Quick Jump to a Policy:

GDPR Policies & Procedures

 

General Data Protection Regulation (GDPR)

On 25 May 2018, European data protection legislation was updated for the first time in 20 years. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to harmonies data protection laws across Europe, regardless of where that data is processed.

Skill Set 365 is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing stringent privacy and security protections that are built into our service and contracts.

What you can do

What are your responsibilities as a customer?

Skill Set 365 customers will typically act as the data controller for any personal data they provide to Skill Set 365 in connection with their use of our services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Skill Set 365 is a data processor and processes personal data on behalf of the data controller when they use the Skill Set 365 facility.

Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority.

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, legal advice.

Where should you start?

Here are some considerations to help you work towards GDPR compliance:

Firstly, familiarize yourself with the provisions of the GDPR, especially the differences from previous data protection obligations.

Ensure you have an up to date inventory of personal data that you handle. You can use Skill Set 365 to help identify and classify data.

Review your controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, plan to address any areas that need amending as a matter of urgency.

Consider how you can leverage the data protection features within Skill Set 365 as part of your own regulatory compliance framework. Review Skill Set 365 third-party audit and certification materials to see how they may help with this exercise.

Monitor updated regulatory guidance as it becomes available.

Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.


WHAT WE’RE DOING

Skill Set 365 commitments to the GDPR

Alongside other duties, data controllers are required to only use data processors that provide adequate guarantees to implement appropriate technical and organizational measures so that data processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Skill Set 365:



Skill Set 365 employs and works with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure, and implement Skill Set 365's security policies.

Our teams engage with customers, industry stakeholders, and supervisory authorities to shape the Skill Set 365 services in a manner that helps customers meet their compliance needs.

OUR POLICIES

Our terms have been updated to reflect GDPR and are available on the support portal of our website.

FUNCTIONALITY

We have verified that our application, Skill Set 365, has all of the necessary functionality for compliance with the GDPR. The method we use for deletion and retention of data is acceptable for use under the GDPR.

DATA PROCESSING

We promise to maintain a high level of security, and will ensure timely breach reporting to meet all GDPR expectations. To reflect this, we have signed up to Rackspace managed security: https://www.Rackspace.Com/en-gb/managed-security-services This is the gold standard for security management. This service introduces automated analysis of the log files, forensic analysis of breach detection and timely notification and then recovery. We've purchased this on behalf of all of our customers. It's active as of now and we will be contractually assuring our customers of the use of it. It's incumbent upon data controllers to ensure the data processors have the right infrastructure in place to process your data. By purchasing this service, we can assure you we have the technical infrastructure in place which goes above and beyond regulation requirements.

PROCESSING ACCORDING TO INSTRUCTIONS

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our previous, as well as our current GDPR-updated data processing agreements.

EMPLOYEE CONFIDENTIALITY

All of Skill Set 365’s employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Skill Set 365’s Code of Conduct outlines expected behavior with respect to the protection of information.

USE OF SUBPROCESSORS

Skill Set 365 always adheres to the requirements of the GDPR legislation to identify sub-processors.

DATA RETURN & DELETION

Administrators can delete employee data, via the functionality of the Skill Set 365 services, at any time during the term of the agreement. We have included data export commitments in our data processing terms since we began trading, and we continue these commitments post-GDPR. We are always working to enhance the robustness of the data export capabilities of the Skill Set 365 services.

Skill Set 365 store data backups for two weeks before the backups are replaced fully and any old data is removed.

DATA CONTROLLERS

How Skill Set 365 assists data controllers

Data Subject's Rights

Skill Set 365 can provide an export of customer data, at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we continue these commitments post-GDPR

Data Protection Officer

The Skill Set 365 Data Protection Officer is Errol Cameron, any questions can be directed to him regarding data protection concerns.

Incident Notifications

Skill Set 365 provides contractual commitments around incident notification. We will inform you of incidents involving your customer data, in line with the data incident terms in our previous, and GDPR-updated, agreements.

Certifications

Our customers and regulators expect independent verification of security, privacy, and compliance controls. The Skill Set 365 platform and service undergo several independent third-party audits on a regular basis to provide this assurance.

