Kontrolit GDPR Data Compliance Statement
The new EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will impact every organisation that processes personal data of EU citizens. It introduces new responsibilities, requires businesses to be accountable for their processing of personal data and enables EU citizens to protect their privacy and control the way their data is processed.
Even though the UK will be leaving Europe, the GDPR still applies and will replace the UK’s Data Protection Act 1998 when it comes into force.
Data protection definitions
Personal data is defined as any information that relates to an identifiable living individual. It also includes data that can identify an individual when used collectively with other sets of data. Typical examples of personal data are: name, telephone numbers, home address, online identifier, IP address, email address, etc.
“Processing data” can be defined by any action relating to an individual’s personal data, including collection, recording, organising, structuring, storing, using, etc. Processing methods can be paper-based, non-digital systems as well as automated, digital methods.
- A Data Subject is the individual whose personal data is being processed
- A Data Controller is the organisation which determines how personal data is processed
- A Data Processor is typically a third party organisation which processes data on behalf of a Controller (e.g. a marketing company used by an organisation to send out marketing materials)
The Information Commissioner’s Office website provides a detailed guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
Your GDPR responsibilities
You are a Data Controller and Kontrolit is a Data Processor when you use our services to store or process your personal data (including customers’ or users’ data). This will be true for any personal data you place on our servers either directly, via a hosted website or by use of any of our other services.
As a Data Controller you are required by the GDPR to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means you must carry out due diligence when you use any of our services to process your personal data.
We want to assure you that the security of your personal data and GDPR compliance is an important part of Kontrolit’s services. This GDPR statement can help you comply with your own GDPR regulatory requirements.
Our GDPR commitment
As a UK company, Kontrolit is committed to ensuring our business, services and internal processes are GDPR compliant.
By the GDPR implementation deadline, we will have put in place:
- Employee data protection training to ensure all staff understand their role in data protection compliance
- Updated internal policies relating to data protection and responsibilities within our businesses for ongoing GDPR compliance
- Checks of all our systems, processes and services to ensure they meet the requirements of GDPR, particularly around security of data and our use of any external third-party services
- Processes to ensure ongoing compliance past the GDPR deadline
- Updated terms and conditions of services that meet the contractual requirements of GDPR in the Data Controller – Data Processor relationship
Our services are compliant because:
- We have fully assessed our own GDPR compliance both in terms of the services we offer to our customers and in terms of our own internal policies and procedures
- We have appropriate technical and personnel protocols in place to ensure the security of your data
- We carry out due diligence against any sub-processors or other third-party processors we use to ensure their GDPR compliance (such as data centres)
- We only allow specific members of staff access to our servers, and that access is limited to specific circumstances
- We do not transfer your data outside the EEA (all our services are hosted in the UK)
- Our staff are trained in GDPR compliance and understand their responsibilities for managing the systems that process your personal data
Our role as a Data Processor
You are the owner of the data you submit to our services.
When your data is placed on our servers, you are the Data Controller and Kontrolit is the Data Processor. We do not access the data you store on our services, and any processing we carry out (as a Data Processor) is only in terms of the hosting and software services we provide to you. We do not use your data for any processing of our own.
We do not share or provide access to any of your data with third parties, unless required to do so by law. Where law enforcement or other authorised parties request access to our servers, we follow strict internal policies for dealing with such requests in line with existing UK law. Furthermore, the third parties are required to demonstrate they have a lawful reason to access the data and under what authority.
We take care of our servers, with corporate-standard reliability assured through regular maintenance, software upgrades, bug fixes, virus protection, patches and backups carried out on your behalf.
Our role as a provider of software
A new module to assist with data compliance was made available in April 2018 for our KIT4 platform. More information about this can be found on our Blog and Help sites.
Please note that updating your website alone to use the new module does not make you GDPR compliant. We urge you to consider how you manage data in your business and update your documented processes and policies accordingly.
Where your data is stored on our own servers, it is stored on our own server hardware. This hardware is located in the UK, at Braham Street London, with backups stored with Microsoft Azure located in Western Europe. None of your data is stored or transferred outside of the EEA.
Our employees keep up to date with all technical aspects of security and ensure the ongoing security of our servers and systems. Security patches are applied to our systems as a matter of priority and changes or updates to our systems are done with data protection and privacy in mind.
We also maintain the security of our customers’ own servers or hosted applications where we have an agreement in place with them to do so.
Access to servers
Remote admin access to our servers to carry out work is strictly restricted to key personnel within our Technical Support team.
We have strict protocols in place to ensure that data centre staff only have physical access to the servers if requested by a member of our Technical Support team. Such a request will only be made when a visual check of a server is required or to carry out physical maintenance on the server itself.
Kontrolit employees are trained and aware of their responsibilities under GDPR, including access, security and processing of any personal data stored on our servers. Security and data governance are covered on our company Intranet and actively discussed as part of regular meetings to ensure all staff are up-to-date.
Other than the data centres who host our servers, Kontrolit does not use any third-party suppliers or services that would have access to, or process, any data you process on our servers.
Strict protocols (as set out above) are in place regarding data centre staff access to our servers.
Changes to our approach
We will make sure that we notify you within a reasonable timeframe and in line with any contractual terms in place between us, should our approach to any aspect covered by this statement change, where your data is impacted.
If a breach occurs (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will allow you time to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
We help you to comply with GDPR
Our approach to our own compliance also helps you meet your own GDPR requirements. This statement should go some way to explaining our approach to GDPR compliance.
Furthermore, if required we will assist you or the Information Commissioner’s Office with any query relating to the GDPR compliance of our services.
Data protection contact
Any questions, queries or requests for further information regarding our GDPR compliance should be sent to Data Protection Officer, Kontrolit, Unit 2, 32 Goldcroft, Yeovil, Somerset, BA21 4DH.