Information Security, Personal Data, GDPR

As the GDPR regulations came into effect on the 25 May 2018 our customers, resellers and potential customers will be interested to know how we look after data and in particular personal data and how we keep things secure generally.

In some cases, customers may have a legal obligation to provide details of data protection policies.

This article sets out in high level terms how we deal with data protection and information security as well as providing what we hope will be useful details to help customers answer compliance questions.   However, more detail can be found in our privacy policy here.  Our Information Security Policy and other related documents can be made available upon request.  This article is provided as a resource, but does not constitute legal advice. We encourage you to speak to a legal practitioner in your area to learn how the GDPR may affect your organisation.

Our Approach to Information Security

It’s very easy for a company to make claims about how safe your data is with them, but with so many household name companies having data breaches how can you be certain this is really the case?

The approach we’ve taken is to have our data protection policies, processes and procedures externally reviewed and verified by a trusted and approved body.  In 2014 we started the process to become certified for the ISO 27001 Information Security Management System.  We were awarded the certification in 2015 and have been successfully audited annually ever since to ensure we continue to meet the standards of the ISO organisation.

For obvious reasons we don’t want to disclose on a public website the technical details of all our security measures beyond stating that all data and systems are protected behind industry standard firewalls, data in encrypted as it passes through the Internet, and all data is backed up to second secure data centre.  Within our data centres there are a number of technical and physical security measures, as well as protection from fire and flood.   More information about our data centre security and resilience features are available here.

Common questions in relation to GDPR

GDPR replaces the Data Protection Act and applied from 25 May 2018.  As all current EU legislation is being brought into UK law it will continue after Brexit.

GDPR applies to Data Controllers and Processors and for the most part we at Cardium Outsourcing Ltd (T/A Your Office Anywhere) are the data processors and our customers who use applications and storage on our platform are the data controllers.

While we have dozens of set procedures as part of our Information Security processes, too numerous to detail here, we have noted some procedures that may be particularly relevant in relation to GDPR

Data security and audit trail

Outside of specific applications we will set file and folder security on your behalf.  There are two key points to how this is managed.

• All permissions change requests have to be sent via an email to our helpdesk.   Here they are logged and a permanent audit trail is recorded for the request and when it was actioned.  This information can be provided to the customer on request.
• All permissions changes have to be requested by an authorised company contact, this will be the primary or technical contact by default.

Deletion of data

Under GDPR individuals have a right to request that personal data about them is deleted.   Live customers, as the data controllers, are usually responsible for managing their own data and documents.   In the situation where a customer wishes to cancel their service with us the following actions are taken.

• Cancellations have to come from the authorised contact and via an email to our helpdesk, again to capture the audit trail.
• Data is deleted from the server or attached storage at a date agreed with the customer contact.   This is again recorded in the helpdesk system for audit purposes.
• Data on our backup systems will age out after 20 days.
• Data held by us about our customers e.g. contact details will be deleted off our systems within 14 days of the customer leaving the platform.
• Financial data about our customers i.e. invoices etc. will be held for 7 years in line with UK financial regulation.

Data Protection Guidance from the ICO

The Information Commissioners Office has produced useful guidance for companies who are impacted by GDPR  This guide is available here.

Within this guidance the ICO sets out steps to help businesses prepare for GDPR.  To help our customers we’ve provided some information below in line with these steps.

Awareness

All Directors, Managers and key decision makers at Cardium Outsourcing Ltd are aware of GDPR and appreciate the impact on our customers and our own business

Information We Hold

As data processors we are required to “process” our customer’s data which will likely included personal data.   As part of our ISO 27001 certification we are already required to audit the information we hold and have policies in place to ensure we comply with data protection principles.

For our core services we don’t use any other third parties to process data, all data is held on our own hardware in UK data centres.   The exception to this is where we resell services such as cloud backup services.   In this instances the data is held in UK data centres.

We will also hold personal information relating to our customers, for example email addresses and phone numbers.  Details of any information we hold will be provided following an email request to our helpdesk from the authorised customer contact.

Some information will be held with 3rd parties outside of the UK/EU this includes the use of an electronic document signing service.    To mitigate the risk, we have implemented a process so that once a document is complete the document will be copied and stored in our systems and deleted from the Electronic sign up system.

For the purposes of bulk emailing for support notification of planned maintenance, service related incidents, or “opted-in” newsletters or marketing material we may use a 3rd party mailing service located outside of the UK in the USA.   Data held on this service will be limited to name, business email address and company name of the specified contacts.

Communicating privacy Information

Our privacy policy is available here

Individuals’ rights

Most of the rights of individuals in relation to personal data such as the right to rectification or the right to erasure fall within the responsibility of the data controller i.e. our customers.

Where we hold information about our customer contacts we will process any requests for rectification, erasure etc. following email to our helpdesk.  We can also provide copies of any personal information we hold format free of charge.

Subject Access Requests

In the most part requests about personal data will go to the data controller i.e. our customers

As above any requests about personal information we hold about our customers can be emailed to our helpdesk.

Further information on this is available in our privacy policy

Lawful basis for processing personal data

Our privacy policy sets out our basis for processing personal data about our customers.   The basis upon which our customers hold data about other individuals will be their responsibility to justify as data controllers.

As above any requests for information about personal data we hold about our customers can be emailed to our helpdesk

Consent

Consent to use personal data will in general be the responsibility of our customers as data controllers.

Where we hold personal data about our customers, such as email addresses and phone numbers this is used for one of three purposes:

Commercial – the usual requirement to email things like invoices and reminders.

Support – we occasionally need to email or call customers in the event of planned maintenance or incidents that may affect their systems.  We also email automated alerts to customers for example where disk space is running low.

Marketing – Customers in the past have been given the option not to receive marketing communication or newsletters during the initial sign-up process.  Following the introduction of GDPR this will change to a double opt-in process to ensure customers having given consent to receive this type of communication.

Children

As a Business to Business company we don’t hold customer information where the customers are children.

Our customers may hold that information, and as data controllers will be responsible for compliance with that area of the legislation.

Data Protection by Design and Data Protection Impact Assessments

Our certification for ISO 27001 covers these specific areas.  As mentioned earlier our Information Security Policy or specific procedures in relation to ISO 27001 are available on request.

Data Protection Officer

As with 10 above the requirement for a data protection officer under GDPR is mirrored in the requirements within ISO 27001

International

We operate solely within the UK and all data is held in data centres in the UK.   While we own and operate all the hardware in the data centres, the data centre operators are also certified for ISO 27001.

Further Information

This article is meant as a general guide but please contact us if there is any specific information you require.

Useful Links:

Cardium Outsourcing Ltd – Privacy Policy: https://www.yourofficeanywhere.co.uk/privacy/

How safe are Hosted Desktops article: https://www.yourofficeanywhere.co.uk/info-hub/how-safe-are-hosted-desktops/

Hosted Desktop Data Security article: https://www.yourofficeanywhere.co.uk/info-hub/hosted-desktop-data-security/

ICO guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

IT Pro Magazine – What is GDPR? Everything you need to know: https://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know-8