May 22, 2018

GDPR Frequently Asked Questions

General

Does the company have data protection guidelines / a data protection policy?

Yes, please see: https://www.easywebgroup.co.uk/privacypolicy/

We also have a GDPR General Statement which can be found here: https://www.easywebgroup.co.uk/gdpr/

Please describe what measures have been taken by the company to comply with the GDPR

We have reviewed all our business processes and procedures. Updating them to reflect the changes in legislation from DPA to GDPR.This includes the following:

  • Full risk assessment on all data collection and processing.
  • Our staff have been trained and we have also updated our induction process to train new staff.
  • Reviewed and created new processes in the business in line with data security protocols.
  • We have appointed a Data Protection Officer.
  • We have created a data breach log
  • We have updated our privacy policy
  • We have created a company deletion policy
  • We have reviewed all supplier relationships
  • New features have been developed in our Applicant Tracking System to ensure customers can be compliant
  • Contracts have been updated with employees and suppliers

Does the company have a formal data protection officer?

Yes. We have appointed a Data Protection Officer, Stephen Grainger. He is a company Director and a full-time employee based at our Head Office in Strixton, Northants.

You can contact him via stephen@verticality.co.uk

At what location is the company’s processing taking place?

Processing takes place at our Head office in Strixton, Northants and at Data centres across the EU.

In what form (e.g. computer programme, database, physical frame etc) and what location (both relating to your organisation as well as in a geographical sense) personal data stored?

All data is stored within the EU we utilise Amazon Web Services Data Centre in Dublin. All paper copies are kept to a minimum. We have a clear desk policy, all paperworkonly leaves site by our secure shredding partner.

Does the company transfer any personal data outside the EEA?

No personal data is transferred outside of the EEA, with the exception of one supplier who supports us with software development. This supplier is based in Pune, India.
We have reviewed our relationship with this key supplier, reduced their access to data and implemented a new contract with Standard Contractual Terms to ensure compliance with GDPR.
The following technical and security measures have been implemented by the single sub-processor we use:

  • Separation of Production / Development / Staging environments using different AWS (Amazon Web Services) accounts.
  • Use AWS CloudTrail service to audit and monitor AWS usage.
  • Data encryption when transmitting.
  • Directory / Auth service to validate a user’s access to backend servers.
  • Hardening of the Bastion / VPN servers to make sure they are never compromised.
  • Obfuscation of sensitive data while being written to logs.
  • Two-way encryption of all sensitive information at the point of contact.

What independent assurance have you had or do you have planned specific to GDPR compliance?

We have conducted a full analysis of our data management processes and policies by an external 3rd party consultant. This has provided us the reassurance that we have taken all the necessary steps to ensure we are compliant. However, we plan to closely monitor the implementation of this new legislation to ensure we have correctly interpreted how it will be exercised and we will adapt our processes and policies when we identify an issue.

Erasure of Data & Subject Access Requests

Does your organisation have documented data retention policies and procedures to ensure data is appropriately retained and deleted in a timely manner?

Yes. Where we are acting as the data controller we will follow the data retention policies listed in our privacy policy. Where we are acting as a data processor we configure our Applicant Tracking Software to automatically delete any data subject’s data once the customer’s retention period is about to be exceeded. This is all managed automatically and statistical reports are available to show the number of records that have been cleanse/deleted from the system.

How will erasure of data be carried out?

Erasure of personal data will be completed by us, when requested by either the customer or the data protection subject.

Specific individual requests will be completed manually. We will delete all personally identifiable information (PII) from all of our systems within 48 hours of the request.

However, our applicant tracking system will automatically erase all PII data once the permission to hold date has been exceeded. The date that this action is triggered on is aligned to the length of time the customer has informed the data subject they will hold their data for within their customer’s privacy policy.

What policies or procedures does your organisation have to deal with data subject access requests, upon receiving instruction from the controller?

All subject access requests where we are acting as the data controller should be sent to our data protection officer (Stephen Grainger). He will conduct a review to see if the data subject’s data is held outside of the client’s applicant tracking system. Our data management processes are such that it would be highly unlikely that any of the data subject’s data would be held outside of the client’s applicant tracking system. The client (Data Controller) has access to all of the data subject’s data on the applicant tracking system and our technical team can show the client how to download/extract this data to respond to a SAR.

Data Security

If the company provides IT infrastructure (hardware/software) as part of its delivery, please summarize to what extent the requirements of Art. 25 GDPR are fulfilled (e.g. support of data minimization and privacy by design/default).

We have reviewed our processes to ensure we are only collecting the minimum amount of data that is necessary. Furthermore, this data will only be held for the minimum amount of time. Enhancements have been made to systems to ensure maximum security from a data perspective.

We also plan to regularly review these processes to continually improve them.

Customers using our Applicant Tracking System have access to a set of GDPR specific features that we have made available to help customers to secure their data in a manner.

Are the employees that have access to personal data subject to written confidentiality undertakings?

Yes, all employees have a set of commitments that are detailed in a signed agreement that is separate to their employment contract and these are also covered in our employee training.

Please describe any GDPR training that the company’s employees have received.

All staff have undergone GDPR training that was delivered by an external consultant. All staff are trained on induction and every two years (or sooner if there is a major change in legislation).

Please describe how you protect and encrypt data whilst in transit and whilst being stored.

Physical data does not leave our Head Office building in Strixton, Northants. With the exception of the collection of data that is to be shredded by our secure 3rd party provider. Digital data is protected by two factor authentication and the disabling of flash drives on all pcs/laptops. All laptops/pcs are subject to comprehensive password management policies and state of the art firewall technology.

