S&S IT Consultants Ltd. Data Protection Policy - 1st Edition (May 2018)
Systems & Smiles aims to provide technology services to businesses. Although we don’t have a commercial relationship directly with individuals, we do hold what could be considered “personally identifiable information” about the employees of our clients, together with data that is or may be processed by us on your behalf as part of your business. Such data is within the scope of the GDPR. This Policy details the data we hold, who has access, the measures we take to protect it, and how we dispose of it when we no longer need any access to it.
Who do we keep data on?
For clients on our ongoing support plans we hold data about each named employee on the account, in addition to any other people involved in the provision of the service (for example, an account management contact who works in a remote office and is not covered under the support plan).
For all the other services we provide (including enterprise services, projects, event support) we only hold data for the people involved in the service provision.
We also hold data on people who’ve contacted our new business team with an interest in our services.
The people we hold data on are the “Data Subjects”, using the terminology of the GDPR. In our relationship with our clients we act as “Data Processors” and the client is the “Data Controller”.
We do not store data held by you in the course of your business; however, from time to time we may be required, as part of our services to you, to “process” some of the data held by you. Our access to such data is only for the purposes of technical support. We do not make copies of, or retain, any such data that we may have processed in the provision of our technical support.
What data we hold and why
At a minimum, we hold the following data about a person (we call this “Default Information”):
• Name
• Company email address
This data is necessary for effectively providing our service: we can’t provide support to a person if we don’t know their name, if we can’t get in touch with them, or if we don’t know which company they’re from.
In addition, we may store the following data, if a person or their company chooses to share it with us (we call this “Additional Information”):
• Job title and department: this helps us in providing our service effectively, for example, being able to find all the users in the design department and message them about an update to a particular piece of design software.
• Gender: this aids in addressing our messages accurately and respectfully when the person’s gender isn’t clear from their name.
• Photo: this helps us in picking out a particular person in an office when one of our team may not have visited before.
• Personal phone number: may be provided to us in cases where a person does not have a company-issued phone, or if they do not have access to it (for example, when travelling).
• Personal email address: may be provided in cases where a company email address is not working.
• Personal physical address: may be provided in the event a visit to their home is necessary (for example, in troubleshooting a home office setup).
At any time, a particular person can log on to our Dashboard and view all the data we hold about them, and permanently remove any Additional Information they don’t feel comfortable with us holding.
Lawful Basis For Processing
Using terminology from the GDPR, we use “Legitimate Interests” as our lawful basis for processing the information we store.
We group the people about whom we hold data by their company, and by their job function (specifically we categorise people as “Tech Contacts” and/or “Operational Contacts” and/or “Accounts Contacts” and/or “New Business Contacts”). As detailed above, for each person we mark data “Default” (name and email) and “Additional” and handle each differently.
Who Has Access
By default, our Operations, Infrastructure and Senior Management teams have access to the information about all people across clients.
Individual members of our support, enterprise and projects teams (which may include freelancers and contractors) have access granted to each client (and by extension all their employees) when they are onboarded on to that client’s support team, or when they start a project for them.
Our Accounts team has access to all people categorised as “Accounts Contacts”.
Our New Business and marketing teams only have access to “New Business” Contacts.
In the event a client cancels their service with us, we offer to provide them with a copy of the data we hold, in a format of their choice (typically as a PDF). This data is provided using a secure link, and upon confirmation that the data has been received by the client, it is deleted permanently from our systems. In doing so all centrally held personal data is removed.
In the event a person leaves a client of ours, any “Additional Information” we hold on that person is permanently deleted within 24 hours of their last day (this process happens automatically).
We retain the “Default Information” we hold on a previous employee for up to 7 years after their last day (this process happens automatically), since having records of previous employees can be necessary in continuing to provide our service effectively. Some examples include:
• A request by a current employee to “Forward Kevin’s emails to me”. To do this we must know Kevin’s email address (and confirm that Kevin was a previous employee). (Obviously whether or not we would fulfil this request would be down to the company’s IT policy, and outside the scope of this document.)
• Updating a company IT policy that references “Kevin Fortune” as a contact: it helps to know Kevin’s job title and department in order to find the person who has taken over Kevin’s role.
• When wiping an old computer for disposal, we may find a user profile for Kevin Fortune. Knowing he is a previous employee and what department he was in can help in determining what should be done with that data.
In both of these deletion cases (a client cancelling their service, or a person leaving a client), despite our best efforts to remove everything, the nature of certain systems makes it unfeasible or impossible to remove every trace of personal data. As such there may be personal data that remains on our systems, which may include:
• Email/support ticket correspondence between a person and our support team will show a person’s name and company email. We do not send personal data over email; however, people may include personal information when contacting us (for example, including their personal phone number in an email signature).
• Historic invoices and billing statements may display the name of the person they were sent to. These are immutable and must be retained for tax purposes.
• Internal chat logs may reference a person’s name. There is no way to redact names from these logs.
• Copies of deleted data may exist on backups. Backups are maintained of our entire system, encrypted and stored as single files. Removing one person’s data from a backup is not possible.
Right To Access
The data we hold as “Data Processors” is made available to each person via our Dashboard, so that a live copy of their data can be accessed (and revoked) at any time. This data is also made available to nominated people at our client, allowing them to fulfil data access requests for their current and past employees. We do not fulfil access requests from previous employees of clients (or previous clients) directly, since we have no means of verifying whether Kevin Fortune is indeed Kevin Fortune from Example Company. Regardless, we make the address firstname.lastname@example.org available for anyone to ask questions about their data, and have processes in place to handle each type of request.
Data Security
We take a number of steps to ensure personal data is kept secure.
• All systems we use employ data encryption at rest and in transit.
• All endpoints used by our team are encrypted, require complex passwords, auto-lock, and have a firewall and other malware protection enabled.
• All critical business systems are protected by a central single sign-on solution, with multi-factor authentication enabled.
• Our production database utilises strict access controls to ensure users (and Systems & Smiles staff) are only able to access the data they’re authorised to.
• Intrusion detection systems are active on all production servers.
• We maintain a permanent audit trail showing who has been granted access to each client, when the access was granted, and by whom. In addition, we keep logs of when “Additional Information” about people is accessed, and by whom.
• Our incident management procedure includes notifying the tech and operational contacts at our clients within 72 hours of a breach, including its potential impact.