What is GDPR?
The EU General Data Protection Regulation (GDPR) is designed to protect individual residents of the EU's identities and right to privacy. In essense this gives consumers the right to know, understand and more importantly consent to what personal data any companies collect about them.
These laws come into effect on Friday 25th May 2018.GDPR legislates that any entity based inside or outside the EU that offers any services to individuals living within the EU or monitors them by collecting personal data MUST comply or face harsh financial penalties.
This means every business must be totally transparent regarding the collection of data which can personally identify an individual (known as "data subjects"). They must also disclose why they are collecting this personal data, how and where it is stored, how it is secured and for how long it is kept. "Data Subjects" have the right request this information and to make decisions about how their information is used.
InTouch Systems have spent the last year investigating all aspects of our business to ensure that we comply with the GDPR. Data process maps have been produced showing what happens to customer data in all our activities, with a view to updating our policies where needed. We have appointed a "Data Protection Team" within the company and we are classed as a Data Controller, for general day to day processing relating to our customers’ personal data. We are also working towards ISO accreditation for information security management systems which covers many aspects of GDPR.
However we are also regarded as a "Data Processor" when we provide services to our customers and/or resellers which enable them to process personal data relating to their own customers, examples of this would be (but not limited to) providing website hosting or server services to our customers. This means that under these circumstances our customers and/or resellers would be classed as the “Data Controller” for which they must take full GDPR compliance responsibility for their own customers’ personal data.
GDPR has "Controllers" and "Processors"- A Controller determines the purposes and means of processing personal data
- A Processor is responsible for processing personal data on behalf of a controller
Source:
www.ico.org.ukback to top Customer Data Stored by InTouch Systems
In a nutshell:We process your contact data to provide your chosen services with us and may need to share it with our providers to fulfil this contract. We don't share your data with any third parties for purposes outside of your contract, although we are obliged to share any data we have with the authorities if the law forces us to.
Your responsibility:It is your responsibility as the customer to ensure that your data held with us is accurate and current with appropriate contact details. This is to enable us to provide you with the products and services you have from us.
The technicalities:Your personal data is stored at InTouch Systems registered company address only on devices in a secure server room with access controls and limitations in place. All personal data is secured by multiple methods and is encrypted at rest. Your contact details will be processed and will not be shared with any other third parties, unless the provision of the service under the contract you have agreed to necessitates it. We may also share your data with legal entities if the law dictates it.
Opt Out:We may contact you relating to the support, status and billing of any services you have with us, this makes up part of our contract with you. If you do not wish us to do so then please let us know and we will cancel the service.
back to top If you have WISP with us
In a nutshell:We process your contact data to provide your chosen Wisp service with us and do not share it with anyone else. We also are required by law to store very basic details of sites you have visited for a period of six months. We do not store any other data relating to your browsing history.
The technicalities:As we are the sole provider of this service, your contact details will be processed by us and will not be shared with any other third parties. Your data will be used to provide you with the Wisp service according to the contract in place. As an ISP we store IP addresses that you have visited with dates and times for a period of six months. We do not log any further information like keystrokes, searches, emails or any other data relating to your browsing history. We are forced to do so to comply with current legislation and may hand over this data to the authorities if legally required. The encrypted data stored on our servers is secured by multiple methods and is accessible only from within InTouch Systems registered office. The key to decryption is only available to InTouch Systems senior staff.
back to top Broadband, Domain Names and Phone Lines
Broadband supplied via ADSL, FTTC, Satellite or Mobile Data 3G/4G
In a nutshell:We process your data to provide your chosen services with us and may need to share it with our providers to fulfil this contract.
The technicalities:Your contact details will be processed by us as and we will share your contact details with our upstream supplier. This is to meet the terms of our contract with you and to enable us to provide your Internet Service. A data sharing agreement with the upstream supplier has been put in place.
back to top Email Accounts (Hosted by InTouch)
In a nutshell:We process your contact data to provide your Email Account with us and do not share it with anyone else. We also store basic details of when and from what IP address your email accounts were accessed from. This is for security purposes only so we can identify any illegal access attempts, this data is stored for 14 days then deleted and we do not store any other data relating to email access.
Your responsibility - the data you store:Any personal data you hold within your email account is your responsibility as it has been populated with your data. The security of the server is our responsibility and the steps we have taken to secure the email server is shown below. You need to ensure your email account is kept secure and you know exactly who has access to it, as you are the owner of the data.
