philosophy extends to all we do, so to make it easier to work with us, we make our legal information easily accessible at https://www.lambdasolutions.net/company/legal