STANDARDS & CERTIFICATIONS

Our customers and regulators expect independent verification of security, privacy, and compliance controls. The Skill Set 365 platform and service undergo several independent third-party audits on a regular basis to provide this assurance

 

ISO27001 Accredited pending
Skill Set 365® is in the process of an independent audit to meets the requirements for BS EN ISO 27001:2013 registration. The scope covers how we manage information security in providing online Human Resource Management software and services to our customers.

Data Protection Registration
Skill Set 365® is fomalizing being registered with the Information Commissioner’s Office (ICO). This means we are contractually committed to delivering our services in compliance with the Data Protection Act (DPA). 

Penetration Testing
We commission regular independent penetration testing of our infrastructure, to ensure we keep our system free from vulnerabilities. With many high profile customers in the financial sector, we recognise the need for tight security at a very technical level.

 

 

 

 

Data Protection Officer

What’s the name and contact details of your Data Protection Officer?

Errol Cameron him@errolcameron.com

Accreditations

What security accreditations you have?

5 pending

Systems and applications

Where is your data center located?

Florida, USA

Will the space in your data center be shared with any other clients?

No, we have a dedicated infrastructure

What measures are in place to protect the physical security of data centers where our data will be stored?

Data centers are owned and managed by Rackspace

Who has access to our data?

Our Customer Services team

Is our data on your servers encrypted at rest?

Yes, we use Vormetric encryption to encrypt your SQL data and all your documents

Business continuity

Do you have a business continuity plan that is reviewed, tested and updated at least annually?

Yes

When was the business continuity plan last tested?

October 2018

User access

Who within your organization will have access to the personal data?

Our Customer Services Team

What user authentication do you use on networks/systems that store/process our data?

Our Customer Services team can access your data via a super admin function. This function can only be accessed from the IP address of our offices. 

Access to our serves is also tied down to fixed IP addresses and via 2FA.

How often are user accounts reviewed for suitability of access levels?

We run a monthly report of who logged in to our severs

What are your password complexity policies?

We have a password policy as part of our ISO 27001 ISMS

Penetration / security testing

Do you conduct penetration testing at least annually on all networks hosting our data?

Yes, annually. We have also allow clients to do independent pen tests.

Physical security

Could you please describe the physical security that protects our data, including building access and physical server access?

Physical security to our servers is managed by Rackspace. Physical security to our offices is managed by us.

Anti-virus

Do all devices hosting or connecting to our data have AV which is updated at least daily, runs a scheduled scan at least daily, and runs on execution?

Yes, all our laptops use Webroot AV, our servers use Sophos

Application development

What procedures do you have in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to roll out?

We have a secure development policy. The development life cycle is the standard Business Requirements à Functional Specification à Technical Specification àDevelopment àUnits Tests àQAàUATà Live

Describe the segregation of duties, including the separation of development, test and operational facilities?

We have separate environments for Development, System Testing, UAT and Live

Is production data used in test or development environments?

No

Logs

Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data?

Yes, we have Rackspace Managed Security provides active threat detection and remediation for advanced persistence threats (APTs) and other cyber-attacks.

Are all logs protected from deletion and/or amendment?

Yes

Is access to all logs recorded and monitored?

Yes

Breach notification

Do you have a formal breach notification process?

Yes

What is the timelines to notify us of any suspected breach?

We would notify you without delay

Have you had a security breach within the last 12 months? If so, please describe the incident, effect and outcome.

No

Data retention / deletion

For what period do you retain our data?

We never delete your data. How long you retain data on our facility is your responsibility

For what period is our data stored in back-ups?

We have a 14 day backup rotation period

Where are our backups kept?

Florida USA

Data encryption

Is Personal Data encrypted in transit? Explain how

Yes, using https protocol

Is Personal Data encrypted at rest? Explain how

Yes, using Vormetric encryption which encrypts your data and your documents

Territories

Is any our processed, stored or transferred outside of the EEA?

No

Sub-processors

Is our data passed on to any third parties for processing?

No, however we use Rackspace for hosting our Infrastructure and Mailgun for transmitting our emails .

 

Comments

C25252F65D94440088020374EFF326A3