By now, most people will have already heard of General Data Protection Regulations (GDPR) and have a general understanding of what it means. At National Training Card, all of what we do involves handling data, a lot of which is personal to an individual. We therefore take data extremely seriously and it's important to us that you have complete confidence in us maintaining it's security.
Below is an overview of how we've approached the subject and what we will continue to do to ensure your data remains at all times secure and protected.
* Have an internal contact for everything GDPR. That person is Julia Mackenzie and she can be contacted at firstname.lastname@example.org.
* Have trained all staff in the group to ensure all were fully aware of what the regulations meant.
* Sought advice and guidance from a legal GDPR expert to ensure that all our policies, processes and communications are GDPR compliant.
* Reviewed all of our internal processes that involve collecting and processing personal data to ensure compliance with the GDPR.
* Put processes in place to ensure the data subject rights are easily met including having the right to object to or restrict processing, access, rectification and/or deleting data and ensuring that we can supply a full data audit report when or if required.
* Updated our website terms and privacy policies to make it very clear where consent is asked for and what it’s used for and how to withdraw it.
* Reviewed how long we retain data for and changed our processes for example, if you provide us data to print on a card then that data file is deleted the moment the information is transferred onto a device.
* Ensure data protection and records remain the sole primary consideration in all existing and new business processes..
2. Our Website – You are in full control of YOUR data
GDPR covers every element of your membership. All those to whom records we hold can instantly access, change, delete and restrict access to that data. All data we hold on you is available within your account. No-one asides you has access aside those you explicitly grant access to.
3. How do you protect the data accessible through your card scheme?
* Most of what we do involves the communication of personal data and training records. This can involve a lot of personal data, including names and photos.
* As the data processor and occasional controller we maintain our processes to ensure you remain compliant as the data controller.
* Members, corporate administrators and trainers all have access to an account where all data can be controlled
* All data provided to us is encrypted and stored on our secure server
* Your data can only be accessed by specific members of the team – all of whom have been fully trained on data protection and information security.
* Access to data is only given to those whom the data controller expressly authorises
* Web URL strings of 64Bit encryption is used to validate authorisation
* Access to data to those authorised is limited to 30 minutes
* All authorised persons given explicit authorisation are recorded and their device and IP address made available to the data controller
4. Staff Training
All our staff have mandatory training on data protection and information security which includes the changes in data protection law brought about by the GDPR. They are specifically trained in spotting data breaches and suspicious or fraudulent activity. We also have a number of automatic validation and security checks which are designed solely to protect and look after the integrity of both the data and of our system activity.
7. Information Security
In addtion to our Data Protection and GDPR processes we also have an IS policy which is typical for the type of work we undertake. That policy and process includes:
* A cybersecurity strategy headed by our inhouse development team. This is to protect the business, our customers and their personal data.
* Regular inspections from an independent cybersecurity consultant who as part of their undertaking carries out stress tests on our systems checking both internal and external vulnerabilities, including a penetration test. To date not a single breach or vulnerability has been discovered, and a mere 6 recommendations have been received from a results test of over 1,000 processes carried out. No serious security concerns were identified.
* Backing up data to an inaccessible external cloud server.
* Working towards obtaining Cyber Essentials certification.
* Commenced preparatory work towards ISO27001 certification.