The technicalities:Our email servers are based in a UK Datacentre in a secure server room with access controls and limitations in place. The data on our servers is secured by multiple methods and is accessible from the Internet only to provide you with our Email Service. This access is only available through security devices managed by InTouch Systems and our server Operating Systems are regularly security checked and patched to minimise the risk of being compromised. The Email Server software is provided by a third party supplier who doesn't have access to our system at any time. The email software has been confirmed as GDPR compliant, however as they do not have access to any of our data this is for information only. Backups of our servers are stored in an offsite secure location in the UK and are all fully encrypted using the latest methods. The key to decryption is only available to InTouch Systems senior staff.
We have put in the above security measures to protect your email accounts on our servers. We provide you with a storage location for your emails in an empty state with default strong passwords and any data is populated by you or on your authority. You are responsible for keeping any personal data in your email account safe, with strong passwords and limiting access to it in line with GDPR.
back to top Website Hosting (Shared Hosting)
In a nutshell:We process your contact data to provide your Website Hosting with us and do not share it with anyone else. We also store basic details of when and from what IP address your website has been accessed from. This is for security purposes only so we can identify any illegal access attempts, this data is stored for 14 days then deleted and we do not store any other data relating to website access.
Your responsibility - the data you store:Any personal data you hold within your website is your responsibility as it has been populated with your data. The security of the server is our responsibility and the steps we have taken to secure the server is shown below. You need to ensure your website coding is kept up to date with the latest security patches (e.g. Wordpress, Joomla, Magento plus all plugins must be regularly checked and updated). You also need to ensure any access to your website control panel or database where personal data is available is kept secure and you know exactly who has access to it
The technicalities:Our webservers are based in a UK Datacentre in a secure server room with access controls and limitations in place. The data on our servers is secured by multiple methods and is accessible from the Internet only to provide access to the relevant websites. This access is only available through security devices managed by InTouch Systems and our server Operating Systems are regularly security checked and patched to minimise the risk of being compromised. Backups of these servers are stored in an offsite secure location in the UK and are all fully encrypted using the latest methods. The key to decryption is only available to InTouch Systems senior staff.
We have put in these security measures to protect your websites on our servers. We provide you with a storage location for your website and database in an empty state with default strong passwords and any data is populated by you or on your authority. You are responsible for keeping any personal data in your website safe with strong passwords and limiting access to it in line with GDPR.
back to top Website Hosting (Dedicated Servers)
In a nutshell:We process your contact data to provide your Dedicated Server with us and do not share it with anyone else.
Your responsibility - the data you store:Any personal data you hold within your server is your responsibility as it has been populated with your data. The security of the server is our responsibility and the steps we have taken to secure the server is shown below. You need to ensure any public facing services like websites or email accounts are kept up to date with the latest security patches (e.g. Wordpress, Joomla, Magento plus all plugins must be regularly checked and updated). You also need to ensure any access to the services you provide where personal data is available is kept secure and you know exactly who has access to it.
The technicalities:Our dedicated servers are based in a UK Datacentre in a secure server room with access controls and limitations in place. The data on our servers is secured by multiple methods and is accessible from the Internet only to provide access to the relevant services you have specified. This access is only available through security devices managed by InTouch Systems and Operating Systems are regularly security checked and patched to minimise the risk of being compromised. Backups of these servers are stored in an offsite secure location in the UK and are all fully encrypted using the latest methods. The key to decryption is only available to InTouch Systems senior staff.
We have put in these security measures to protect your services on our servers. We provide you with a storage location and programs for your services in an empty state with default strong passwords and any data is populated by you or on your authority. You are responsible for keeping any personal data in your services or programs safe with strong passwords and limiting access to it in line with GDPR.
back to top Support Tickets
In a nutshell:We process your contact data to provide you with support and may need to share it with our providers to fulfil this contract.
The technicalities:If we are providing support on an InTouch Systems provided service, your contact details will be processed by us and will not be shared with any other third parties. If this service is provided by an upstream provider, your contact details will be processed by us and we will share your contact details with our upstream supplier. This is to meet the terms of our contract with you and to enable us to support your service. A data sharing agreement with any upstream supplier has been put in place.
back to top Customer Premises Backups to NAS or Portable Drive
In a nutshell:If you have a monthly paid for backup service with us then we are responsible for the encryption of the backup data to the NAS. We process your data to provide you with support and may need to share it with our providers to fulfil this contract.
