Compliance Overview
With GDPR (management of user data) and PECR (communicating with users using their data) coming into force as of 25th May, we have been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. Further to this, in the background, we have been working hard to bring ourselves into compliance well before the 25th May.
We already had many of the foundations of compliance required under the regulation pre-built into our existing practices and systems to maintain an information security management system (ISMS). An ISMS is a set of interrelated elements that organisations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information.
We take the responsibility of our clients’ data very seriously.
Sub-processors
In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. In our day to day operations, the vast majority of our information is stored on our internal systems here in our offices. We have sought and have recorded assurances from other processors, where they are used; and they are as follows:
We store some sales and leads data, client contact information, server and database information and technical information required to work on client sites in a hosted CRM (HighRise) ( https://help.highrisehq.com/sales/gdpr/ ).
We record and track client tasks on an enotions’ hosted ticketed and Service Desk platform (JIRA). Information related to specific tasks and associated sites is stored alongside a ticket number and additional information to help complete the tasks. ( https://www.atlassian.com/blog/announcements/atlassian-and-gdpr-our-commitment-to-data-privacy )
We use GoogleDocs to share joint project documents. ( https://cloud.google.com/security/gdpr/ )
We use Dropbox to back up some project related information and files. ( https://www.dropbox.com/en_GB/security/GDPR )
We use CampaignMonitor to send newsletters and client-wide announcements to clients (for enotions) and on behalf of clients (for their business). Client names and emails are stored on their secure servers. If you use us and our system for your own email newsletters, we will have contacted you to make sure you have requested ‘opt-in’ from your subscribers to continue to contact them. This action is your responsibility. ( https://www.campaignmonitor.com/trust/gdpr-compliance/ )
For our hosted services we use the following processors:
1&1 internet (UK) ( https://www.1and1.com/digitalguide/websites/digital-law/general-data-protection-regulation-new-rules-for-businesses/ )
Amazon AWS (UK and Ireland Regions) ( https://aws.amazon.com/compliance/gdpr-center/ )
Vidahost (UK) ( https://www.vidahost.com/legal/privacy-policy#terms )
Fasthosts (UK) ( https://www.fasthosts.co.uk/terms/privacy-notice )
OVH (UK) ( https://www.ovh.co.uk/personal-data-protection/gdpr.xml )
Digital Ocean (UK) ( https://www.digitalocean.com/security/gdpr/ )
We automatically back up all client sites (although the frequency of backups does vary depending on client requirements). For this we use rsync.net (Switz) ( http://www.rsync.net/resources/regulatory/hipaa.html )
Hosted Services
Where we provide hosting services to our clients we act as data processors on the behalf of our client who are data controllers under the terms of the regulation.
Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, please see below the following series of statements to satisfy this requirement.
Organisational Measures
We already have the foundations of compliance pre-built as the technical and organisational measures required to meet the test of “reasonable technical and organisational measures” required under the regulation.
We are a small team. Access to the administrative portions of the hosting infrastructure are restricted solely to those within it requiring access.
Technical Measures
All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services are disabled and restricted as necessary.
Each server is further protected by an additional software firewall and physical DDOS appliance. The software firewall is configured to only allow relevant network services.
Website files, databases and other data relating to the website, underlying content management system files, version and so on are the sole responsibility of the customer.
We are responsible for the security of the Operating System and firewall configurations alongside updating the WHM/CPanel software on the servers only.
Website Development and Design services
Where you have contracted us to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site / application.
In these circumstances the client is acting as a Data Controller and the company hosting the site is acting as a processor and the Controller should seek written assurances from the processor around the measures being taken to secure the data.
Technical IT Services
Where you have contracted us to consult upon, build, and deploy internal IT systems, we are not responsible for the way in which these systems are used and, as Data Controllers it is your responsibility to ensure that your IT systems and the organisational policies and procedures are compliant with the regulation. We are willing to assist with this in whatever way possible.
3rd Party Hosted Services
Where you have taken advice from us or recommended and / or referred you to a 3rd party processing service, such as MailChimp or HighRise, we act as neither processors nor controllers with respect to these data processing systems. The Data Controller should seek written assurances from the processor around the measures being taken to secure the data.
eNotions Internal Systems
Organisational Measures
We already have the foundations of compliance pre-built as the technical and organisational measures required meet the test of “reasonable technical and organisational measures” required under the regulation.
We are a small team. Access to the administrative portions of the hosting infrastructure are restricted solely to those within it requiring access.
Technical Measures
Whilst digital content is held in different secure online locations (see sub-processors), physical copies of client details are stored in a single physical location, with physical and logical security in place. The location is secured with multiple layers of key-based access with one key holder. The building is secured and populated almost 24x7x365.
Access to data on our internal systems is restricted according to business need and each eNotions user has a unique password and username and all systems are logged and monitored for unusual behaviour 24×7. We employ a full suite of anti-malware systems and all updates and patches are applied and checked regularly by our internal team. Our network is protected by a controlled and monitored hardware firewall. Each computer has software firewalling enabled and controlled.
We have multiple logging and monitoring systems internally that continually monitor and record successful and unsuccessful access to data stored on our systems.
Data Collection Policy Statement
eNotions Ltd is registered at Crown Chambers, Bridge Street, Salisbury, SP1 2LZ with a phone number of 01722 712699 and a contact email address of info@enotions.co.uk. Our website with privacy policy is located at www.enotions.co.uk
We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.
This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers.
We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.
Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. We do not engage in profiling or automated decision making. To exercise these rights please contact us using the details provided above.
Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO) and their contact details can be found online.
Disclaimer
Nothing on this page constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.
The contents of this page are for general information purposes only. Whilst we endeavour to ensure that the information on this email is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.
We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.
If you have any further questions, please contact us at info@enotions.co.uk