On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. GDPR regulates the governance of personal data of European Union (EU) citizens, with an emphasis on data security and privacy. The GDPR does not only apply to companies that operate in the EU: it also applies to companies operating outside the EU if they hold personal data of anyone in the EU.
DEITG has made information security and data privacy principles the foundation of everything we do, and we recognise the importance of passing regulations to advance information security and data privacy for citizens of the EU. We take special pride in our role in helping clients get ready for GDPR and in demonstrating how our products and services help to provide a more secure environment for our clients.
DEITG is firmly committed to data privacy, data protection and GDPR compliance.
How we handle client privacy
This document gives an overview of how we handle privacy and covers:
- The types of information we collect
- How we collect and use it
- Who we might share it with
- The steps we’ll take to make sure it stays private and secure
- Your rights to your information
Who We Are
When we say ‘we’, ‘us’ or ‘our’, we mean DEITG (I.T. Generalists Ltd.), who is the ‘data processor’ for the information in this overview. When we say ‘you’, ‘your’ or ‘client’, we mean the client company to which we provide services; this may include employees of that company and information provided by you. As a company, the client will have a person responsible as the ‘Data Controller’, who is responsible for deciding how we may use the information we hold. When we say ‘your data’, we mean files and documents owned by you, the client.
The Information We Collect
We collect information from different places, including:
- Directly from your employees
- From your IT and business systems, including computers and devices (through our own infrastructure and business systems used to deliver the service)
- From publicly available sources
- When we generate it ourselves
- From other organisations
We only collect information in line with relevant regulations and law. This may relate to any of our products or services that our clients enquire about, are able to receive, currently hold or have held in the past.
As the Data Processor, the Client is responsible for making sure the data given to and held by us is accurate and up to date.
The Types of Data we Process
Depending on the products and services chosen by the Client, we will process on your behalf the following personal data:
- First & Last Name
- Mailing Address
- Email Addresses
- Business Phone
- Mobile Phone Numbers
- Computer Names
- Computer IP address
- Computer MAC address
- Computer access password
- Configuration Details
- Network & Computer Logs
This information mainly includes, but is not limited to, business contacts such as employees, contractors, suppliers, consultants, stakeholders, directors and associates.
In addition, we may process, under the terms detailed in our general terms and conditions, personal data which the Client elects to host with or upload to us in connection with our provision of services. Our systems hold logs of client data and use; we keep these logs for a reasonable amount of time to help troubleshoot issues. These logs are not passed on or sold.
How we will use the Information
We will use it to provide any products and services the Client has requested, and for other purposes including:
- To confirm your identity and address
- To understand how you use our services
- To carry out your instructions and deliver services
- To improve our products and services
- To offer other services which we believe may benefit you, unless you have asked us not to
We will only use client information where allowed to by law, e.g. carrying out an agreement and providing services for you, fulfilling a legal obligation, because we have a legitimate business interest, or where you agree to it.
What we do to ensure your Information is safe
When choosing new companies to work with, we look for companies that have achieved ISO 27001, Cyber Essentials, Privacy Shield or another related certification, or that can demonstrate competence and adherence to good privacy and security standards.
As a UK Government accredited certification body for IASME/Cyber Essentials (there is none in Ireland yet, so we went to the UK), DEITG undergoes stringent annual inspections. Certified since early 2017, the Cyber Essentials certification focuses on the key technical controls, while the IASME Governance Standard includes the GDPR requirements, demonstrating that our organisation has a wider governance system for managing the controls that protect personal data.
As an IASME Gold accredited company, we are licensed to deliver Cyber Essentials assessments and IASME governance assessments, including GDPR readiness, to organisations.
As an IT solutions provider, we are accredited to implement and maintain appropriate technical and organisational measures to protect data in line with the legislation.
This Service Standard is available on request and is NOT implemented unless requested and agreed.
This is not only part of our commitment to attaining the highest levels of cyber security for our clients and the information we hold; it is also needed to allow us to assess other businesses regarding their levels of cybersecurity and GDPR readiness, and to issue IASME certificates showing that a company has attained the Government-approved level of security. We have achieved IASME GOLD status, showing that the procedures, processes and systems we have in place not only meet the UK Government endorsed IASME/Cyber Essentials standards but surpass them to the GOLD standard.
Our certification can be requested by emailing firstname.lastname@example.org.
A few of the physical measures we take are:
- All devices we use to store information are encrypted.
- Our business systems are both encrypted and protected by two-factor authentication, meaning that at least two security challenges must be passed to gain access to business systems. In addition, we use systems which change the login password every 30 seconds to further reduce the risk of intrusion.
- As well as using firewalls and regularly patching and applying updates, we incorporate intrusion detection and vulnerability management systems and regularly perform penetration testing of our own security.
- Our staff have regular training in relation to cyber security.
- Policies, processes and procedures governing access to technology assets.
The above lists just 4 of the 175 methods incorporated to fulfil our IASME/Cyber Essentials standards.
Who we share your information with
We may share our clients’ information with other companies we work in partnership with. These include carefully selected DEITG suppliers who provide our warranty support, system updating, business systems and storage systems. Our clients can request a list of the companies (see DPA) we use to process personal data.
We also use third-party vendors to provide platforms to store and manage our clients’ data. For the most part, the relationship is between the Client and the Vendor, with us having access to the data. For example, we use Microsoft’s Azure cloud systems and the Office 365 platform to store clients’ information and data; as a company, we have ensured that client data stored with Microsoft is encrypted, stored in the EU and not stored for longer than is needed. This data belongs to our clients and as such we don’t store it for anything other than providing specific storage services (such as backup).
We don’t share our clients’ information with any parties other than for the provision of services to the client or to improve our products or services. We apply the same methodology for all our clients.
How long we’ll keep information
We’ll keep our clients’ information and clients’ data for as long as the client has a relationship with us. After it ends, we’ll keep it for a pre-defined period (agreed upon termination) thereafter, and where we may need it for our legitimate purposes, e.g. to help us respond to queries or complaints, or for other reasons, e.g. fighting fraud and crime, and responding to requests from regulators.
The types of data we keep and how long we keep it:
- We keep data for as long as the client is a customer and purchases our products and services.
- We also use the information to inform clients about new products and services which may benefit them.
- We retain backups for the duration of providing the backup service.
- We do not retain client documents for any longer than is needed to complete the work being performed.
- We keep documents for as short a time as possible whilst working on a job which requires us to use the documents, and only with the permission of the sender.
Transferring your information overseas
Your information may be transferred to and stored in countries outside the European Economic Area, including some that may not have laws that provide the same level of protection for personal information. When we do this, we seek confirmation from the vendor that they have the appropriate levels of protection. This can include membership of the EU-US Privacy Shield and other international data privacy arrangements.
Your rights to your information
The client has rights relating to their information, e.g. to see what we hold, to ask us to share it with another party, to ask us to update incorrect or incomplete details, and to object to or restrict processing of it. Please email email@example.com for such requests.
You have the right to lodge a complaint with the Data Commissioner if you believe your data has been processed in a way that does not comply with the GDPR.