GDPR


Below we have listed some generic and simple ideas we have used, requirements that must be met for the GDPR, and the procedures and security we have put in place or will be aiming to reach in the near future. It was compiled from many different sources online, together with common-sense practices we see on a day-to-day basis when serving thousands of small to large businesses.

It also includes some of our own ideas. If you have any ideas you would like to see added to this list, or any improvements, feel free to contact us; we are always looking at ways to improve. You'll likely find some points only skim the surface; you'll need to investigate them in deeper detail, as every business' scenario will differ from our own.




***Please Note: The information contained in this document is only our opinions and practices we follow. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.***




Ahead4 Hosting Information

UK Datacenter(s): Yes
iomart, ISO 27001 and 9001 certified and secured to UK government IL4 standards, with multi-factor access control, 24/7 on-site roaming security and CCTV.

Internal Data Storage: Yes
Ahead4 Limited's premises are located in the UK. Data is stored in a secure building with restricted user access, full CCTV coverage, fire and intruder alarms and 24/7 security. Data is only transmitted over secured VPNs and IPs.

External Data Storage: Yes
Data only transmitted securely to select third parties with full data security practices: Google, MailChimp, Digital Ocean, Stripe, GoCardless, Namecheap, Nominet, DomainBox, GitHub, OpenSRS / Tucows, Signable.

Data Ahead4 Limited Host or Hold
We hold the following personal information internally on our intranet systems:

  • Title, First Name, Last Name
  • Address, Billing Address, and Postal Code
  • Landline, Mobile Phone
  • Payment Method
  • Transactional payment information, such as card details, is held with either WorldPay, Stripe, PayPal, GoCardless or Barclays



Website Security


  • Is your website or web app using SSL encryption?

    Not only are browsers now requiring this, you should at the very least use SSL certificates to give your site / app a level of protection from hackers and malicious bots (automated hacking tools). Not only is this peace of mind for you, customers can be confident that any data submitted on your site / app is securely transmitted to the server.

  • Is your site hosted within the UK, or overseas?

    When storing customer information collected via forms or internal systems, it is important that customers now know where that data is being stored. Customers will need to be made aware of who the server host is and the location of that particular datacentre. Customers can then make an informed decision on whether you are allowed to hold their data in that location. For instance, Ahead4 Limited have used OVH and their France datacentre; currently Ahead4 Limited use RedStation and their UK datacentre. Sharing any more information than this is a security risk; however, customers can now research that company and make an informed decision on whether that company is adequate.

    To expand on this, think of it from a customer's perspective: would you rather your personal data is stored in a shed on a completely open industrial estate, or in a remote datacentre with 24/7, 365-day roaming security, CCTV, failsafe and breach protocols, security-escorted and monitored non-site personnel, tall concrete walls and so on? This goes for any and all third-party applications. For example, with payment gateways, customers will need to know who holds their card information and where; if you use map software with their location, they need to know who provides it. You ideally want to ensure customers know exactly who holds every piece of their personal data and where it goes when they interact with your business, i.e. card information, name, address, phone number, email address, and details of their reason for doing business with you (car details, device details, details of their home etc.). Information generally isn't stored in one exact location, so ensure customers know exactly who holds it, where, and why.

  • Does your website have Terms & Conditions?

    You now need to be completely transparent with your customers, in layman's terms, about exactly what their rights are regarding your terms of business and the conditions that need to be adhered to. This includes their rights to their data and how destroying their data records may impact how you continue to do business (i.e. will they need to create a new account every time they wish to use your services). Policies regarding your business and how customers interact with it should also contain information on their personal data. If your site uses cookies, state what information is collected, why it's collected and finally where that information is stored.

  • Does your website have a footer with expected info?

    The footer of your website should contain the information a customer expects: your head office location, contact details, links to the terms of the site and copyright information. You must supply these details; however, if you don't wish to share your personal correspondence address, for example if you're a new business operating from home, you can set up a P.O. Box address instead. See here for a guide on this: https://www.royalmail.com/personal/receiving-mail/po-box/.

  • Does your site use WordPress or other free web software?

    Customers will need to be made aware that you are using an open source website solution, along with a list of the plugins the site is currently using. Due to the open source nature of some web solutions, and WordPress in particular, methods of breaking into the site and stealing personal data are a weekly occurrence. In most cases this is due to either using untrustworthy plugins on which due diligence has not been done, or general user negligence: allowing a WordPress installation to become outdated and not taking the time to maintain it properly. The most common problem in particular is using a password that is not secure, which allows brute force attacks to be carried out very easily. You should at the very least use a proper password generator, which you can find here: https://passwordsgenerator.net/, or use a keychain such as https://www.lastpass.com/.
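    The first checklist item above asks whether a site is actually using SSL / TLS properly. The script below is an added example, not code from the Ahead4 page: it connects to a host, lets Python's default context verify the certificate chain and host name against the system trust store, and reports the negotiated protocol version and the days left before the certificate expires, so an outdated protocol or an expiring certificate is caught before a customer or browser notices. The host name in the usage block is a placeholder.

```python
"""Added example (not part of the original Ahead4 page): a small TLS health
check for a web site or web app. Nothing here bypasses verification; a site
whose chain does not validate is reported as a failure."""
import socket
import ssl


def cert_time_to_epoch(cert_time):
    """Epoch seconds for a 'notAfter' string as returned by ssl.getpeercert(),
    e.g. 'Jun  1 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after, now_ts=None):
    """Whole days between now and the certificate's notAfter (negative if expired)."""
    import time
    if now_ts is None:
        now_ts = time.time()
    return int((cert_time_to_epoch(not_after) - now_ts) // 86400)


def protocol_is_acceptable(version):
    """True for TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are findings."""
    return version in ("TLSv1.2", "TLSv1.3")


def check_site(host, port=443, timeout=5.0):
    """Return a summary of the TLS setup of host:port.
    Raises ssl.SSLCertVerificationError if the chain or host name does not
    validate, which is the failure a customer-facing site must not have."""
    context = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "host": host,
        "protocol": version,
        "protocol_ok": protocol_is_acceptable(version),
        "days_left": days_until_expiry(cert["notAfter"]),
        "subject": dict(entry[0] for entry in cert["subject"]),
    }


if __name__ == "__main__":
    import sys
    # "example.invalid" is a placeholder; pass your own host name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    try:
        result = check_site(target)
        status = "OK" if result["protocol_ok"] and result["days_left"] > 14 else "ATTENTION"
        print(status, result)
    except ssl.SSLCertVerificationError as exc:
        print(f"{target}: certificate did NOT verify: {exc}")
    except OSError as exc:
        print(f"{target}: could not connect: {exc}")
```

    Run it against each public host you operate; anything reporting a pre-1.2 protocol, a verification error, or fewer than about 14 days of validity is worth a ticket before it becomes a customer-visible browser warning.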




Staff Agreements


Ahead4 Limited use a compulsory signed document for existing and new staff, acknowledging that all staff of the organisation understand data security and privacy and treat all data very seriously.

Out of Hours

During this period Ahead4 Limited use stepped-up security procedures to ensure peace of mind for both our customers and our internal systems. Areas of our internal system are locked out and, in some cases, IPs are blocked altogether, preventing remote access.

Data Transport

On rare occasions we must transfer data drives, whether contained within hardware or via a personal passport drive, backup drive or USB stick. We take your personal data very seriously: only authorised staff members are to access the data contained on them.

Workshop Backups

Sometimes when we carry out repairs of a device or upgrade internal storage hardware (e.g. from a disk drive to a solid state drive), an engineer can, upon request, back up your data, which we hold for an absolute maximum of 3 months / 90 days. If a customer doesn't retrieve the data from the drive(s) using their own backup solution, or the data is no longer needed, an engineer will format the drive(s) and the data will be destroyed.




Emails


  • Do your email signatures & footers contain information a recipient expects?

    Email footers should contain, at the very least, the name or logo of the business the recipient is corresponding with, the registered address and registration number of the business, contact numbers / emails, and legal information with links if required.

  • Email marketing: where did you source your email lists?

    You can only acquire emails to market to through your own platform, with clear intentions of how you'll use their email. You cannot buy lists from third parties to market to; doing this will open you up directly to heavy penalties.

  • Did the customer opt-in for email marketing & are you only using the email for the use it was supplied?

    You cannot market to customers that have not opted in to being marketed to. You will need to ensure newsletter signup forms specifically for email marketing include very clear links to legal information and checkboxes to confirm they have agreed to the terms.

    If you do work for a customer, carry out a transaction for goods / services or create a quote etc., you will likely have a record of their email address, which cannot be marketed to unless they have specifically opted in. You will need to provide customers a link to the newsletter signup form with clear intentions of what it is for. Existing customers will also need to visit this form; otherwise, the ONLY use for that email address is correspondence relating to a transaction or service you have provided, or a customer service inquiry. You cannot share / sell this address or use it for marketing purposes, as you now have full responsibility for that person's data and must ensure it is used appropriately.

    As an example, say a customer approaches you for a quote: you take their details down in order to send the quote out, put the paperwork together and send the quote across. Unless they have specifically given you permission, you cannot follow the potential client up with another email, as this is considered a form of remarketing. You also cannot add their email to a mailing list to remarket with. You may hold their information on file for a reasonable amount of time, for example 14-30 days, whilst you await a reply; after this period the information must be destroyed.

  • Do you provide customers with clear methods to opt out?

    Customers should be able to opt out of marketing emails easily, either with a clear unsubscribe function added to emails or, alternatively, by contacting your business to get their email removed in an efficient manner.




Surveillance


  • CCTV / Dash Cams

    Something very easily overlooked: if you have CCTV in the office, especially with one- / two-way audio, you must be careful how this data is kept and stored, especially if confidential phone calls or conversations are picked up, or confidential documents with client information are easily viewable through high-quality CCTV systems.

    With dash cameras: we made changes to our fleet vehicles in 2017 which meant all vehicles use a recording device; however, we realised that not only were we recording video, we were also recording internal sound from the cabin of the vehicles. This means conversations mentioning passwords and other confidential data were picked up on phone calls. We have since disabled this functionality so that, in the event of a theft, no data is stored on the device that could be used for malicious intent.




Telecommunications


  • Do you record calls?

    Recorded calls will no doubt have critical information mentioned at all levels throughout a business, so ensuring the call recordings are stored securely is essential. Additionally, where are they stored: are they stored internally, or do you use a third party for this service?

  • Do all staff smartphones that store customer contacts, call information, messages or work emails have adequate security?

    In the event one of those devices is stolen, how difficult is it to get at the information within the device? Ensure you use screen locks; the best two to use are fingerprints and unique passwords. Also, what procedures do you undertake to ensure maximum security of those devices? Do you have remote access apps that can wipe the phone, for instance? Even if the device has been stolen, a breach can be avoided by treating the incident in the most efficient manner. Please see the following guides:

    https://www.androidpit.com/how-to-remotely-delete-android-phone-data

    https://www.imore.com/find-my-iphone

  • Does the phone or can the phone have encryption?

    Most modern devices can have encryption software applied. If the phone is stolen, without the password the phone will destroy its own data and firmware after a few attempts, without warning, rendering it completely useless but, more importantly, keeping the data secure.




Mobile Data


  • Laptop and mobile data

    Laptops that store local data should at the very least have a password-protected login; however, from an IT perspective, this is easily bypassed in a couple of minutes if you know what you're doing. Because of this we only recommend proper encryption software, which makes it extremely difficult to get into the system. This is critically important if that device contains locally stored customer data. Some versions of Microsoft Windows have a free encryption option; however, we only recommend DESlock. Please see here for more information: https://www.deslock.com/.

  • Data syncing & Transporting

    When you are moving data to different online services, you should be using the most secure methods. Many marketing platforms, CRMs and modern third-party web software have APIs (Application Programming Interfaces) and direct syncing methods over secure routing. We have found many customers don't account for this and increase their chances of a data breach occurring, in addition to human error, by manually copying data or manually exporting / importing data between their systems.

    It's worth mentioning you should think about how you are copying data: RIGHT CLICK + COPY or CTRL + C. You can leave fingerprints in the memory of the computer by doing this, which is another reason manually copying data in an unsecured environment is very bad practice, especially if you are not taking steps to either clear this data or avoid leaving copied data stored in the memory.

    If you absolutely need to transfer data between different locations manually, and not via a secure network, we advise you to investigate hardware devices that support encryption with password protection, like the following: https://istorage-uk.com/encrypted-flash-drives/.




Data Breach


So you've had a data breach: something you probably prepared for, and you have proper lockdown procedures? If you're like the vast majority of companies, it's likely something that may have crossed your mind and was never thought about again. Well, here's a reminder: you have 72 hours before you MUST report an incident to the ICO, and what you do in those 72 hours will decide whether you are legally allowed to resume trading, or must reinforce the security procedures around your business to adequate levels before you can commence again.

To prompt thinking, consider the following when designing your unique procedure:

  • Who are the key personnel to ensure this happens with speed and efficiency?
  • Do your staff know what to do with a data breach?
  • Do you have the key personnel to investigate what happened and ensure full lockdown of the company is achieved?
  • Are all staff aware who in the company will be carrying out detailed investigations?
  • Are staff aware in the event of a breach they will be locked out of the system until the investigation is over?
  • What data networks need to be turned off and secure?
  • Force logout / lockouts of internal and external systems?
  • What exactly was stolen?
  • How did they get in?
  • Were your passwords weak in the affected area; Password123 vs 3xhmCbURb5A2AFPX?
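The WordPress item under Website Security and the last question above both come down to the same thing: a guessable password lets a brute force attack succeed quickly, a randomly generated one does not. The script below is an added example, not code from the Ahead4 page. It generates passwords with Python's cryptographically secure `secrets` module and scores any password by keyspace and by a small constructed list of dictionary roots, so the page's own pair, Password123 and 3xhmCbURb5A2AFPX, can be compared side by side. The guess rate used for the brute-force estimate is a constructed assumption for illustration only.

```python
"""Added example (not part of the original Ahead4 page): secure password
generation plus a simple weakness check that reflects the page's
'Password123 vs 3xhmCbURb5A2AFPX' comparison in numbers."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # same classes as the page's strong example
SECONDS_PER_YEAR = 365 * 86400
# Constructed assumption: guesses per second for an offline attack on leaked hashes.
GUESSES_PER_SECOND = 10_000_000_000
# Constructed list of roots that guessing tools try first.
COMMON_ROOTS = ("password", "letmein", "qwerty", "admin", "welcome")


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly with secrets.choice, so earlier outputs
    reveal nothing about later ones (random.choice is not suitable here)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password):
    """Size of the union of character classes the password visibly uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password):
    """Upper bound on entropy: log2(charset ** length). Real entropy is lower
    whenever the password follows a pattern, which is why is_weak also
    checks dictionary roots."""
    return len(password) * math.log2(charset_size(password))


def brute_force_years(password, guesses_per_second=GUESSES_PER_SECOND):
    """Years to exhaust the password's keyspace at the assumed guess rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def is_weak(password, min_bits=60):
    """A password is weak if it contains a common root (a dictionary attack
    finds it regardless of length) or its keyspace is below min_bits."""
    lowered = password.lower()
    if any(root in lowered for root in COMMON_ROOTS):
        return True
    return entropy_bits(password) < min_bits


if __name__ == "__main__":
    for candidate in ("Password123", "3xhmCbURb5A2AFPX", generate_password()):
        print(f"{candidate:20} weak={is_weak(candidate)!s:5} "
              f"bits={entropy_bits(candidate):5.1f} "
              f"brute-force years={brute_force_years(candidate):.2e}")
```

Password123 is rejected by the dictionary-root rule even though its raw keyspace looks respectable, which is the point: length and mixed case do not help when the base word is on every guessing list. The generated 16-character passwords land around 95 bits, which is what a password manager or generator gives you for free.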

These are good questions to begin with, to ensure that if the worst does happen you are able to shut down efficiently. You have to think outside the box and view each scenario from different angles; an attacker will be looking for an exploit. A relatively basic scenario: how do you know your mailbox for resetting passwords isn't breached? Assume it is, and use a fallback to reset passwords so the attacker does not see the generated link. Most of the 72 hours will be a mix of figuring out what was taken and securing your network using new passwords and reinforcing the weak points.

So make it strong in the first place. Answering most of those questions will inherently allow you to put procedures in place before a breach can happen.











Please Note: the contents of this page does not GUARANTEE GDPR compliance, it is to help get people thinking of the challenges presented and promote ideas on how to tackle them.

Contact Us

We'd love to hear about your project.

Get in touch

Call us on 01245 426163

or email us @ info@ahead4.com
