This document sets out how we comply with the General Data Protection Regulation (GDPR) in our handling of the personal data we hold. As a CCTV service provider, we support a number of clients under either contracted support agreements or on an ad-hoc basis, which requires us to gather information about those clients in order to support them. This includes data we obtain from clients directly and data about the company that we obtain from other organisations.
This document sets out what personal or company data we hold, why we process or control that data, who we share it with, and your rights in relation to the data we hold.
The GDPR protects the privacy rights of individuals in the EU (data subjects), and compared with previous EU privacy legislation it greatly expands the definition of personal data to include not just financial, government and medical records but also genetic, cultural and social information, as well as online identifiers such as IP addresses. Every use of personal data must rest on a lawful basis: explicit consent is one such basis, but so are performance of a contract and the legitimate interests of the business, and for a support provider most processing is carried out under the contract rather than under consent. Businesses must also honour the “right to be forgotten”, i.e. erase the personal data they hold about a person at that person’s request, subject to exceptions such as data that must be retained by law. For us this would usually apply at the end of a contracted term or when support is no longer required for the purpose of supporting the client/customer.
We must also meet a number of requirements to demonstrate ongoing compliance: maintaining records of our processing, appointing a named person responsible for data protection (the Data Protection Officer, which is mandatory for some organisations and is the contact referred to at the end of this document), reporting personal data breaches to the supervisory authority where they are likely to result in a risk to individuals, and keeping personal data within the EU unless a transfer is covered by an appropriate safeguard such as an adequacy decision or standard contractual clauses.
What information do we process in relation to you or the company?
We collect, hold and share limited information about you or the company in order to provide our services as your support provider.
- Personal information (such as name, business address, home address if required, business and mobile numbers, email address)
- Login credentials (such as email access, server management, administrative rights on PCs, router and switch access, wireless controller access, CCTV camera access)
- Remote management access to PCs, used to fix reported problems remotely
- Financial details (such as bank account details for billing purposes)
We may also need information about third parties from you (for example equipment or software suppliers) in order to support certain products or equipment.
Where do we get your data from?
We obtain this information from you as a client when you agree for us to provide support for your business, whether under a support agreement or on an ad-hoc basis.
We may also obtain information about you from other sources in order to provide support; this is done only with your business’s authorisation.
Why do we use your company or personal data?
We will process or control your data for the following reasons (not all would be applicable):
- To provide remote or on-site support for your business, including holding data about staff within the business where we need it to resolve reported technical problems
- To provide CCTV connectivity
- To provide internet connectivity to the premises
- To provide remote support
- To provide or obtain additional services including technical advice and/or support for your business
- To communicate support or sensitive information relating to the company
- To enable payments invoiced monthly via our online payment system
Whilst most of the processing of personal data we hold about the business will not require your consent, we will inform you if your consent is required and obtain it before any such processing takes place.
To understand GDPR as it relates to data storage and data protection, it is useful to understand the following basic terms:
Data subject
An individual in the EU who is identified or identifiable from their personal data. This may be a consumer making an online purchase, a user of an IT system, a citizen accessing online services, and so on: any individual providing personal information in order to use some type of service.
Processor
A business, such as a cloud service provider, that processes personal data on behalf of and under the instructions of a controller, i.e. another business that captures data on individuals. Examples include application hosts, storage providers, and providers of cloud services such as backup.
Right to be forgotten
The right of every data subject “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data held on a controller’s servers and/or in its management systems. The right is not absolute: data that must be retained to meet a legal obligation, or that is still needed for the purpose it was collected for, may be kept.
Controller
A business operating within the EU, or outside the EU but dealing with EU residents, that determines why and how personal data about those residents is processed in the course of its operations. This includes a provider accepting online orders, addresses and payment information from consumers, and it extends to customer records kept for any service-related request.
Personal data
“Any information relating to an identified or identifiable natural person.” This is defined more broadly by the EU than in many other jurisdictions and includes a person’s name, email address, social media posts, physical, physiological or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, and so on.
Personal data breach
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses must report a data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the risk is high, the affected individuals must also be informed without undue delay. Every breach, reported or not, must be documented internally.
