The GDPR has become a global standard for data protection. In order to support our EU clients with their own compliance with this regulation, BUNCH (as a data processor) has undergone a full GDPR compliance transformation.
In short, yes. While BUNCH is a Hong Kong incorporated entity with production centers in the Philippines, and although our clients are not always located in the EU, a number of our clients store personal data of customers from all over the world (including EU citizens). In this regard, BUNCH is required to comply with the GDPR in order to become an eligible vendor for certain services involving personal data, such as customer support, outbound sales and other specialised tasks. In most cases, our services do not involve any personal data at all. In all cases, we do not hold or store any personal data arising from our support of client campaigns. Accordingly, under the GDPR, BUNCH falls into the category of a data processor and not a data controller (see below).
The GDPR distinguishes between the roles of a data 'controller' and a data 'processor' – each having different compliance requirements. The GDPR defines a controller as an entity that determines the "purposes and means" of the data processing and/or stores or holds personal data of individuals from the EU. A processor, on the other hand, is defined as an entity that "processes personal data on behalf of the controller".
As a service provider, BUNCH holds no personal data. Our clients own their data at all levels. Clients retaining ownership of their data in accordance with their own internal policies, together with strict obligations of confidentiality, have been the foundation of BUNCH’s data protection policy (even prior to GDPR compliance). Our specialists only access information through our clients’ software platforms, and nothing is stored locally, on our remote servers, or anywhere else. BUNCH is therefore a data processor and complies with the GDPR in that capacity.
Since May 2018, we have been transforming our processes in order to comply with the GDPR at the data processor level. We take data protection seriously and therefore saw GDPR compliance as the logical (and indeed, necessary) next step in order to become an eligible vendor for global clients who store or otherwise control personal data of EU citizens.
Besides our ongoing commitment since ‘day one’ of creating and maintaining a data-sensitive culture (including compliance with local laws in Hong Kong and the Philippines, as applicable), our GDPR compliance milestones to date have included the following measures:
With the help of third-party auditors, we will complete our transformation process and the technical implementation of all the above policies and procedures before August 15, 2018.
The above being said, GDPR compliance is very much an ongoing commitment and process. There is no ‘end-point’ where compliance is achieved and can be put aside. It is necessary to keep reviewing and updating our procedures, security measures and processing activities to ensure that on a day-to-day basis our practices comply with the GDPR requirements and any upcoming amendments thereto. BUNCH is very much committed to doing so and working with our existing affected clients to ensure that our compliance meets (and hopefully exceeds) their own internal standards as regards the GDPR.
The GDPR outlines the processes and requirements to better ensure the data protection of EU citizens, but it does not require an external audit to certify compliance with the GDPR. Nevertheless, as previously noted, we believe in the value of becoming a certified GDPR-ready vendor and we are discussing terms with a reputable audit firm in the UK and planning to have it ready by Q3 2019.
If you collect, store or hold personal data of European citizens and require vendors to have access to that information, you will need to first ensure your own compliance with the GDPR as a ‘controller’ and then ensure that any vendors you appoint are compliant with GDPR as processors or controllers (as applicable).
On the other hand, if you only manage public domain data or work with project data such as software product development, GDPR compliance may be less onerous.
Nowhere. As noted above, BUNCH does not store any personal data from client campaigns whatsoever. Our GDPR-ready workstations store no local information, and local files are deleted after every session. We are a cloud-based company and we do not store any client information (including personal data of our clients’ users, etc.) on our remote servers.
Last update: January 2, 2019