bksb Limited GDPR statement for bksbLIVE 2 – 04/02/20
bksb Limited is committed to ensuring the security of our customers' data and has taken great care to implement technical and organisational measures that protect data from unauthorised access. Following the GDPR coming into force in May 2018, this document outlines some of the actions and measures we have put in place to ensure compliance.
- Appointed a data protection officer. Our data protection officer is Ian Lilliman and can be contacted either by telephone (01623 413333) or by email at firstname.lastname@example.org.
- Carried out a DPIA and identified our lawful basis. As required of organisations that process large volumes of personal data, we have carried out a data protection impact assessment and documented the findings. Where we rely on legitimate interest as our lawful basis, we have carried out the three-part legitimate interest test to confirm that the processing is a) necessary for the purpose, b) reasonably expected by the data subject, and c) that the interests of bksb Limited do not override the interests of the data subjects.
- Breach reporting and data subject access requests. In line with GDPR Article 33(2) (a processor must notify the controller without undue delay after becoming aware of a personal data breach) and Article 15 (the data subject's right of access), we have implemented new breach reporting and data subject access request policies together with the relevant forms.
- ISO27001 (information security). Our information security management system is certified to ISO27001:2013.
- Information Commissioner's Office registration. bksb Limited is registered with the Information Commissioner's Office under the registration reference ZA042176.
The following information provides an insight into some of the measures we have implemented with regard to our compliance with Article 32 (Security of processing) of GDPR.
a) Compliance with Article 32 (Security of processing), para 1 of GDPR
i. Consideration of pseudonymisation and encryption. Passwords are stored in encrypted form and are not visible to the Processor nor to any of its sub-contractors (such as Amazon Web Services) engaged in the delivery, management or monitoring of the system. Connections between you and bksb Limited systems are encrypted using HTTPS.
ii. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and related services. Our systems, policies and procedures are regularly reviewed in accordance with the ISO27001 (information security) standard. We use an Amazon-approved third party to a) monitor our systems 24/7/365 for issues that may cause a disruption to service and b) manage the timely deployment of server patches and other related updates. We hold three months' worth of backups in encrypted form, in a separate UK-based location, in case an account needs to be restored.
iii. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. bksb Limited maintains a Business Continuity Plan to safeguard against events which may cause disruption to its business and the services it delivers. This is regularly reviewed in line with our ISO27001 information security management system.
iv. A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. bksb Limited carries out penetration tests every four months to determine the effectiveness of the security measures we have in place, and the findings feed back into our ISO27001 information security management processes. All other security policies and procedures are reviewed and audited every 12 months in accordance with our management system framework.
b) Compliance with Article 32 (Security of processing), para 2 of GDPR
i. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed. We have change management processes in place to control changes to the system; anti-virus and firewall protection to block malicious web requests and other unusual activity; multi-factor authentication to prevent unauthorised access; and encrypted backups. Access to key systems is also restricted by source IP address. The system is monitored 24/7/365 by an Amazon-approved third party for issues that may cause a disruption to service, and daily encrypted backups are taken to an alternate UK-based location.
c) Compliance with Article 32 (Security of processing), para 3 of GDPR
i. Adherence to an approved code of conduct as referred to in Article 40 (GDPR) or an approved certification mechanism as referred to in Article 42 (GDPR) may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of Article 32 (see above). Our information security management system is certified to ISO27001:2013.
d) Compliance with Article 32 (Security of processing), para 4 of GDPR
i. The Processor must ensure that anyone acting on its behalf does not process any of the Data except on instructions from the controller, unless required to do so under English law. Company data protection, IT and information security policies are in place. All staff are DBS checked and have confidentiality clauses in their employment contracts. System access is controlled through permissions and multi-factor authentication.