The General Data Protection Regulation (GDPR) is the biggest change in data protection law for twenty years. When it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data. Its impact won’t just be felt in Europe, as it has wider implications for companies across the world that hold data.
Data and data protection are at the heart of everything we do at Inspiretec, right up to board level, which has been involved throughout our preparation process and new policy rollout. As you are aware, we have been working behind the scenes in recent months to ensure that we, as a business and as a supplier/data processor, are fully prepared for May 25th and onwards.
Due to the nature and severity of the law changes, Inspiretec engaged a GDPR consultancy to assist with a review of our products and processes, with two consultants on-site for many days of product data mapping (external and internal) and a week of business-wide workshops reviewing existing processes against the new legislation.
We will be conducting the same exercises annually to ensure we maintain our levels of compliance and adapt to the inevitable changes in this domain. During our preparation for GDPR we have identified, and are in the process of mitigating, areas where we feel we can improve our compliance with the legislation:
We are currently rolling out enhancements to our product stack, following recommendations from our consultants, across the following products: Travelink, Holistic, Travelcat, Highway, and TravelCRM.
Sales and marketing data.
Alongside product enhancements, we are conducting a marketing list refresh, requesting all current marketing recipients re-consent should they wish to continue receiving communications from Inspiretec, as per new regulations. If you do, please provide consent here: http://eepurl.com/dtqjR9
We are reviewing all current and new contracts to ensure the transfer of data between us, our clients, and our 3rd party suppliers is documented and adheres to the new regulations, and we’ll in turn be including GDPR-specific clauses in our own terms and conditions moving forward.
In addition to modifying our own websites to deliver GDPR compliance, we are also working in partnership with clients who have sourced bespoke sites and systems from Inspiretec, to design and roll out GDPR compliant functions where required.
GDPR is wide-ranging and naturally touches many areas of businesses. We have commenced a large programme of change, focused on addressing a prioritised backlog of identified areas for improvement:
Updating our policies.
We are currently working with the NCC Group, acting as our GDPR consultant, to tailor and update the following key business policies:
We have also updated our recruitment and HR policies to reflect the incoming legislative changes.
Our hosting is within a Tier 3+ data centre, which means full N+1 architecture in the data centre design, along with stringent security checks both at the perimeter and within the data centre itself. It’s manned 24/7 by the data centre operational team. NGD deploys a 6-layer wall design and general construction to California earthquake resistance standards. Front aspects are protected by 10-ton granite blocks. The perimeter is ringed with military-grade fencing, digital tripwires and multiple IR CCTV towers with diverse power and connectivity feeds.
Traffic management systems control entrance and exits supported by double airlock gates. Security teams continuously patrol the site. NGD’s extreme physical security is matched by its site procedures, staff screening and each customer’s individual threat appraisals.
Biometrics, interlocks, turnstiles and CCTV (covert if required) are consistent with published UK government standards. Our data centre, NGD, holds the following accreditations:
- ISO/IEC 27001
- ISAE 3402 Type II
- SSAE 16
- PCI DSS
Our hardware design follows the same ethos. We have dual resilient internet feeds which are geographically diverse: one takes a route just north of the M4 and the other much further south of the M4. Both lines are terminated into separate areas of LINX (the London Internet Exchange).
Should both of these go down, we also have options to route traffic over the ISP’s wider network. Each fibre optic feed comes into different racks from different, dedicated communications rooms, one at each end of the data centre. Additionally, we have dual, resilient edge routers, firewalls (multiple physical and virtual), switches and load balancers. Server architecture follows the same dual-resiliency principle: the platform is designed to tolerate two physical blade failures and remain operational.
VMware ESX Enterprise is in use with modules such as VMware High Availability (HA) and VMware DRS. Our storage architecture is based on Nimble CS1000 + 7000 arrays. Our racks are locked, and access to keys is restricted to 4 members of the business, who are also required to certify annually with the data centre.
Cisco AMP is used to defend against malware. The network is segmented with VLANs and multi-context firewalls, machines have multiple NICs, and database layers are secured deep inside the network. All security and critical operating system updates are performed monthly. Roadmap plans are to introduce a WAF, Cisco AMP for Networks and VMware NSX in 2018.
NOTE. The hosting security section above is only applicable to clients who use Inspiretec hosting services.
Subject access requests.
A key new area of incoming legislation is the introduction of compulsory Subject Access Requests. We have introduced new processes to handle such requests for customers who use our core products.
Please log any subject access requests, whether for retrieval or deletion of data, through our Support Desk. This ensures the request time and date are recorded, so that Inspiretec can respond within the 30 days required by the legislation.
Our Support Desk will work closely with our Technical Services department to fulfil these requests within the required timings.
A key area for Inspiretec, both before the introduction of GDPR and on an ongoing basis, is providing our employees with the training required to handle sensitive personal data, be it during new development, when handling support queries and issues, or in day-to-day business activities.
We are bolstering our new starter induction programme with targeted data protection training, alongside a brief of all company data policies and processes.
The same training will be provided to all existing employees, with additional training provided to those that handle large volumes of sensitive personal data. All employees will gain a CPD accreditation following these training courses.
All training will be refreshed annually to ensure employees are up to date with movements in this area.
We are working on a number of product enhancements across our product range; our key enhancements relate to:
The expiration of data
We are providing functionality to expire data after a customer-defined time range.
The anonymisation of data outside live environments
We will be creating and running scripts to anonymise all personal data used in test and development environments.
Fulfilling subject access requests
We have created scripts that can be run to pull down, or delete, all data on a subject, as per new requirements. As mentioned above, please submit any subject access requests through our Support Desk.
Bespoke website/system enhancements
Many of our clients are already proactively working with our teams on enhancements to their products in readiness for GDPR. If you require any changes to become GDPR compliant, please get in touch with your Account Manager who will be able to coordinate this work.
If you have any questions or queries relating to our activities in preparation for GDPR, please reach out to your Account Manager and they will be able to take forward your questions to the relevant teams internally.
For any queries please contact either our Data Controller or our Data Protection Lead: firstname.lastname@example.org.