Your responsibility - the data you store:You are responsible for the physical security of the hardware where the data and the backup data is stored.
The technicalities:All backup systems installed at the customer premises and maintained by InTouch Systems with a monthly maintenance fee using the BackupAssist or Altaro software will be setup to encrypt the backup data to the NAS at source. Backup files sent to a NAS drive on the customer premises will be encrypted, files send to portable drives setup by InTouch Systems on Altaro software with also be encrypted. In the case of BackupAssist we would suggest using self-encrypting portable drives to encrypt the data. In both instances the customer is responsible for the transport and security of any portable drives and the secure location of the server and NAS drive by means of limiting access to it in line with GDPR.
back to top Offsite Backups
In a nutshell:If you have a monthly paid for offsite backup service with us then we are responsible for the encryption, safe transport and storage of the backup data. We process your data to provide you with support and may need to share it with our providers to fulfil this contract.
The technicalities:All offsite backup systems installed and maintained by InTouch Systems with a monthly maintenance fee using the Altaro software will be setup to encrypt the backup data at source. Any data sent across the Internet will be encrypted and stored in the same encrypted format. Data will be transported solely for the purpose agreed with you as the customer, then immediately deleted at the agreed time. If the data is to be stored for a period of time agreed, it will be automatically deleted at the end of that period. The offsite data is stored on devices at InTouch Systems registered company address and is fully encrypted using the latest methods. The key to decryption is only available to InTouch Systems senior staff.
back to top Monitoring Service
In a nutshell:If you have a monthly paid for monitoring service with us, then we process your contact data to provide you with this service and do not share this data with anyone else. If we need to provide support as a result of our monitoring, then we may need to share your contact data with our providers to fulfil this contract.
The technicalities:As we are the sole provider of this service, your contact details will be processed by us and will not be shared with any other third parties. Your data will be used to provide you with the monitoring service according to the contract in place. If we need to provide support as a result of our monitoring, then we may need to share your contact data with our providers to fulfil this contract. The program we use for monitoring is GDPR compliant, however it doesn't store any personal information covered by GDPR so this is for your information only. The monitoring servers are situated at InTouch Systems registered office, secured by multiple methods and access is limited.
back to top Engineering Services
In a nutshell:If you have a paid for engineering service with us then we process your contact data to provide this service and may need to share it with our providers to fulfil this contract. Any data we are asked to transport for you will be encrypted.
Your responsibility - the data you store:Any personal data you hold on your server(s), workstations or other mediums is your responsibility as it has been populated with your data. You need to ensure your site security keeps that data safe in line with GDPR.
The technicalities:When visiting you, our engineers will only access your systems or transport customer data using devices approved by InTouch Systems as follows:
a) InTouch Systems provided engineer laptops have fully encrypted hard drives secured by multiple measures.
b) InTouch Systems provided secure portable hard drives are fully encrypted and further secured by a PIN code.
Data will be transported solely for the purpose agreed with you as the customer, then immediately deleted at the agreed time. If the data is to be stored for a period of time agreed, it may be transferred from the portable device to a storage devices at InTouch Systems registered company address. It will be secured by multiple methods and is accessible only from within InTouch Systems registered office.
back to top Hardware and Software Sales
In a nutshell:We will process your contact data and may pass your details onto manufacturers/software providers to provide you with a warranty on your purchase.
Your responsibility - the data you store:Any personal data you hold within hardware purchased from us is your responsibility as it has been populated with your data. You need to ensure that the device is kept secure and you know exactly who has access to it.
The technicalities:If we are providing a product with an InTouch Systems warranty, your contact details will be processed by us and will not be shared with any other third parties. If the product has a third party warranty by an upstream provider, your contact details will be processed by us and we will share your contact details with our upstream supplier. We will notify you at the time of purchase. This is to meet the terms of our contract with you and to enable us to provide you with the hardware you require. A data sharing agreement with any upstream supplier has been put in place.
We provide you with devices in an empty state, any data is populated by you or on your authority. You are responsible for keeping any personal data in your hardware safe with strong passwords and limiting access to it in line with GDPR.
back to top Customer Servers at Customer Premises (Non-Service Contract)
In a nutshell:We process your contact data to provide your chosen services with us and may need to share it with our providers to fulfil this contract. We will initially setup your server according to our security guidelines. You will need to ensure you keep your data on the server safe.
