CounselLink and the General Data Protection Regulation

CounselLink and the General Data Protection Regulation

Our commitment to data protection

A new data protection law in the European Union (EU), the General Data Protection Regulation (GDPR) is effective May 25, 2018. LexisNexis Legal & Professional sees compliance with GDPR as part of our long-standing commitment to responsible data privacy and security practices.

GDPR Readiness

We recognize that materials that our customers choose to store in CounselLink may contain personal data subject to the GDPR. We are committed to supporting our customers in meeting their GDPR obligations. For example:

Contracts

As part of our GDPR program, we are making available to our customers, suppliers and other partners updated contract clauses to help ensure the parties meet GDPR contractual requirements before the GDPR enforcement date.

Data Subject Rights

CounselLink provides mechanisms either in-app or via our customer support team to help our customers respond to and fulfill data subject requests as required under GDPR.

Data Protection Officer

We have appointed a Data Protection Officer to support our businesses in scope of European data protection laws.

Data Security

Our current security processes, features and posture, described here, ensure that we are well positioned to satisfy our responsibilities to implement appropriate technical and organizational measures under GDPR. Additional measures include:

Comprehensive Physical and Logical Security

CounselLink has a flexible role and permission approach to enable fine grained access control over customer data. The system is designed to ensure that only authenticated users have access to the customer data that they are authorized to see, while they are authorized to see it. All data is encrypted in transit, using the latest transport layer security (TLS) protocols, to and from CounselLink, and is encrypted at rest, with FIPS140-2 Level II compliant self-encrypting disks. Furthermore, all data backups are encrypted and stored securely off-site. User documents stored on CounselLink are also encrypted prior to storage.

CounselLink is hosted in primary and secondary (fail-over) Tier 3 data centers. Each data center provides redundant power and network service, climate control and fire suppression. Physical access to the buildings and CounselLink equipment is monitored by around-the-clock security personnel and closed circuit video cameras. Access to data center equipment requires 2-factor authentication using card key and biometric scan.

Policies, Standards and Guidelines

The CounselLink security team uses automated continuous monitoring designed to optimize availability. Monitoring and management includes proactive monitoring of the data center environment, servers, network, security systems and all service components of the CounselLink firewall on a 24/7/365 basis, and expedient restoration of service when component failures occur. We maintain redundant, backup or spare equipment for key components such that service outages are less likely to occur due to individual component failures.

Audit and Compliance

LexisNexis maintains a robust, comprehensive audit and compliance regimen that includes reviewing access permissions, logs and change control. This program measures and monitors the effectiveness of the governance, risk and control (GRC) processes. Furthermore, the CounselLink solution and data centers are audited annually, by independent third-party auditors. CounselLink maintains an annual SSAE16 audit report, while each data center maintains a SOC 2 audit report, based upon the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy.

Questions

If you have any questions about the LexisNexis GDPR program, please reach out to your LexisNexis account representative or contact our Data Protection Officer at DPO@lexisnexis.co.uk.