IT Centric Data Protection Policy – GDPR Compliance

Information for Customers 

IT Centric – Roles & Responsibilities

  • IT Centric’s role as a Managed IT Service & Support provider is to manage the network infrastructure, physical servers, workstations, laptops and other IT devices and the primary software and systems that operate on them.
  • The primary and important exception to this is where a software platform is managed and supported by a third party (e.g. Sage, Mailchimp, Xero). It is the responsibility of the customer to ensure any such software managed by the third party is GDPR compliant, and for those third parties to inform you (the customer) if their systems are breached.
  • IT Centric is responsible for the offsite backup and management of customer data for security purposes. IT Centric accepts its responsibility to report any breaches in the security of this backed-up data through its third-party providers to you, the customer, without undue delay. The management of the content of this backed-up data remains the responsibility of the customer.
  • All customer data backed up by IT Centric is encrypted on the customer site before being uploaded to an online cloud storage location. It can only be decrypted back at the original backup location, making this a highly secure method of protecting our customers’ data.
  • With regard to data management, the customer (and not IT Centric) is responsible for managing the personal data it holds and any access and retention policies and procedures relating to it. IT Centric does not access or alter customer data unless directly requested to do so through a support session to resolve a support request.


Customer Data Breach Procedure

The ICO defines a breach as:

          “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”

Personal data breaches include:

  • access by an unauthorised third party
  • deliberate or accidental action by a controller or processor
  • sending personal data to an incorrect recipient
  • hardware containing data being lost
  • alteration of data without permission
  • loss of availability of personal data

We have put a Data Breach Procedure in place to ensure that a data breach can be dealt with efficiently once it has been identified. Should we, IT Centric, become aware of a breach which could impact the data we manage and back up for you, we will contact you without undue delay. If a breach is identified by IT Centric, it is our responsibility to inform you, the customer, who in turn has responsibility to inform the ICO and the individuals affected by the breach. You must inform the ICO within 72 hours of becoming aware of any breach.

Example given by ICO:

“Your organisation (the controller) contracts an IT services firm (the processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its customers being unlawfully accessed. As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. You in turn notify the ICO.”

Source: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

Should a breach be identified by you or one of your third parties, please notify Gordon Sayers (gordon.sayers@itcentric.co.uk or 0131 477 2644) as soon as you are aware of the breach. This will enable us to help you limit the potential risk of the data breach.

IT Centric is not responsible for data breaches which result from:

  • deliberate or accidental action by a data controller (an IT Centric customer)
  • alteration of data by the controller
  • loss of availability of personal data caused by the controller
  • hardware containing data being lost or compromised by the controller

Third Party Compliance

IT Centric has contacted all of our third-party providers who provide backup and security for our customers’ network infrastructure and servers and requested evidence of their GDPR compliance.

Our data management and backup services are managed through the SolarWinds RMM platform. You can learn about SolarWinds and GDPR at www.solarwindsmsp.com/resources/gdpr

Hardware Disposal

When disposing of obsolete hardware (belonging to a customer), a third party is engaged to reuse or recycle the hardware and to ensure secure data destruction of hard drives. The current provider is ReusingIT – www.reusingit.org. Certification of secure data destruction will be provided.

GDPR Responsibilities & Points of Contact

Overall GDPR compliance – Managing Director – gordon.sayers@itcentric.co.uk

Customer Data Management – IT Manager – euan.stewart@itcentric.co.uk

HR, Finance & Payroll – Finance Manager – jackie.allan@itcentric.co.uk

Customer Communications – Marketing Manager – catriona.tanner@itcentric.co.uk

Privacy Notice

Read the IT Centric Privacy Notice.


Updated May 2018