GDPR
General Data Protection Regulation (GDPR)
From 25th May 2018, the EU General Data Protection Regulation (GDPR) will replace the existing EU Data Protection Directive. The GDPR has been designed to improve and solidify the rights that individuals, known as Data Subjects, have in terms of their personal data, where is is processsed and how it is processed.
At SMB, your data and our compliance to data protection regulations is paramount. We have recently updated our privacy and security policies to ensure the highest compliance with the new regulations.
Your Responsibilities as Data Controller
Customers of SMB will normally act as Data Controllers for any personal data stored within the SMB platform as part of our service to you, while SMB acts as a Data Processor for that data.
As a Data Controller, it is your responsibility to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Controllers' obligations relate to the main GDPR principles including lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects' rights with respect to their data.
Due Diligence QA
To aid our customers in ensuring they meet the obligations of data protection legislation including GDPR on the basis of SMB acting in the capacity of a Data Processor, we have generated the following general responses to a Data Controller’s Data Protection Questionnaire.
If you require more information, please contact us at dpo@smb.co.uk.
| Q | HOW DO I CONTACT YOUR DATA PROTECTION OFFICER? |
| A | The Data Protection Office for SMB can be contacted at dpo@smb.co.uk |
| Q | IS YOUR DATA CENTRE SECURITY ACCREDITED? |
| A | The Fasthosts and Microsoft Azure data centres are accredited to ISO27001. |
| Q | WHAT METHODS OF PROTECTION FROM UNAUTHORISED ACCESS DO YOU USE TO SECURE YOUR NETWORK AND OR DEVICES? |
| A |
At SMB we have adopted a strong password policy, with a mandated requirement that all passwords are changed every 30 days. All SMB servers are firewalled with active access monitoring and automatic IP blocking to prevent brute force attacks. Servers are only accessible from specific dedicated IP addresses (our own and our hosting partner) with two-factor authentication on all logins. The SMB system uses a three-strike policy to lock accounts on unsuccessful login attempts to prevent brute force attacks along with IP blocking for addresses with high failed login attempts. Clients may also use CAPTCHA controls and two-factor authentication. |
| Q | WHAT NETWORK OR DEVICE ACTIVITY DO YOU LOG AND HOW FREQUENTLY ARE THE LOGS REVIEWED? |
| A | SMB ensure all employee login and access activity on the windows server is checked every two weeks. SMB also checks all IIS logs for unusual activity monthly. |
| Q |
DESCRIBE YOUR SOFTWARE AND OPERATING SYSTEM PATCHING POLICY |
| A | SMB ensure Windows patches are applied automatically within 3 days of release. Hardware updates are performed by our hosting partners Fasthosts while all Windows patches and hardware patches required are performed by Microsoft Azure. The SMB marketing website is updated automatically where possible and any plugins used are checked weekly for updates. |
| Q |
DESCRIBE YOUR DEVICE AND NETWORK PASSWORD POLICY |
| A |
SMB ensures all Server passwords are changed monthly with a minimum of 40 characters for passwords. Office 365 passwords are changed every 90 days. Within the SMB platform, passwords expire automatically in 90 days depending on client settings. SMB ensures passwords are not reused within 5 changes. |
| Q | WHICH ANTI-VIRUS / MALWARE PROTECTION / THREAT DETECTION SYSTEM DO YOU USE, AND HOW OFTEN IS IT UPDATED? |
| A |
All Fasthosts servers use AVG antivirus and file server protection and are updated daily. SMB also uses Syspeace a platform to monitor and actively block server logins on Fasthosts servers. Syspeace prevents brute force and dictionary attacks on Windows Server 2003, Windows Server 2008 and 2008 R2, Windows Server 2012 and 2012 R2, Windows Server 2016, Microsoft Exchange Server, Terminal Server, Remote Desktop Services, Citrix, Sharepoint, RD Web, OWA, SQL Server and more. On Microsoft Azure servers, Microsoft's own security management tools are deployed and monitored 24/7. |
| Q |
ARE YOU AWARE OF EVER HAVING SUFFERED A DATA BREACH? |
| A | SMB have never suffered a Data Breach. |
| Q |
DO YOU MAINTAIN A DATA BREACH REGISTER? |
| A | Yes SMB holds a Data Breach Register. |
| Q |
WHAT SYSTEMS, POLICIES, PROCEDURES AND AUDIT FACILITIES HAVE BEEN IMPLEMENTED TO DETECT A DATA BREACH OR UNAUTHORISED ACCESS TO THE CONTROLLER'S DATA? |