Your responsibility - the data you store:Any personal data you hold on your server(s), workstations or other mediums is your responsibility as it has been populated with your data. You need to ensure your site security keeps that data safe in line with GDPR.
The technicalities:If we have provided a server with an InTouch Systems hardware warranty, your contact details will be processed by us and will not be shared with any other third parties. If the product has a third party warranty by an upstream provider, your contact details will be processed by us and we will share your contact details with our upstream supplier to fulfil the warranty. We will notify you at the time of purchase. This is to meet the terms of our contract with you and to enable us to provide you with the hardware you require. A data sharing agreement with any upstream supplier has been put in place.
As part of our install process we would ensure the server has been setup securely with a random "Administrator" password and that the server Operating System automatically installs patches to minimise the risk of being compromised. We have put in these security measures to protect your services on your servers.
We provide you with a server to store your data in an empty state with default strong passwords and any data is populated by you or on your authority. You are responsible for keeping any personal data on your server safe with strong passwords and limiting access to it in line with GDPR. You are also responsible for the secure location of the server and any workstations that may have personal data stored on them.
back to top Customer Servers at Customer Premises (With a Service Contract)
In a nutshell:We process your contact data to provide your chosen services with us and may need to share it with our providers to fulfil this contract. If you have a Bronze/Silver/Gold/Platinum service contract then we will initially setup your server according to our security guidelines. You will need to ensure you keep your data on the server safe.
Your responsibility - the data you store:Any personal data you hold on your server(s), workstations or other mediums is your responsibility as it has been populated with your data. You need to ensure your site security keeps that data safe in line with GDPR.
The technicalities:If we have provided a server and service contract with an InTouch Systems hardware warranty, your contact details will be processed by us and will not be shared with any other third parties. If the product has a third party warranty by an upstream provider, your contact details will be processed by us and we will share your contact details with our upstream supplier to fulfil the warranty. We will notify you at the time of purchase. This is to meet the terms of our contract with you and to enable us to provide you with the hardware you require. A data sharing agreement with any upstream supplier has been put in place.
As part of our install process we would ensure the server has been setup securely with a random "Administrator" password and that the server Operating System automatically installs patches to minimise the risk of being compromised. As part of the service contract we periodically evaluate the server for security issues and ensure all Operating Systems are patched up to date. We have put in these security measures to protect your services on your servers.
We provide you with a server to store your data in an empty state with default strong passwords and any data is populated by you or on your authority. You are responsible for keeping any personal data on your server safe with strong passwords and limiting access to it in line with GDPR. You are also responsible for the secure location of the server and any workstations that may have personal data stored on them.
back to top Reseller Agreements
In a nutshell:We process your contact data to provide your chosen services with us and may need to share it with our providers to fulfil this contract. If you are a reseller then your responsibility to us is the same as any other customer, therefore any of the statements above will be relevant to you depending on which service you have purchased from us. In turn we would recommend that you should have reciprocal agreements with your customers to cover yourself for GDPR.
Your responsibility - the data you and your customers store:Any personal data you, or your customers have stored on our devices/services is your responsibility. Our contract is with you as a reseller and not directly with the end user. Any devices/services purchased from us will be provided initially in an empty state. Any data populated on our devices has been uploaded by you, your customers, or on your/your customers authority. For the purposes of the reseller agreement, this is
your (the Resellers) data. You need to ensure the hardware or services you have purchased from us have appropriate security as shown in the relevant sections above to keep that data safe in line with GDPR.
Find out more about your obligations under GDPR from
www.ico.org.ukback to top Customers of our Resellers:
In a nutshell:We process your contact data to provide your Reseller with your chosen services and may need to share it with our providers to fulfil this contract. Your Reseller has shared your data with us so it is their responsibility to provide you with the terms of their GDPR compliance. In short, we have an agreement direct with your Reseller, they should in turn have one with you.
Your responsibility - the data you store:Any personal data you have stored on our devices/services is your responsibility. Our contract is with your Reseller and not directly with any end user. Any devices/services purchased from us through your Reseller will be provided initially in an empty state. Any data populated on our devices has been uploaded by you or on your authority. For the purposes of this agreement, this is
your data. You need to ensure the hardware or services you have purchased through our Reseller has appropriate security as dictated in your contract with them. Your Reseller has agreed to our terms above which you can view by clicking
this link. Your Reseller should in turn have a similar agreement with you.
back to top