KORMAN COMMUNITIES GDPR STATEMENT

Introduction

The new EU General Data Protection Regulation (GDPR) goes into effect on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organization which holds or processes personal data. GDPR introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA) which it will supersede.

Korman Communities is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001 and PCI-DSS. Korman Communities with our team of experiences business analysts, consultants and digital specialists will comply with applicable GDPR regulations when they take effect in 2018, as a data processor and a data controller, while also working closely with our partners and service providers to meet contractual obligations of GDPR.

Korman Communities has three main areas of focus in preparing for GDPR overseen by its internal cross-functional team:

1. Compliance

Building on existing security and business continuity management systems and PCI-DSS certification, we will also meet ISO 27001, and ISO 22301 standards, to ensure our own compliance.

Korman Communities is working towards robust ISO-based Management Systems (ISMS) and in order to ensure compliance will implement additional or augmented company-wide controls to meet GDPR requirements within the ISMS using internal and external advisors. Led by our Security & Compliance Team, updated information security policies and procedures will build on existing PCI-DSS compliant management systems as the foundation of our Information Control and Classification policy, informed by gap analysis and data protection risk assessments and supported by communication and training programs.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

The GDPR requires that data controllers define how data processors use the data they get from controllers. These requirements belong in our contracts with Partner Service Providers. Korman Communities partners store data in secure data centers based outside of the EU, and the GDPR allows this as long as we agree to and follow standard contractual clauses that guarantee the security and privacy of that data. Korman Communities has included language in our SaaS agreements, which provides the necessary information and includes the required contractual clauses. It is required in all current and future Korman Communities Partners Service Providers.

Korman Communities Security and Compliance Team will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.

In many areas the hosted services provided by Korman Communities already conform. As data processor, the company is undertaking risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention will be reviewed and updated.

2. Korman Communities Customer Data and Control

The volume of data handled by organizations is growing and is captured, processed and stored on an increasing number of devices and networks. Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures require organizations to develop a more disciplined approach to customer data, especially those with personal data spread across many locations and/or systems with varying levels of personal data quality and ownership.

Korman Communiites is confident, that personal and transactional data can be located and anonymized or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data.

Furthermore, we are investing in the management of consent to ensure a simple, but informed experience that will build trust with Customers.

3. Korman Communities Internal Processes, Procedures and Training

As organizations work towards GDPR compliance, ensuring updated policies, procedures and guidelines for the collection, management and protection of Personally Identifiable Information must be a priority and continuous. Korman Communities standard operating procedures (SOP's) are constantly being updated to reflect the requirements of GDPR. Additionally, employee training is being enhanced and employees at every level are being trained to ensure they understand and have the tools to comply with GDPR standards.