| A | SMB monitor access logs on Windows Server and server activity with IIS. In addition, access management software is used to track all and any access activity to any part of the hosting infrastructure. |
| Q |
WHAT PROCESSES DO YOU HAVE IN PLACE FOR REPORTING TO THE CONTROLLER A BREACH RELATING TO THE CONTROLLER'S DATA? |
| A | SMB have a detailed Data Protection Policy which covers data breach reporting. |
| Q |
DO YOU ENCRYPT THE CONTROLLER'S DATA 'AT REST'? IF SO, WHEN IS IT DECRYPTED?. |
| A | SMB ensures all PI (address, banking information etc) is encrypted in the database using AES256 encryption and is decrypted on client request (when viewing or editing the data in the secure website). |
| Q |
IF THE CONTROLLER'S DATA IS TRANSFERRED, WHAT ENCRYPTION OR EQUIVALENT SECURITY MEASURE IS DEPLOYED WHEN THE DATA IS �IN TRANSIT'? |
| A | SMB ensures all access to the data is via SSL connection through the browser. |
| Q |
WHAT REMOTE ACCESS FACILITIES THAT COULD BE USED TO DIRECTLY OR INDIRECTLY GAIN ACCESS TO THE SERVER OR DEVICE UPON WHICH THE CONTROLLER'S DATA IS STORED DO YOU MAKE AVAILABLE FOR STAFF AND 3RD PARTIES? |
| A |
The SMB servers have Remote Desktop access, which is only accessible from specified IP addresses owned by SMB, with strong passwords and two-factor authentication. Limited access to client portals is available via the SMB secure support tool, also using strong passwords and two-factor authentication. This access is only used as part of customer support investigation and does not provide access to PI. Access to servers containing client data is never granted to third parties |
| Q |
DESCRIBE THE BACKUP POLICY RELATING TO THE CONTROLLER'S DATA? |
| A | All controller data is encrypted and backed up daily to a secure backup solution with a rolling 30 day retention plan. |
| Q |
PLEASE DESCRIBE WHERE THE CONTROLLER'S DATA (INCLUDING ARCHIVES AND OR BACKUPS, IF RELEVANT) ARE PHYSICALLY AND GEOGRAPHICALLY STORED |
| A | All data is stored in ISO27001 certified datacentres in the UK. |
| Q |
DO YOU MAINTAIN RECORDS OF PROCESSING ACTIVITIES? IF SO, COULD, UPON SUITABLE REQUEST, ACCESS TO THESE BE PROVIDED TO THE CONTROLLER? |
| A | SMB maintain a detailed record of processing activities. |
| Q |
DO YOU TRANSFER, SELL, RENT, OR BY ANY MEANS SHARE OR DISSEMINATE THE CONTROLLER'S DATA TO ANY THIRD PARTY? IF SO, WHO TO, WHEN, WHY AND ON WHAT LAWFUL BASIS? |
| A | Data is not passed on to any third party for processing. SMB use Mailchimp to deliver transactional emails from the system, which never contain PI other than an employee's name and email address and Zendesk to manage the customer support system, which controllers can use to share data with the support team as part of support investigate processes. We have DPAs in place with both of these sub-processors. |
| Q |
IF THE CONTROLLER RECEIVES A SUBJECT ACCESS REQUEST (SAR) FROM A DATA SUBJECT, WHAT MECHANISMS DO YOU HAVE AVAILABLE TO SUPPORT THE CONTROLLER TO PROVIDE THE DATA SUBJECT WITH A RECORD OF ALL THE PROCESSING ACTIVITIES AND INFORMATION COLLECTIVELY STORED ON THEM? |
| A | The SMB platform provides a suite of reporting tools with which the controller can extract data in spreadsheet format including a single export report containing all employee data and documents in a single ZIP repository. |
| Q |
WHAT RETENTION POLICY DO YOU APPLY TO THE CONTROLLER'S DATA? I.E. HOW LONG DO YOU KEEP IT (AND ANY ARCHIVES OR BACKUPS) AFTER PROCESSING HAS BEEN COMPLETED, HOW AND WHEN IS IT DESTROYED AND BY WHOM? |
| A | Controller data is deleted from the system and backup server 30 days after the termination of the client subscription. This is performed manually using a deletion function built in to the administration toolset by a support representative. |
| Q |
DESCRIBE WHO HAS PERMISSION TO ACCESS AND VIEW THE CONTROLLER'S DATA, BOTH INTERNALLY AND EXTERNALLY AND WHY. |
| A | Only the support team has permission to access controller data, for the purposes of support investigation. This access does not provide visibility of employee personal information other than name and email address. |
| Q |
HOW IS ACCESS TO THE CONTROLLER'S DATA LOGGED AND CONTROLLED? |
| A |
If controller data is to be accessed as part of support investigation, this is communicated to the client during the support process. Access is via our administration toolset, which is controlled via secure password and two-factor authentication. |