General Data Protection Regulation (GDPR)
From 25 May 2018, the EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights of individuals regarding personal data relating to them and seeks to harmonise data protection laws across Europe, regardless of where that data is processed.
You can rest assured that Creative Networks is committed to GDPR compliance. We are committed to helping our customers comply with the GDPR by providing stringent privacy and security protections that are built into our service and contracts.
What are your responsibilities as a customer?
Creative Networks customers will typically act as the data controller for any personal data they provide to Creative Networks in connection with their use of our services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Creative Networks is a data processor and processes personal data on behalf of the data controller when they use the Creative Networks Managed Services.
Creative Networks provides access to third-party services, which in their own right act as data processors.
Creative Networks is a data controller in its own right when it holds specific data about its customers in order to provide its services.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers' obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation and accuracy, as well as fulfilling data subjects' rights with respect to their data.
If you are a data controller, you may find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data protection authority. In the UK this is the Information Commissioner's Office.
As a Data Controller, you should seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.
Where should you start?
As a current or future customer of Creative Networks, you need to be prepared and compliant with GDPR. Here are some considerations:
- Familiarise yourself with the provisions of the GDPR.
- Create an updated inventory of personal data that you handle. You can use Creative Networks to help identify and classify data.
- Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending.
- Consider how you can leverage the existing data protection features on Creative Networks as part of your own regulatory compliance framework.
- Regularly monitor updated regulatory guidance as it becomes available.
- Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
Creative Networks' commitments to the GDPR
Alongside other duties, data controllers are required to only use data processors that provide adequate guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Creative Networks:
Creative Networks employs and works with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure and implement Creative Networks' security policies.
Our terms have been updated to reflect the GDPR and are available on the terms page of this website.
We have verified that any managed services we provide have all of the necessary functionality for compliance with the GDPR. The method we use for deletion and retention of data is acceptable for use under the GDPR.
We promise to maintain a high level of security, and will ensure timely breach reporting to meet all GDPR expectations. It is incumbent upon data controllers to ensure that their data processors have the right infrastructure in place to process their data. By adopting security measures, systems and processes we can assure you that we have the technical infrastructure in place, which goes above and beyond regulatory requirements.
Any data that we hold on our customers and their users will only be processed in accordance with the customer's instructions, as described in our contract.
All Creative Networks employees and contractors are required to sign a confidentiality agreement, complete mandatory confidentiality and privacy training, and follow our Code of Conduct. Creative Networks' Code of Conduct outlines expected behaviour with respect to the protection of information.
Creative Networks directly conducts all data processing activities required to provide our direct services, such as Support.
Managed Services providers will conduct their own data processing activities.
Creative Networks can delete data on request, in line with the GDPR, subject to a 28-day notice period; deletion can be requested at any time during the term of the agreement. Where we need to retain specific data, this will be done in compliance with the GDPR.
Creative Networks stores data backups for 4 weeks before the backups are fully replaced and any old data is removed.
How Creative Networks assists data controllers
Data Subjects' Rights
Creative Networks can provide an export of customer data at any time during the term of the agreement.
Data Protection Officer
The Creative Networks Data Protection Officer is Azeem Javed; any questions regarding data protection concerns can be directed to him.
Creative Networks will provide contractual commitments around incident notification. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements.
Our customers and regulators expect independent verification of security, privacy and compliance controls. We are working towards industry standards such as ISO27001 and ISO9001.
The General Data Protection Regulation is new EU privacy legislation that will replace the 95/46/EC Directive on Data Protection of 24 October 1995.
The GDPR will be directly applicable in all European Union Member States starting from 25 May 2018.
Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. The updated data processing agreements we will offer from 25 May 2018, when the GDPR comes into force, therefore include audit rights for the benefit of our customers.
Third-party ISO certification and Cyber Security Essentials can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organisational measures are in place.
DUE DILIGENCE Q & A
Data Protection Officer
| Question | Answer |
|---|---|
| What's the name and contact details of your Data Protection Officer? | Azeem Javed – firstname.lastname@example.org |
| What security accreditations do you have? | Cyber Security Essentials |

Systems and applications

| Question | Answer |
|---|---|
| Where is your data centre located? | Rochdale & Manchester, UK |
| Will the space in your data centre be shared with any other clients? | No, we have a dedicated infrastructure. |
| What measures are in place to protect the physical security of data centres where our data will be stored? | Data centres are owned and managed by Iomart. Infrastructure at the head office and data centres is owned by Creative Networks. |
| Who has access to our data? | Our Customer Services team |
| Is our data on your servers encrypted at rest? | Yes |
| Do you have a business continuity plan that is reviewed, tested and updated at least annually? | Yes |
| When was the business continuity plan last tested? | January 2018 |
| Who within your organisation will have access to the personal data? | Our Customer Services team |
| What user authentication do you use on networks/systems that store/process our data? | Our Customer Services team can access your data via a secured database. This function can only be accessed from our offices. Access to data is restricted to internal access only and protected by 2FA. |
| How often are user accounts reviewed for suitability of access levels? | Proactively monitored |
| What are your password complexity policies? | We have a password policy and it is reviewed regularly. |

Penetration / security testing

| Question | Answer |
|---|---|
| Do you conduct penetration testing at least annually on all networks hosting our data? | Yes, annually. |
| Could you please describe the physical security that protects our data, including building access and physical server access? | Physical security for our servers is managed by Iomart at the data centre; physical security for our offices is managed by us. |
| Do all devices hosting or connecting to our data have AV which is updated at least daily, runs a scheduled scan at least daily, and runs on execution? | Yes; all our laptops use Eset Endpoint and our servers use Eset. |
| What procedures do you have in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to roll out? | We have a secure development policy. The development life cycle is the standard: Business Requirements → Functional Specification → Technical Specification → Development → Unit Tests → QA/UAT → Live. |
| Describe the segregation of duties, including the separation of development, test and operational facilities. | We have separate environments for Development, System Testing, UAT and Live. |
| Is production data used in test or development environments? | No |
| Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data? | Yes |
| Are all logs protected from deletion and/or amendment? | Yes |
| Is access to all logs recorded and monitored? | Yes |
| Do you have a formal breach notification process? | Yes |
| What are the timelines to notify us of any suspected breach? | We would notify you without delay. |
| Have you had a security breach within the last 12 months? If so, please describe the incident, effect and outcome. | No |

Data retention / deletion

| Question | Answer |
|---|---|
| For what period do you retain our data? | We never delete your data. |
| For what period is our data stored in back-ups? | We have a 30-day backup rotation period. |
| Where are our backups kept? | Slough, UK |
| Is personal data encrypted in transit? Explain how. | Yes, using the HTTPS protocol. |
| Is personal data encrypted at rest? Explain how. | Yes, using Eset Endpoint Encryption. |
| Is any of our data processed, stored or transferred outside of the EEA? | No |
| Is our data passed on to any third parties for processing? | No; however, we use Iomart for hosting some of our infrastructure. |

Email transmission is done via Office 365 and a mail security solution (everycloud).
Backups are encrypted on-site prior to being backed up to a data centre in the UK.