Please review our GDPR Statement regularly as it is subject to intermittent amendment.
With GDPR and PECR coming into force as of 25th May, we have been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. Further to this, in the background, we have been working hard to bring ourselves into compliance well before the 25th May.
We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act) providing assurance to our clients that we take this responsibility very seriously.
In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. In our day to day operations, the vast majority of our information is stored on our internal systems here in our offices. We have sought and have recorded assurances from other processors, where they are used; and they are as follows:
We store some sales and leads data in a hosted CRM (Zoho) ( https://www.zoho.eu/gdpr.html )
We use Dropbox for some project related information. ( https://www.dropbox.com/en_GB/security/GDPR )
For our hosted services we use the following processors:
Amazon AWS (UK and Ireland Regions) ( https://aws.amazon.com/compliance/gdpr-center/ )
UKFast (UK) ( https://www.ukfast.co.uk/terms.html )
Rackspace (UK Region) ( https://www.rackspace.com/en-gb/gdpr )
Hetzner (Germany) https://www.hetzner.com/rechtliches/datenschutz/
Google Cloud (Gemany and UK) https://cloud.google.com/security/gdpr/
Where we provide hosting services to our clients we act as data processors on the behalf of our client who are data controllers under the terms of the regulation.
Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, please see below the following series of statements to satisfy this requirement.
Access to the administrative portions of the hosting infrastructure are highly restricted, limited to a few people within the business.
All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services are disabled and restricted as necessary.
Each server is further protected by an additional software firewall and physical DDOS appliance. The software firewall is configured to only allow relevant network services.
Further to this, each CMS website is protected by a software-based Web Application Firewall to provide protection against common vulnerabilities etc. We also employ intrusion detection systems on the servers that are monitored for unusual behaviour.
Website files, databases and other data relating to the website, underlying content management system files, version and so on are the sole responsibility of the customer.
iSky Creative are responsible for the security of the Operating System and firewall configurations alongside updating the WHM/CPanel software on the servers only.
Website Development and Design services
Where you have contracted iSky Creative to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site / application.
In these circumstances the client is acting as a Data Controller and the company hosting the site is acting as a processor and the Controller should seek written assurances from the processor around the measures being taken to secure the data.
Technical IT Services
Where you have contracted iSky Creative to consult upon, build, and deploy internal IT systems, iSky Creative is not responsible for the way in which these systems are used and, as Data Controllers it is your responsibility to ensure that your IT systems and the organisational policies and procedures are compliant with the regulation. iSky Creative is willing to assist with this in whatever way possible.
3rd Party Hosted Services
Where you have taken advice from iSky Creative who have recommended and / or referred you to a 3rd party processing service, such as O365 or Jungledisk, iSky reative act as neither processors nor controllers with respect to these data processing systems. The Data Controller should seek written assurances from the processor around the measures being taken to secure the data.
iSky Creative Internal Systems
We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator of Supervisory Authority should we be required to do so in line with the requirements of the regulation.
In line with our own 27012 accreditation, we have multiple layers of physical and logical security in place in our premises. Our building is secured with multiple layers of key-based access with registered key holders and controlled access to keys. Our building entrance is secured with a shutter and the building is alarmed and monitored 24x7x365.
Access to data on our internal systems is restricted according to business need and each user has a unique password and username and all systems are logged and monitored for unusual behaviour 24×7. We employ a full suite of anti-malware systems and all updates and patches are applied and checked regularly by our internal team. Our network is protected by a controlled and monitored hardware firewall. Each computer has software firewalling enabled and controlled.
We have multiple logging and monitoring systems internally that continually monitor and record successful and unsuccessful access to data stored on our systems.
Data Collection Policy Statement
We do not have to appoint a DPO as stipulated under the terms of the regulation, but any enquiries on this matter should be addressed to the [email protected] email address.
We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.
This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers.
We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.
Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. We do not engage in profiling or automated decision making. To exercise these rights please contact us using the details provided above.
Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO) and their contact details can be found online.
Nothing on this statement constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.
The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information in this statement is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.
We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.