Over the last year, like many of you, we have been assessing the impact of the General Data Protection Regulation, due to come into force on 25th May 2018.
This document outlines the initiatives we have progressed and put in place, or will have in place by that date.
Internal Project Team
We established a GDPR project team from staff across the company to provide a variety of experience and skills. This team have been involved in reviewing our internal processes and practices, identifying areas needing change or improvement to meet the project scope. To enhance our understanding and analyse those processes, we also brought in consultancy from an external provider.
The team have produced a number of blog articles, such as ‘What is the GDPR?’ and ‘How the GDPR affects you: Consent’, along with documents like our GDPR guide, to aid you in preparing for 25th May.
Our platforms and networks are securely designed. Security practices include perimeter firewalls, strong encryption, secure data centre premises, access control lists, network monitoring software and staff awareness training. Our latest penetration test by an external expert company was completed at the end of April 2018.
Procedures are governed by recognised standards such as ISO 27001:2013 registration and Cyber Security certification.
Our data centres, where client data is stored and processed, are in the UK. No data is transferred outside of the EU.
Data held for business processes, e.g. for servicing client contracts, personnel data or sales and marketing activities, has been reviewed and revised where necessary to meet GDPR specification for data held by way of permission or legitimate interest. Privacy notices and marketing subscription forms have also been reviewed and brought into line with GDPR specification.
To enable our clients to better adhere to tighter data control, we introduced a number of enhancements. These are designed to aid client data processes and, where optional, are strongly recommended:
- Completely Delete Recipient Record and all associated data
- Revised Data Handler Role – to better define who can view recipient data
- Separated and Removed Standard User Role – for greater granularity of role assignment
- Added Form Handler CAPTCHA Setup and process handling – for better web form security
- Added auto-deletion of inactive records – to remove recipient records you are no longer communicating with, reducing the amount of unnecessary data you hold in your account. This optional feature allows you to set a time frame after which recipient data is permanently deleted when it meets all of the following criteria:
  - Recipient has not been imported into Maxemail within the selected time period
  - Recipient has not been sent an email within the selected time period
  - Recipient has not opened an email within the selected time period
  - Recipient has not clicked an email within the selected time period
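As an added illustration of how the four inactivity criteria combine (this is example code written for this page, not Maxemail's own implementation; the record fields, the one-year window and the sample recipients are assumptions), the following selects the records that would qualify for deletion, treating a missing timestamp as "that event never happened":

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass
class Recipient:
    """Minimal recipient record (hypothetical shape, not Maxemail's schema)."""
    email: str
    last_imported: Optional[datetime]
    last_sent: Optional[datetime]
    last_opened: Optional[datetime]
    last_clicked: Optional[datetime]


def is_inactive(rec: Recipient, now: datetime, inactivity_days: int) -> bool:
    """True only when ALL four criteria hold: no import, send, open or click
    within the last `inactivity_days`. A None timestamp means the event never
    happened, so it cannot fall inside the window."""
    cutoff = now - timedelta(days=inactivity_days)
    events = (rec.last_imported, rec.last_sent, rec.last_opened, rec.last_clicked)
    return all(ts is None or ts < cutoff for ts in events)


def select_for_deletion(recipients: Iterable[Recipient], now: datetime,
                        inactivity_days: int) -> List[str]:
    """Dry run: return the addresses that would be permanently deleted.
    Review (and log) this list before running the irreversible deletion."""
    return sorted(r.email for r in recipients if is_inactive(r, now, inactivity_days))


# Constructed sample data: a one-year window ending on the GDPR start date.
NOW = datetime(2018, 5, 25)
SAMPLE_RECIPIENTS = [
    # No activity of any kind for over two years -> meets all four criteria
    Recipient("alice@example.com", datetime(2016, 1, 10), datetime(2016, 2, 1), None, None),
    # Emailed recently -> kept, even though never opened or clicked
    Recipient("bob@example.com", datetime(2016, 1, 10), datetime(2018, 3, 1), None, None),
    # Clicked inside the window -> kept
    Recipient("carol@example.com", None, datetime(2017, 1, 5), datetime(2017, 1, 6), datetime(2017, 6, 1)),
    # Imported exactly at the window boundary -> counts as within the window, kept
    Recipient("dave@example.com", datetime(2017, 5, 25), None, None, None),
]

if __name__ == "__main__":
    for email in select_for_deletion(SAMPLE_RECIPIENTS, NOW, 365):
        print("would delete:", email)
```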
Our staff are granted access to a client's data only by that client. Access is granted once permission is received via email and lasts only for the limited time specified in that permission.
Having attained ISO 27001:2013 registration in May 2017, we have a strong ISMS and procedures. From staff training and system access control to software development and system design, security is at the forefront of every decision.
A Data Processing Provision addendum has been added to our service contracts. This is circulated to, and is to be signed by, all current clients where a data processing agreement is not already in place. It includes the agreement that data will only be processed for the purposes stated by a client within the processing provision and service agreements, with the flexibility for changes to that purpose by authorised persons of that client.
Our Data Protection Policy has been revised to include GDPR references and specification.
Our Data Breach Procedure has been revised within our Business Continuity Plan to ensure it meets GDPR specification.
The details in this update should be sufficient to demonstrate and explain how we have responded to the changes brought in by the GDPR. If you have any questions about this document or require other information about our approach to the GDPR, please get in touch:
Tel: 01327 811884