GDPR Statement

Compliance Overview

With GDPR and PECR coming into force as of 25th May, we have been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. Further to this, in the background, we have been working hard to bring ourselves into compliance well before the 25th May.

We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act) providing assurance to our clients that we take this responsibility very seriously.

 

Sub-Processors

In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. In our day-to-day operations, the vast majority of our information is stored on our internal systems here in our offices. We have sought and have recorded assurances from other processors, where they are used; and they are as follows:

• We use Google for some project-related information: Google Privacy Policy

For our hosted services we use the following processors:

• Amazon AWS (UK and Ireland Regions): Amazon AWS GDPR Policy
• Digital Ocean: Digital Ocean Privacy Policy
• OVH: OVH Privacy Policy

 

Hosted Services

Where we provide hosting services to our clients we act as data processors on behalf of our client who are data controllers under the terms of the regulation.

Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, please see below the following series of statements to satisfy this requirement.

 

Technical Measures

All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services are disabled and restricted as necessary.

Each server is further protected by an additional software firewall and physical DDOS appliance. The software firewall is configured to only allow relevant network services.

Further to this, each CMS website is protected by a software-based Web Application Firewall to provide protection against common vulnerabilities etc. We also employ intrusion detection systems on the servers that are monitored for unusual behaviour.

Website files, databases and other data relating to the website, underlying content management system files, version and so on are the sole responsibility of the customer.

Find Digital are responsible for the security of the Operating System and firewall configurations alongside updating software on the servers only.

 

Website Development and Design Services

Where you have contracted Find Digital to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site/application.

In these circumstances, the client is acting as a Data Controller and the company hosting the site is acting as a processor and the Controller should seek written assurances from the processor around the measures being taken to secure the data.

 

Technical IT Services

Where you have contracted Find Digital to consult upon, build, and deploy internal IT systems, Find Digital is not responsible for the way in which these systems are used and, as Data Controllers it is your responsibility to ensure that your IT systems and the organisational policies and procedures are compliant with the regulation. Find Digital is willing to assist with this in whatever way possible.

 

Third-Party Hosted Services

Where you have taken advice from Find Digital who have recommended and/or referred you to a third-party processing service, such as O365 or Jungledisk, Find Digital act as neither processors nor controllers with respect to these data processing systems. The Data Controller should seek written assurances from the processor about the measures being taken to secure the data.

 

Internal Systems

Technical Measures

We have multiple layers of physical and logical security in place on our premises. Our building is secured with multiple layers of key-based access with registered key holders and controlled access to keys. Our building entrance is secured with pin entry and door locks, and the building is alarmed and monitored 24x7x365 with on-site proactive security guards on-call.

Access to data on our internal systems is restricted according to business need and each user has a unique password and username and all systems are logged and monitored for unusual behaviour 24×7. We employ a full suite of anti-malware systems and all updates and patches are applied and checked regularly by our internal team. Our network is protected by a controlled and monitored hardware firewall. Each computer has software firewalling enabled and controlled.

We have multiple logging and monitoring systems internally that continually monitor and record successful and unsuccessful access to data stored on our systems.

 

Data Collection Policy Statement

Find Digital act, variously, as either / or data controller and data processor for our clients in line with the definitions in the regulation. Find Digital is located at U46D, New Forest Enterprise Centre, Toon, Southampton SO40 9LA with a phone number of 023 8098 0692 and a contact email address of [email protected]. Our website with privacy policy is located at https://finddigital.co.uk.

We do not have to appoint a DPO as stipulated under the terms of the regulation, but any enquiries on this matter should be addressed to the [email protected] email address.

We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.

This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers.

We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.

Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. We do not engage in profiling or automated decision making. To exercise these rights please contact us using the details provided above.

Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO) and their contact details can be found online.

 

Disclaimer

Nothing on this statement constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information in this statement is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.