Privacy Protection Failures
Our ability to attest to the privacy, integrity, availability and erasure of personal data relies in part on our ability to protect personal data and its backups against failure, and to recover when a failure occurs. These failures fall into three categories:
- Device failures: the physical failure of any storage hardware component, including disk drives, storage controllers, and whole data centres.
- Security breaches: failures due to malicious attacks on IT infrastructure (networks, servers, applications and endpoints), whether by malicious insiders, online criminals or hostile state actors. An example is a ransomware attack that encrypts the contents of a hard drive with strong encryption and demands an online payment in return for the decryption key; without an offline or otherwise isolated backup there is no reliable way to recover the data.
- Logical or soft failures: failures due to human error. Examples include accidental deletion or overwriting of files while executing a backup procedure, corruption of file data due to a bug in a script or business application, and accidental deletion of a hard drive’s master boot record.
Your rights over the personal data we hold
In addition to protecting against these types of data protection failure, and reporting to the supervisory authority when breaches occur, we as controllers have a number of obligations to the individuals whose personal data we hold. Controllers must support the ability of individuals to:
- Access their personal data, and have inaccurate data corrected
- Have their personal data deleted, on a simple request to us
- Export their personal data in a commonly used, machine-readable format
Complying with such requests is not always simple. A clear-cut request like “Delete my mailbox and its entire contents” is easy to act on; a request like “Delete all my information from any backups” is harder, because data held in backups is generally only removed as those backups expire and are overwritten over the backup retention cycle.
GDPR Requirements for Data Protection and Storage of Data
As a business we have additional obligations which we must meet; these include:
- Offer sufficient guarantees that our services meet the GDPR’s technical and organisational requirements
- Not engage sub-contractors (sub-processors) to support service contracts between us as processor and our clients (controllers) without the controller’s prior written authorisation
- On termination of a service contract or solution, remove all client data from our cloud and/or data centre infrastructure (or return it, at the client’s choice) and provide sufficient proof that we have done so
- Report data breach incidents to the regulatory body, and to the affected client without undue delay where we process the data on their behalf.
The EU is serious about enforcing compliance, with substantial financial penalties for businesses that cannot demonstrate compliance or are found in clear violation of GDPR rules protecting privacy. For example, failing to maintain written records of processing, to implement appropriate technical and organisational measures, or to appoint a Data Protection Officer where one is required can cost the offending business a fine of up to €10 million or 2% of annual global turnover, whichever is greater; infringements of the core data protection principles, of data subjects’ rights or of the rules on international transfers attract the higher tier of up to €20 million or 4%. Broadly speaking, to achieve GDPR compliance in the areas of data storage and data protection, processors and controllers should only use services and solutions that meet the following requirements:
- Knowledge and control of where personal data is stored, so that it only leaves the EU under an appropriate safeguard.
- Ability to modify personal data. We should be able to easily copy, correct and delete personal data at the request of data subjects.
- Data export in a common format. We should be able to export personal data in a common, machine-readable format.
- Right to be forgotten. When data is no longer needed for the purpose it was collected for, or another ground for erasure applies, data subjects must be able to require the controller to erase their personal data.
- Data portability. Data subjects must be able to obtain and reuse their personal data for their own purposes by transferring it between different IT environments. This requires the ability to download personal data in an easily portable format.
- Data Protection Officer. A named person who advises on and monitors GDPR compliance and acts as the point of contact for data subjects and the supervisory authority; responsibility for compliance itself remains with the business.
As part of our day-to-day activities it is normal practice to use third-party providers to deliver some of the services we offer, such as anti-virus or email. It is therefore our responsibility to use providers that fully comply with the legislation and that work with us to protect any data we use in order to provide those services.
Below is a list of the service providers we use to deliver some of our services. Not every service listed applies to every customer; the list is provided as general information and to demonstrate our responsibility for GDPR compliance and our commitment to only use providers that have clear policies in place to protect IPSTech and our customers.
Microsoft Office365 – Email, OneDrive, Exchange, SharePoint, Skype for Business
All of this information is correct at the time of publishing. If and when new services are introduced, IPSTech will ensure that they also meet our GDPR obligations.
We are confident that we are fully compliant in readiness for the General Data Protection Regulation (GDPR) applying in the UK from 25th May 2018. If you require any further information or have any questions regarding data protection, please contact our data protection officer.