The new EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will impact every organisation which processes personal data of EU citizens. It introduces new responsibilities, empowers businesses to be accountable for their processing of personal data as well as enabling EU citizens to protect their privacy and control the way their data is processed. Even though the UK will be leaving Europe, the GDPR still applies and will replace the UK's Data Protection Act 1998 when it comes into force.
Understanding the real, specific issues at stake in European regulations is not always an easy task, especially when the regulation in question contains 99 articles, 173 recitals and numerous lines of guidance on how it will apply. Understanding these issues is nonetheless essential in order to avoid any risks that may arise from an excessively broad or imprecise interpretation of your organisation’s regulatory obligations. A proper understanding of the terms defined below is therefore essential: Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified. Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
For detailed information about the GDPR and data protection, visit the Information Commissioner's Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Your GDPR responsibilities
When you use our services to store or process your personal data (including customer's or user's data), you are the Data Controller and we are a Data Processor. This will be true for any personal data you place on our servers either directly, via a hosted website or by use of any of our other services.
The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process your personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR statement is our way of helping you meet these GDPR regulatory requirements and to offer you assurance that we take GDPR and the security of your personal data as part of the everyday running of our services.
Our GDPR commitment
WebProject are committed to ensuring our business, services and internal processes are GDPR compliant. We use a consultant to advise us on elements of our services and how the GDPR changes impact our compliance. As such, this GDPR Statement provides our assurances to GDPR compliance.
By the GDPR implementation deadline, we will have put in place: Employee data protection training to ensure all staff understand their role in data protection compliance Updated internal policies relating to data protection and responsibilities within our businesses for ongoing GDPR compliance Check all our systems, processes and services to ensure they meet the requirements of GDPR, particularly around security of data and our use of any external third party services Processes to ensure ongoing compliance past the GDPR deadline Updated terms and conditions of services that meet the contractual requirements of GDPR in the Data Controller – Data Processor relationship
Our services are compliant because: We have fully assessed our own GDPR compliance both in terms of the services we offer to our customers and in terms of our own internal policies and procedures We have appropriate technical and personnel protocols in place to ensure the security of your data We carry out due diligence against any sub-processors or other third party processors we use to ensure their GDPR compliance (such as data centres) We only allow specific members of staff access to our servers and what access that is available, is limited to specific circumstances We do not transfer your data outside the EEA (all our services are hosted in the Europe) Our staff are trained in GDPR compliance and understand their responsibilities for managing the systems that process your personal data
Our role as a Data Processor
You are the owner of the data you submit to our services (whether they are hosted on your premises or on our servers).
When your data is placed on our servers, you are the Data Controller and WebProject, the Data Processor. We do not access the data you store on our services and any processing (as a Data Processor) is only in terms of the hosting services we provide to you. We do not use your data for any processing of our own.
We do not share or provide access to any of your data with third parties unless required to do so by law. Where law enforcement or other authorised parties request access to our servers, we follow strict internal policies for dealing with such requests in line with existing UK law. Furthermore, the third parties are required to demonstrate they have a lawful reason to access the data and under what authority.
Your data is stored on our own servers. This hardware is located, in the following Europeanian datacenters: OVH RBX1 - France, Roubaix OVH RBX2 - France, Roubaix OVH RBX3 - France, Roubaix OVH RBX4 - France, Roubaix OVH RBX5 - France, Roubaix OVH Erith - United Kingdom, London Security of infrastructures: OVH is committed to ensuring optimal security for its infrastructures. This includes implementing a security policy for information systems, and meeting the requirements for multiple standards and certifications (PCI-DSS certification, ISO/IEC 27001 certification, SOC 1 TYPE II and SOC 2 TYPE II certificates, etc.).
As for backups stored in the Microsoft data centres in Durham, London, and Cardiff;
None of your data is stored or transferred outside the Europe and therefore not transferred outside the EEA.
All our employees keep up to date with all technical aspects of security and ensure the ongoing security of our servers and systems. This means that any security patches are applied to our systems as a matter of priority and any changes or updates to our own systems are done so, always, with data protection and privacy in mind and where appropriate, in discussion with our customers. Where we have an agreement in place with our customers to do so, we also maintain the security of our customer's own servers or hosted applications.
Access to servers
Remote admin access to our servers is strictly restricted to key personnel within our Technical Support team. Our team will access a server only to resolve an issue reported by the client. Or to ensure that the Managed Hosting Service Level opted for by a client is met.
Data centre staff have physical access to the servers, but we have strict protocols in place to ensure they only do so, if requested by a member of our technical support team and such a request will only be in cases when they need to carry out a visual check of a server or carry out physical maintenance on the server itself.
All WebProject employees are trained and made aware of their responsibilities under GDPR. This includes their responsibilities with regards to access, security and processing of any personal data stored on our servers.
Third party processors
As your data processor we use a number sub-processors to provide our services. Details of the sub-processors we use with regards to your data are listed below. All sub-processors have been verified as either GDPR compliant or committed to being GDPR compliant by the 25th May 2018.
1) Amazon Sendgrid provide us with reliable email sending infrastructure. When emails are sent out from Secure Client Area (such as a support ticket emails, invoices emails, any account emails or a contact form messages), we use Amazon SES to send them.
2) Microsoft 365 Microsoft 365 provide us with business email accounts. We send copies of transactional emails to internal email accounts for logs and accountability.
3) Maxmind We may use basic information, such as your IP address to monitor activity on our ordering system, for example, we may check your IP address against worldwide spam databases to see if the IP address has been used for illegal activities. This involves our automated systems passing your IP address. Currently we use MaxMind for our online fraud checks. We do not pass your name, address, telephone number, or any other personal information to any third parties. We do not distribute your email address to any third parties.
Changes to our approach
Should our approach to any aspect covered by this statement change we will make sure, where your data is impacted, that we notify you within a reasonable timeframe and in line with any contractual terms in place between us.
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
We help you to comply with GDPR
Our approach to our own compliance also helps you comply with your own GDPR compliance requirements. This statement should go some way to explain our approach to GDPR compliance. By using our services, you can be assured that your use is GDPR compliant.
Furthermore, if required we will assist you or the Information Commissioner's Office with any query relating to the GDPR compliance of our services.
Data protection contact
Any questions, queries or requests for further information regarding our GDPR compliance should be sent to WebProject, 9 Orchard Road, Steveage, Hertfordshire SG1 3HD Email: [email protected] Tel: +44 (0) 2034 328891 Fax: +44 (0) 2036 032006