This document outlines the GDPR principles we operate by, which are set out below.
Lawfulness, Fairness and Transparency: We process data with data subjects’ interests in mind and ensure that we approach processing activities with transparency to maintain fairness in what we do. This way we can be sure that we are processing data lawfully, fairly, and in a transparent manner. We have a robust process in place to allow us to deal efficiently with any access requests we may receive.
Purpose Limitation: Data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes.
Data Minimisation: Data will be kept adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Data Accuracy: Data accuracy is very important to us and we train our staff to ensure they are keeping everything up to date and maintaining data to a high standard. Every reasonable step will be taken to ensure that any inaccurate personal data is erased or rectified without delay, having regard to the purposes for which they are processed.
Storage limitation: We will not keep data for longer than is necessary and only keep data if there is a lawful basis that allows fair retention. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals. When we do need to remove data from our possession, we do so by using industry-approved standards so the disposal or anonymization is thoroughly compliant.
Integrity and Confidentiality: All data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. We hold data on secure systems. Information security and integrity are key to our smooth operation, and we have a dedicated cybersecurity team who protect our systems and support us in the event that data is compromised.
Accountability: We are committed to the principles of the GDPR by adopting the concept of ‘data privacy by design’ within our operational model. We remain accountable by having detailed policies and systems in place to oversee our overall compliance with data protection regulations, including the management of access rights requests. Our policies are regularly reviewed and updated, and our staff are periodically trained on data protection and security throughout the year.
- Software applications are managed through a standard Agile software development methodology. Once a change is completed, end-to-end testing is performed to ensure the accuracy of the change and the existing system functionality.
- Only approved software, which is managed and patched centrally, is permitted on user machines; these machines are managed through Software Centre.
- All operating systems in place are fully supported and patched.
- No sensitive information is stored on non-compliant systems.
- Internal systems can only be accessed within the secure Corporate network.
- All databases, software, and hardware/devices are protected with high levels of encryption. Encryption keys are managed under strict policies and procedures and are stored in a secure location that is accessible only to database administrators.
- On our equipment, all patches are governed by the change control process which includes evaluation, testing, and deployment.
- We update systems when appropriate to ensure we are always using the most advanced technical and organisational tools available.
- Data is backed up daily and a data restore process has been tested.
- Measures are in place to ensure that the business can continue to function should a compromise occur.
- Performance monitoring and file integrity monitoring are in place to ensure our business continuity plan can take full effect and complies with the GDPR rules.
- A standard build procedure ensures that all default admin and back door accounts are removed.
- Regular network monitoring identifies any non-compliance with data loss prevention controls.
- Penetration testing at the application and network level is carried out on a regular basis.
- We may use cloud storage facilities for processing and storing data; when we do, we ensure that security is maintained and tested regularly.
- All networks are protected by firewalls, and antivirus and malware protection is deployed on all endpoints to detect, alert on and neutralise any threats.
- Any applications accessible from the internet are constantly safeguarded to prevent the existence and exploitation of web application vulnerabilities such as cross-site scripting or SQL injection.
- All internet access is controlled by a dedicated web filtering appliance that restricts the types of traffic and URLs.
- Firewalls and monitoring tools control and monitor traffic entering and leaving the organisation.
- All contractual IT security requirements are in place with any third parties we use, which ensures the relationship remains subject to GDPR compliance.
- When sharing data with third parties for joint purposes, we will have a documented arrangement setting out respective roles and responsibilities with regard to data protection matters, including who individuals can contact if they want to complain or exercise any of their rights under the UK GDPR.
- Where necessary, our contract with them includes Data Processing Terms, or such terms are built into our products’ terms and conditions.
- We also use alternative data protection safeguard mechanisms where appropriate in the form of standard contractual clauses where required.
- When using a data processor to share personal data with a third party for it to store or use on behalf of the company, a binding contract will be made that commits the data processor to certain standards, including with regard to security and the engagement of further ‘sub-processors’, in order to meet the GDPR obligations regarding individual rights and accountability requirements.
- Christie Silvani’s data is segregated from other third-party customer data.
- All staff are screened prior to their engagement and interviews are face to face where possible.
- All staff receive an induction on the importance of confidentiality, followed by training on the practical aspects of data protection, i.e. using secure passwords, destroying documents, etc. Security training forms part of their induction and is reinforced periodically during training sessions and presentations.
- All our staff’s CV statements and qualifications are checked for validity before the offer of employment can commence.
- Each staff member is issued with a Guideline for the association which we regularly review and update where necessary.
- We update our staff when additions and updates are made.
- A restrictive covenant is signed by staff prior to employment and a confidentiality agreement is signed on the first day of employment.
- When an employee leaves the business, all accounts and access are suspended immediately, blocking all access to our systems and buildings.
- A clear desk policy is in place across the group and staff know to lock screens when they are away from their desks for any period.
- If physical documents need to be delivered, a trusted courier service will be used to ensure the secure delivery of confidential documents.
- For digital documents that need to be sent to a third party, either email or a file-sharing program will be used. When using a file-sharing program, the documents will be encrypted and we will ensure that a trusted service provider is used.
- We operate policies for data security for our remote and field workers so that integrity is always maintained.
- Staff are not permitted to store any data on removable media (USBs) or on device hardware.
- Confidential waste bins and shredders are placed across the facility to ensure the safe disposal of documents.
- We provide lockable document storage cabinets in a locked room so that access to confidential documents and files is restricted to authorised staff only.
Data Retention and Disposal
All data retention is handled in line with our retention policy. We are committed to taking a practical approach in line with legal, contractual and commercial requirements relating to the ownership, retention, and disposal of information relating to our business activities within the UK and Ireland. We tend to keep our client data for 6 years until the contract end date.
As a company, we have made a conscious effort to become more digitally focused and we steer away from paper records wherever possible.
If you have any further queries about any topics raised in our GDPR Compliance document, please contact us at 020 3286 5030 or send us an email at email@example.com.