An introduction to GDPR and Your Personal Data with us


BWF Hosting

GDPR (the General Data Protection Regulation) comes into force on 25 May 2018 and applies to all businesses doing business in, or with a person in, the EU. We will be posting a number of short blog posts over the next two weeks offering advice on what you need to be doing as a business to get ready for GDPR. First, we wanted to let our clients know what we as a company are doing to prepare for GDPR, to keep your personal data secure and to make sure we comply with the new regulations.

As 25 May 2018 approaches we are receiving many more support tickets from clients asking us about GDPR and how we are preparing for it. Our management team has been working towards the GDPR implementation date for a number of months now and we are making excellent progress. We will be fully compliant from 25 May 2018.

Here is a summary of what has happened or will be happening in the coming weeks internally at BWF to ensure we process and store your data in compliance with the new law:

Personal Data Audit
We have completed our Personal Data Audit, so we know exactly what data we collect from clients and the specific purpose for which we collect it. We also have a clear picture of where we pass that data on to third parties. For example, when you register a domain name we are required to pass your data to the respective domain registrar partner; otherwise it is impossible for us to register the domain. All of this information will be set out in our updated Privacy Policy, which will be released before GDPR takes effect in May.

Clarification on storage of Payment Information
When we collect your credit card details to process your payment, this is done through a link directly to stripe.com embedded in our website. This means we do not directly collect or store your card details in our database. All we store is the last 4 digits and the expiration date. Your card details are stored by stripe.com, and our privacy policy will be updated to make that clear. Similarly, your bank account details for Direct Debit are stored at GoCardless, and we only see the name of the bank and the last 2 digits of your account number. Again, our privacy policy is being updated to reflect this so clients know this data is stored by third-party companies.

Server Location
The server we store your personal data on is in the European Union and resides in an ISO 27001 certified facility for added peace of mind. We do not store your data on a virtual server or cloud server but on a bare-metal dedicated machine that is locked down for your protection. Nothing else is hosted on that server. ISO 27001 certification ensures the data centre has relevant processes in place to protect access to the data centre and similar controls.

Server Security Audit
We have regularly audited the server we store your personal data on for vulnerabilities using a specialist vulnerability scanning tool (this is not a malware scanner but a tool that actively looks for back doors into the server). With GDPR coming into play we will now formally document these scans, and we will be completing very regular "deep scans" of the server. Our system administrators will act upon any recommendations resulting from these scans. Malware scans will also be completed on a more formal basis, with results documented. Our WHMCS billing software will be patched as new updates are released to ensure we always run the latest secure version.

Server Backups
Our client personal data backups are taken to another bare-metal server (not a cloud or VPS server), and this server is also subject to the same vulnerability deep scans as our main server. We do not store any other websites on this backup server. Our privacy policy (live soon) is being updated to state how long we retain backup data; we do not store backup data for more than 30 days. This means that after a client has asked us to remove their data from our systems it will be removed completely from our network within 30 days.

Deletion of Old Clients / Right to be Forgotten
Whilst the right to be forgotten is a big part of GDPR, we also need to factor in the Companies Act and HMRC regulations that require us as a company to keep financial data for 6 years. This includes client invoice data that could be required in the event of a VAT inspection. We are updating our policy to ensure we delete the data of clients who are no longer with us (within 60 days), whilst keeping the relevant invoice data to comply with the requirement to retain it for 6 years.

BWF Mailing List (Marketing Emails)
We operate a very active client mailing list. In the past, clients were automatically opted in to marketing emails and could opt out at any time via a one-click link. GDPR requires us to change this: clients now need to OPT IN to email marketing. Very shortly we will be reaching out to all current clients who have not opted out, asking them to opt in again. If a client does not opt in before GDPR day, they will no longer receive marketing emails from us.

Subject Access Requests / Other Requests from Data Subjects
Clients whose data we hold can generally view all of this information in their client area, but under GDPR clients can also ask us to provide a full copy of all data we hold on them. Our new privacy policy, coming out soon, will reflect the new timescales for data access requests and other relevant requests.

Encryption of Collected Data
We have an SSL certificate installed on the server, ensuring all data sent between your computer and the server is encrypted. TLS 1.1 is blocked to stop the GHOST exploit, and other older SSL protocols are blocked for security as well. We will regularly review this as technology develops. This has been standard for years and helps us comply with Article 32 of the GDPR.
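The protocol-version lockdown described above is easy to claim and easy to regress when a web server or library is upgraded, so it is worth verifying from the outside. The script below is an added example (not BWF's code or tooling) that uses only Python's standard library: it pins a client to exactly one protocol version at a time, records whether the server completes the handshake, and then evaluates the results against the policy the post describes (SSLv3, TLS 1.0 and TLS 1.1 refused; TLS 1.2 accepted). The host name `your.server.example` is a placeholder for a server you operate.

```python
import socket
import ssl
import sys

# Policy expressed as ssl.TLSVersion member names so reports stay plain text:
# legacy versions a hardened server should refuse, versions it must still accept.
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1")
REQUIRED_VERSIONS = ("TLSv1_2",)
PROBE_ORDER = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake pinned to exactly the protocol version `name`.

    Returns True if the server completed the handshake at that version, False if
    the server refused it, and None if the local OpenSSL build will not even offer
    that version (an inconclusive probe, which must not be read as "disabled").
    """
    version = ssl.TLSVersion[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is deliberately off: this probe asks only which
    # protocol versions the server accepts, not who the server is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # this Python/OpenSSL cannot be configured for that version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # Handshake succeeded; the negotiated version is the pinned one.
                return tls.version() is not None
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None  # local OpenSSL security policy blocked the attempt
        return False  # e.g. a protocol_version alert: the server refused it


def probe_all(host, port=443):
    """Probe each version in PROBE_ORDER; returns {name: True | False | None}."""
    return {name: probe_version(host, port, name) for name in PROBE_ORDER}


def evaluate(results):
    """Turn probe results into (compliant, findings).

    A legacy version that handshakes is a failure, as is a required version that
    is refused. Inconclusive legacy probes are listed as warnings so that "could
    not test" is never mistaken for "disabled".
    """
    failures, warnings = [], []
    for name in LEGACY_VERSIONS:
        outcome = results.get(name)
        if outcome is True:
            failures.append(f"{name} accepted: legacy protocol should be disabled")
        elif outcome is None:
            warnings.append(f"{name} could not be probed from this host: inconclusive")
    for name in REQUIRED_VERSIONS:
        if results.get(name) is not True:
            failures.append(f"{name} refused: modern clients cannot connect")
    return (not failures, failures + warnings)


if __name__ == "__main__":
    # Usage: python tls_probe.py your.server.example 443   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "your.server.example"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = probe_all(target, port)
    compliant, findings = evaluate(results)
    for name in PROBE_ORDER:
        print(f"{name:8s} {results[name]}")
    print("policy met" if compliant else "policy NOT met")
    for finding in findings:
        print(" -", finding)
```

Run it against your own server after every web-server or OpenSSL upgrade and keep the output with the scan documentation the post mentions. Note that a modern client OS may itself refuse to speak SSLv3 or TLS 1.0; the script reports those probes as inconclusive rather than as a pass, which is exactly the distinction an auditor will ask about.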

Client Responsibilities – Passwords etc.
We encourage all clients to take active steps to help keep their own data secure. Regular password changes and using two-factor authentication in your client area, which requires an app on your phone to produce a second-step password, are all highly recommended. Our team can help you set this up on request.

Our Responsibilities – Passwords etc.
We have an internal policy on changing passwords, and our client area is locked down so that administrative access is only possible for users authenticated from our offices. Nothing has changed here with GDPR.

Finally, if you require any clarification on anything above, do not hesitate to contact us.
