The new EU General Data Protection Regulation (GDPR) came into force on 25th May 2018 and impacts every organisation which processes personal data of EU citizens. It introduces new responsibilities, empowers businesses to be accountable for their processing of personal data as well as enabling EU citizens to protect their privacy and control the way their data is processed. Even though the UK will be leaving Europe, the GDPR still applies and is the replacement for the UK's Data Protection Act 1998.
When you use our services to store or process your personal data (including users' data), you are the Data Controller and we are a Data Processor. This will be true for any personal data you place on our servers or any data on your own site that you grant us access to in order to provide you with support, installation or maintenance services. The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process your personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR statement is our way of helping you meet these GDPR regulatory requirements and to offer you assurance that we take seriously both GDPR compliance and the security of your personal data as part of the everyday running of our services.
Our GDPR commitment
For clarity, this can be reduced to:
- What data we hold or have access to
- How we use that data
- How we secure that data
- How long we retain that data
- How you can find out what data we hold about you
- What happens if there is a data breach
- (as a bonus) How we can help you be compliant
Precedence provides a number of services and the data implications of each differs. For this reason, our GDPR statement will address the services individually where appropriate.
Core customer data and general principles
Precedence is a supplier of IT services to education and business customers who are located predominantly in the UK. Core customer data is that required for our internal sales and financial operations. This is limited to:
- Customer name (i.e. business entity)
- Contact details (name, phone, email) for primary contact
- Contact details (name, phone, email) for financial contact
- Order history
- Expiry date of any services which are time-limited
We use this data for:
- Maintaining contact with customers actively using our services and products
- Financial and accounting operations
- Business intelligence (sales trends, lifecycle analysis, etc.)
- Out-of-warranty support
We do not:
- Ask for or store sensitive financial information (such as credit card numbers)
- Use this for marketing purposes except for information that is in the public domain or except with explicit approval
- Sell, trade, or otherwise transfer to outside parties your personally identifiable information. Exceptions to this include trusted third parties who assist us in conducting our business, or servicing you, so long as those parties agree to keep this information confidential. For example, delivery addresses will be provided to our supplier partners.
You can:
- Request copies of your order history and all data we hold on your account
- Request we remove all named contacts from your account
All our core customer data is stored on our premises on machines which are not accessible from the outside world. Paper records are kept in locked filing cabinets on our premises or in secure storage. All our servers are routinely subjected to security scanning and penetration testing. No business data is held on servers that also provide services for end-users, i.e. our business data and customers' data is segregated at all times. Backups of our data go to our UK-based data centre over an encrypted private link. The data is held separately from customer data.
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
Information specific to support, consulting and maintenance services
In order to provide the most efficient IT support, we need to hold specific information (such as usernames and passwords) and have remote access to your systems. If your security policies do not allow this, then we will provide all services on-site only (using your own hardware if required) and will require you to log on as needed.
We do not:
- Copy any data from your site to any of our systems (except for offsite backups which are covered below). Because our remote access systems allow us to access data and resources as though we were on-site, we do not need to copy any data from your site. This includes, but is not limited to, personal information about your users (e.g. names, email addresses) and their data (e.g. files). Occasionally, for some support tasks, we may need to upload things like log files or packet captures for analysis by tools that you do not have on-site. In these cases, we will ask your permission and delete all such files once analysis is complete
- Request you send personal data to us, except where required when describing a problem (e.g. user X cannot access their files). Specifically, we ask that you never send us lists of names or passwords when asking us to create users in bulk. If you send unrequested data like this, we will immediately delete it and ask that you place it securely on your internal systems instead
- Access any of your systems or data except for the purposes of providing the support and services we are contracted to provide
- Give access to any of your systems or data to any staff who are not DBS-checked and trained in their privacy obligations
Remote access to your systems is controlled using public/private key authentication with a minimum of 2048-bit keys. Each member of staff granted access has their own private key, which is not accessible by any other member of staff. Keys are never shared between users. The associated public keys for all approved staff are installed onto your network entry points (automated for all Precedence-managed products). When a member of our staff leaves, their private keys are destroyed and their public keys are removed from your network entry points, so even if they kept a copy of their private key they would not gain access. Using public/private keys to control our access also means that you can change administrative account passwords yourself and do not need to share that information with us. It also rules out successful brute-force password attacks from outside.
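The leaver step described above (removing a departed member's public key from the entry points) can be checked mechanically. The script below is an added illustration, not Precedence's own tooling; it assumes OpenSSH authorized_keys files and reconciles one against a list of currently approved staff keys, using constructed placeholder key data.

```shell
#!/bin/sh
# Added example, not Precedence's own tooling. Reconciles an OpenSSH
# authorized_keys file on a network entry point against the current list
# of approved staff public keys, so that a departed member's public key is
# removed (the step described above). Assumes OpenSSH key-line format:
# "[options] keytype base64blob [comment]".

# keep_approved_keys APPROVED AUTHORIZED OUT
#   APPROVED   one approved public key per line ("keytype blob [comment]")
#   AUTHORIZED the entry point's current authorized_keys file
#   OUT        where to write the pruned file (compare, then install it)
# A line is kept only if its "keytype blob" pair appears in APPROVED, so
# comments and per-key options (from=, command=, ...) do not affect the result.
keep_approved_keys() {
    approved=$1; authorized=$2; out=$3
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1, $2 }' "$approved" > "$out.tmp"
    awk -v keys="$out.tmp" '
        BEGIN { while ((getline line < keys) > 0) ok[line] = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        {
            # Skip any option prefix: the first field that looks like a key
            # type is the type, and the field after it is the base64 blob.
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+)$/) {
                    if (($i " " $(i+1)) in ok) print $0
                    break
                }
            }
        }' "$authorized" > "$out"
    rm -f "$out.tmp"
}

# Constructed demonstration data: the blobs are fake placeholders, not real
# keys. Carol has left, so her key is absent from the approved list.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3FAKEalice alice@example' \
                  'ssh-rsa AAAAB3FAKEbob bob@example' > "$d/approved"
    printf '%s\n' '# staff keys' \
        'ssh-ed25519 AAAAC3FAKEalice alice@example' \
        'from="10.0.0.0/8" ssh-rsa AAAAB3FAKEbob bob@example' \
        'ssh-rsa AAAAB3FAKEcarol carol@example' > "$d/authorized_keys"
    keep_approved_keys "$d/approved" "$d/authorized_keys" "$d/authorized_keys.new"
    cat "$d/authorized_keys.new"   # prints alice's and bob's lines only
    rm -rf "$d"
}

demo
```

Run it periodically against each entry point's authorized_keys and alert on any difference between the current file and the pruned output; that difference is exactly the set of keys that should no longer be there.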
Information specific to hosted services (email, webservers, Desktop-as-a-Service, virtual private servers)
Precedence provides a number of services from our datacentres in the UK. The hardware in these datacentres is owned and managed by Precedence. The datacentres themselves are either owned and run by Precedence or are managed by third-parties who we have rigorously vetted (with respect to their internal security and enforcement of security checks on visitors as well as environmental control and reliability). Only a small set of senior Precedence staff are on the access list for the datacentres and only those staff have access to the top level administrative accounts. The physical hardware is not accessible by any of the datacentres' other clients (it is held in dedicated racks). In the case of hardware failure of storage devices (e.g. hard discs), the failed devices are physically destroyed by Precedence.
Some services are provided from shared servers (e.g. email, shared webservers). In this case, data belonging to multiple customers is stored on a single system. Data is encrypted where appropriate and possible. All steps are taken to ensure that no customer can access another customer's data and that no user's data can be accessed by a malicious outsider. This is achieved by:
- Applying the most strict permissions possible to all data
- Restricting installed and running software to the bare minimum required
- Tracking security notices for operating systems and third-party software
- Configuring software to use pro-active mitigation techniques such as privilege separation or chroot where possible
For virtual private servers, we only require administrative access if you opt for a managed system (in which case, we update the operating system and software on your behalf). Otherwise, we do not need any administrative rights and encourage you to use full disc encryption (e.g. CGD for NetBSD).
Information specific to Remote Safeguard (offsite backups)
By necessity, the off-site backups provided by Remote Safeguard mean large amounts of personal data leaving your site and being stored on our systems.
The servers handling Remote Safeguard backups:
- Are not connected to any customer or internal networks
- Are specifically built to have the bare minimum operating system and software to be able to do their job
- Only allow logins using public/private keys (no passwords are allowed at all)
- Enforce fully-encrypted connections for all data transfer
- Run no network services except for the encrypted data transport layer
- Segregate all customers' data into separate containers. When you are connected to the Remote Safeguard servers, you are locked into your own personal container. The presence of other customers on the system is not detectable
If you notify us that you wish to discontinue using Remote Safeguard, your account will be locked allowing no further connections for data transfer in or out. The data will be kept on the servers for a period of 4 weeks after which it will be irrevocably deleted. During this 4-week period, you can apply to have your account unlocked. You will also receive the standard weekly data report emails to your designated email address to remind you that the data is still present, but they will be flagged as *** BACKUPS NOT RUN IN LAST WEEK ***. Once your account has been removed, you will receive no further emails related to your Remote Safeguard subscription.