In the past year we, like many of you, have been assessing the impact of the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018.
The purpose of this document is to give you an overview of the initiatives we have implemented, or that will be in place by that date.
Internal Project Team
We have set up a GDPR project team drawn from across the company's staff to bring together a variety of experience and skills. This team reviewed our internal processes and practices, identifying the areas within the scope of the project that required changes or improvements. To improve our understanding and analysis of these processes, we have also taken advice from an external vendor.
The team produced a number of blog posts, such as 'What is GDPR?' and 'How the GDPR affects you: Consent', as well as documents like our GDPR guide to help you prepare for May 25th.
Our platforms and networks are designed with security in mind. Security practices include perimeter firewalls, strong encryption, secure data centre premises, access checklists, network monitoring software, and staff awareness training. Our latest penetration test, performed by an external specialist company, was completed in late April 2018.
Our procedures are governed by recognised standards, including our ISO 27001:2013 registration and Cyber Security certification.
Our data centres, where customer and processed data are stored, are in the United Kingdom. No data is transferred outside the EU.
Data held for business processes, e.g. for the management of customer contracts, personal data, or sales and marketing activities, has been reviewed and revised where necessary to meet the GDPR requirements for data held on the basis of consent or legitimate interest. Privacy notices and marketing subscription forms have also been reviewed and brought into line with the GDPR requirements.
To enable our customers to meet stricter data control requirements, we have introduced a number of improvements. They are designed to support customer data processes and, where optional, are strongly recommended:
Complete deletion of a recipient record and all associated data (read more …)
Revised data manager role – to better define who can view recipient data
Standard user role separated and deleted – for greater granularity of role assignment
CAPTCHA added to the Form Manager configuration and management process – for better web form security
Automatic deletion of inactive records – to delete recipient records that you no longer communicate with, reducing the amount of unnecessary data you hold in your account. This optional feature allows you to define a period after which a recipient's data is permanently deleted when it meets all of the following criteria:
The recipient has not been imported into Maxemail during the selected time period
The recipient has not received e-mail during the selected period
The recipient has not opened e-mail during the selected period
The recipient has not clicked on an e-mail in the selected period
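The four inactivity criteria above amount to a data-minimisation retention rule: a record is eligible for deletion only when none of the four activity types has occurred within the chosen period. The following Python is an added illustration of such a rule, not Maxemail's own code; the record fields (last_imported, last_sent, last_opened, last_clicked) and the created_at safeguard for records that have never had any activity are assumptions made for the example, and the sample recipients are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Recipient:
    """A recipient record with the activity timestamps the rule inspects (assumed field names)."""
    email: str
    created_at: datetime                 # assumption: when the record was first created
    last_imported: Optional[datetime]    # last time the recipient was imported
    last_sent: Optional[datetime]        # last time an e-mail was sent to the recipient
    last_opened: Optional[datetime]      # last time the recipient opened an e-mail
    last_clicked: Optional[datetime]     # last time the recipient clicked a link in an e-mail


def is_inactive(r: Recipient, cutoff: datetime) -> bool:
    """True when none of the four activity types has occurred on or after the cutoff."""
    for ts in (r.last_imported, r.last_sent, r.last_opened, r.last_clicked):
        if ts is not None and ts >= cutoff:
            return False  # any one recent activity keeps the record
    # Assumption: a record with no recorded activity at all is only treated as
    # inactive once the record itself is older than the cutoff, so that newly
    # created recipients are not swept out before they have been contacted.
    return r.created_at < cutoff


def inactive_recipients(recipients: List[Recipient], retention_days: int, now: datetime) -> List[str]:
    """Return the e-mail addresses eligible for permanent deletion under the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [r.email for r in recipients if is_inactive(r, cutoff)]


# Constructed sample data for a sweep run on 25 May 2018 with a 365-day retention period.
NOW = datetime(2018, 5, 25)
SAMPLE = [
    Recipient("old-all@example.com", datetime(2016, 1, 1),
              datetime(2016, 2, 1), datetime(2016, 3, 1), datetime(2016, 3, 2), datetime(2016, 3, 3)),
    Recipient("recent-open@example.com", datetime(2016, 1, 1),
              datetime(2016, 2, 1), datetime(2016, 3, 1), datetime(2018, 1, 10), None),
    Recipient("brand-new@example.com", datetime(2018, 5, 1), None, None, None, None),
    Recipient("never-used@example.com", datetime(2016, 1, 1), None, None, None, None),
    Recipient("recent-import@example.com", datetime(2016, 1, 1),
              datetime(2017, 6, 1), datetime(2016, 3, 1), None, None),
]

if __name__ == "__main__":
    for email in inactive_recipients(SAMPLE, 365, NOW):
        print("eligible for deletion:", email)
```

Note that a recent import on its own is enough to keep a record, matching the first criterion in the list; the sweep only reports candidates, so an operator can log what was removed and why before deletion is made permanent.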
Our staff have access to a client's customer data only for the purpose of working on that client's behalf. Access is granted once permission is received by e-mail and only for a limited time, as specified in that permission.
Having achieved ISO 27001:2013 registration in May 2017, we have an ISMS and robust procedures in place. From staff training and system access control to software development and system design, security is at the forefront of every decision.
A data processing addendum has been added to our service contracts. It is distributed to and signed by all current customers where a data processing agreement is not already in place. It includes the agreement that data will be processed only for the purposes specified by the customer in the processing and service contracts, with the flexibility for authorised persons of that customer to modify those purposes.
include GDPR references and specifications.
Our data breach procedure, which forms part of our business continuity plan, has been revised to ensure that it meets GDPR requirements.
The details in this update should be sufficient to demonstrate and explain how we have responded to the changes introduced by the GDPR. If you have any questions about this document, or need further information about our approach to the GDPR, please contact us:
Tel: 01327 811884