Privacy Policy
Information Security, Personal Data, GDPR
With the new GDPR regulations coming into effect on 25th May 2018 our customers, resellers and potential customers will be interested to know how we look after data and in particular personal data and how we keep things secure generally.
In some cases, customers may have a legal obligation to provide details of data protection policies.
This article sets out in high level terms how we deal with data protection and information security as well as providing what we hope will be useful details to help customers answer compliance questions. However, more detail can be found in our privacy policy here. Our Information Security Policy and other related documents can be made available upon request.
Our Approach to Information Security
It’s very easy for a company to make claims about how safe your data is with them, but with so many household name companies having data breaches how can you be certain this is really the case?
For obvious reasons we do not want to disclose on a public website the technical details of all our security measures beyond stating that all data and systems are protected behind industry standard firewalls. Data is encrypted as it passes through the Internet, and all data is backed up to a second secure data centre.
Common questions in relation to GDPR
GDPR replaces the Data Protection Act and will apply from 25th May 2018. As all current EU legislation is being brought into UK law it will continue after Brexit.
GDPR applies to Data Controllers and Processors and for the most part we at Southern Electronic Services Ltd (T/A SES Computers) are the data processors and our customers who use applications and storage on our platform are the data controllers.
While we have dozens of set procedures as part of our Information Security processes, too numerous to detail here, we have noted some procedures that may be particularly relevant in relation to GDPR.
Data security and audit trail
Outside of specific applications we will set file and folder security on your behalf. There are two key points to how this is managed.
- All permissions change requests have to be sent via an email to our helpdesk. Here they are logged and a permanent audit trail is recorded for the request and when it was actioned. This information can be provided to the customer on request.
- All permissions changes have to be requested by an authorised company contact; by default this will be the primary or technical contact.
Deletion of data
Under GDPR individuals have a right to request that personal data about them is deleted. Live customers, as the data controllers, are usually responsible for managing their own data and documents. In the situation where a customer wishes to cancel their service with us the following actions are taken.
- Cancellations have to come from the authorised contact and via an email to our helpdesk, again to capture the audit trail.
- Data is deleted from the server or attached storage at a date agreed with the customer contact. This is again recorded in the helpdesk system for audit purposes.
- Data on our backup systems will age out after 20 days.
Data Protection Guidance from the ICO
The Information Commissioner's Office has produced useful guidance for companies who are impacted by GDPR. This guide is available here.
Within this guidance the ICO sets out 12 steps to help businesses prepare for GDPR. To help our customers we’ve provided some information below in line with these 12 steps.
1 – Awareness
All Directors, Managers and key decision makers at Southern Electronics Services Ltd are aware of GDPR and appreciate the impact on our customers and our own business.
2 – Information We Hold
As data processors we are required to “process” our customers’ data, which will likely include personal data. We are already required to audit the information we hold and have policies in place to ensure we comply with data protection principles.
For our core services we don’t use any other third parties to process data, all data is held on our own hardware in UK data centres. We will also hold personal information relating to our customers, for example email addresses and phone numbers. Details of any information we hold will be provided following an email request to our helpdesk from the authorised customer contact.
3 – Communicating Privacy Information
Our privacy policy is available here.
4 – Individuals’ rights
Most of the rights of individuals in relation to personal data such as the right to rectification or the right to erasure fall within the responsibility of the data controller i.e. our customers.
Where we hold information about customer contacts we will process any requests for rectification, erasure etc. following email to our helpdesk. We can also provide copies of any data we hold in csv format free of charge.
5 – Subject Access Requests
For the most part, requests about personal data will go to the data controller, i.e. our customers.
As above any requests for information about personal data we hold about our customers can be emailed to our helpdesk.
Further information on this is available in our privacy policy.
6 – Lawful basis for processing personal data
Our privacy policy sets out our basis for processing personal data about our customers. The basis upon which our customers hold data about other individuals will be their responsibility to justify as data controllers.
As above any requests for information about personal data we hold about our customers can be emailed to our helpdesk.
7 – Consent
Consent to use personal data will in general be the responsibility of our customers as data controllers.
Where we hold personal data about our customers, such as email addresses and phone numbers, this is used for one of three purposes:
- Commercial – the usual requirement to email things like invoices and reminders.
- Support – we occasionally need to email or call customers in the event of planned maintenance or incidents that may affect their systems. We also email automated alerts to customers, for example where disk space is running low.
- Marketing – Customers in the past have been given the option not to receive marketing communication or newsletters during the initial sign-up process. Following the introduction of GDPR this will change to a double opt-in process to ensure customers have given consent to receive this type of communication.
8 – Children
As a Business to Business company we do not hold customer information where the customers are children.
Our customers may hold that information, and as data controllers will be responsible for compliance with that area of the legislation.
9 – Data Breaches
We have systems in place which will detect and block hacking attempts via attacks on our firewalls. If a data breach occurred this would be reported to affected customers and the Information Commissioner's Office. However, many data breaches are the result of individuals at an organisation (or who have recently left) obtaining access using social engineering techniques. For this reason, requests for password changes, security changes or for accounts to be enabled/disabled have to be made by the authorised customer contacts.
10 – Data Protection Officer
We have a named Data Protection Officer who is responsible for the administration of the above, and for auditing our processes.
11 – International
We operate solely within the UK and all data is held in data centres in the UK. While we own and operate all the hardware in the data centres.