What policies, procedures and tooling are in place to ensure only the appropriate users have access to relevant categories of data required for their use?

All laptops are secure by two factor authentication. We use Active Directory to ensure users only have access to data that they are authorised to see.

Do you have any material outsource providers or subcontractors (sub-processors) that handle personal data on your behalf? If so, what are the activities you undertake to ensure they are GDPR compliant e.g. transfer mechanisms, contracts, safeguards etc.

The following technical and security measures have been implemented by the single sub-processor we use:

  • Separation of Production / Development / Staging environments using different AWS (Amazon Web Services) accounts.
  • Use AWS CloudTrail service to audit and monitor AWS usage.
  • Data encryption when transmitting.
  • Directory / Auth service to validate a user’s access to backend servers.
  • Hardening of the Bastion / VPN servers to make sure they are never compromised.
  • Obfuscation of sensitive data while being written to logs.
  • Two-way encryption of all sensitive information at the point of contact.

Are all individuals with access to business applications, systems, networks and computing devices authorised before they are granted access privileges?

Yes. This is managed by our network manager. Access to internal systems is only available to employees. Access to each client’s applicant tracking system is controlled by our technical team where there is a formal process for each customer to provide written authorisation for each user they which to provide or remove access to the system.

Is wireless access subject to authorisation, users and computing devices authenticated, and wireless traffic encrypted?

We operate two WiFi solutions, A Guest Network and an Internal Network

The Guest Network Operates with a WPA/WPA2 (PSK) on a TKIP or AES Encryption, This wireless network is completely segregated from our core infrastructure network via the use of VLAN traffic isolation.
The Internal Corporate WiFi Network also operates with a WPA/WPA2 (PSK) on a TKIP or AES Encryption, The network credentials are not publicly available and are only issued to staff that have a legitimate need for corporate WiFi access.

Are email systems protected by a combination of policy, awareness, procedural and technical security controls?

Our email is hosted by Microsoft via its Office365 Platform. The platform/the solution provider confirms to many government and regulatory requirements on security and data protection including and conforms to ISO27001 standard.

In addition to the built in Microsoft security standards we have also implemented Multi-factor Authentication controls to secure access to any of these hosted products.

Our Office365 platform has undergone a hardening process to ensure audit controls and security standards are in place to meet our business requirements.

In addition to external security our internal security on Password policies & procedures also outlines current government best practice standard on password controls (complexity, password lengths, change standards etc).

All policies and procedures not just exclusive to IT matters are made available to all staff and appropriate training is conducted to ensure they are maintained and relevant.

What procedures are in place to identify, assess and mitigate any risks relating to your cloud based platforms

General threats
We hide our servers from the general public using load balancers which makes us almost immune from snooping. The load balancers will only expose two separate ports which will mean an attacker would need in depth knowledge of the application to craft an attack. Also as we check the company ID in the payload and match this to the domain name, if one company does fall victim to an attack then they will not be able to access data belonging to another ATS.

Backups
All of our databases are periodically backed up by cron or AWS RDS to AWS S3 buckets. We do not host any systems onsite. All backups are stored offsite at AWS’s data centres in London and Ireland.

Pen Testing
We conduct an extensive one-week full system pen testing once a year using a professional penetration testing company. Our developers also are very security minded and will patch fixes for any of the latest threats which will affect us. Due to the nature of our architecture our threat vector is very low and does not change much from release to release.

Please describe how your organisation segregates its own data from third party data (i.e. through logical (e.g. access controls, virtualisation, cabinet, room) or physical means (e.g. dedicated infrastructure)).

We use a “multi tenant database” design pattern on our databases. This means the data for multiple Applicant Tracking Systems is stored in the same Database(s). We use the ATS id field to segregate the data and every request is validated. Any request for data not belonging to the ATS is actively denied and logged.

Data Breaches

Please describe the company’s preparations to detect and report personal data breaches.

All employees have been trained to understand what constitutes a breach and how to report a breach.

Regular audits will take place to ensure data is being handled in a compliant manner.

Is a Data Incident Management plan available to ensure all incidents which can lead to disruption or loss of IT services are recorded properly and can be traced to a resolution? Is it kept up to date and ensures timely and effective response to incidents and can be traced to a resolution?
Explain procedures in place to notify the controller in question if a breach occurs.

We maintain an incident log which records all incidents which could affect the delivery of our software service to our customers. All incidents are fully investigated with resolutions communicated to customers. If a data breach occurs our policy is that we ensure our data points are secure, report the breech internally as process to the Data Protection Officer and data subject(s) without undue delay. We will then notify the ICO within 72 hours.

Once we have established the parties involved, through thorough investigation of the data breach, we will seek statements of truths and signed affidavits that the information/data has been deleted irretrievably and will not be accessed or utilized. Closing the breach.

We will review our internal processes and policies regularly and if there is any level of breach we will make the necessary changes to the associated technology & processes. We will then communicate with all relevant parties our new operating practice and the measures taken to secure the data and how this will protect it from any subsequent risks of breach.

Have you had any data breaches or large scale data losses in the last 12/24/36 months?

No

Data Management

Please describe the governance structure for Data Management that is in place to assess and manage data risks (incl. monitoring and reporting undertaken).

Our Data Protection Officer conducts regular reviews of Data Protection processes. Quarterly assessments of all data assets are scheduled and carried out by our DPO.

If you have a question that isn’t answered here we’d be happy to hear from you. Get in touch here.