The clock is ticking for GDPR to come into effect on May 25th 2018. Data protection rules in Europe will see their biggest change in twenty years.
You may wonder what this means for you and the way PredictX handles your data. Under the new GDPR regulations, individuals have more rights over their own personal data. Data controllers must get consent from individuals before they share any personal information, including email addresses, phone numbers and even names. Third party entities entrusted with sensitive information, like PredictX, have greater responsibilities in terms of securing and managing data.
Luckily, PredictX already has effective measures in place to secure our clients’ data. When GDPR was announced, we used a GDPR Gap-Assessment Toolkit to analyse our existing data protection and security framework and how it fits the new GDPR compliance regulations. We discovered we were already 75% compliant.
There were a few minor adjustments that our data security team needed to make to close the 25% gap. The main one was the implementation of a Data Protection Impact Assessment (DPIA) that incorporates the mandatory requirement of Privacy Impact Assessments (PIA) with monthly audits of internal controls, processes and updates. These audits document our accountability and risk management around data privacy and data protection.
We are proud to say that PredictX is compliant and certified (where applicable) to the following data protection frameworks, associations and Good Practice guidelines:
- ISO27001:2013 certified with BSI and QMS International since 2014
- DPA98 (Data Protection Act 1998) registered with the ICO (Information Commissioner’s Office) since 2009
- PCI/DSS compliance with Qualys for vulnerability scanning of web applications
- Cyber Essentials Certified by IT Governance Ltd
- GDPR Compliance
Our current data protection strategy incorporates the measures we had in place before plus some new changes. We have appointed a Data Protection Officer (DPO) to ensure that we, as Data Controllers and Data Processors, stay compliant with data protection regulations and comply with the data privacy principles that govern the use, processing and storage of personal data.
The current strategy includes data encryption, disaster recovery, record keeping, risk assessment, privacy, staff data protection and IT awareness training programmes. In light of the recent changes, it also includes personal data protection.
- Masks data through the implementation of Universally Unique Identifiers (UUIDs) to replace sensitive data fields. Actual values are stored in our own security server. Without this server there is no way to recreate the information.
- Uses 28-bit encryption
- Uses self-encrypting disks for application databases.
- Uses the latest released versions of the MongoDB, Vector, MySQL and PostgreSQL database platforms.
- Includes the latest security patches from the vendor for the CentOS Linux platform, ensuring secure hosting of the front end and back end.
PredictX has, since 2014, held an ISO27001:2013 certification with BSI and QMS International. The following measures allow us to meet industry standards for business continuity and disaster recovery:
- Two Equinix data centres are provided for disaster recovery. Both have certified BCP/DR processes in place.
- Client data remains in the UK and the data is replicated across both data centres using identical hardware and software platforms.
- We have VM snapshot capability.
- Quarterly integrity and availability tests are provided for backups.
Record keeping and risk assessment
- All access to and changes of Px data are logged on a secure, centralised server. These records go back six months.
- External BSI auditors audit PredictX’s security and risk controls across all associated process management twice a year.
- All changes and change control management are logged through a ticketing system on a web-based platform known as Jira.
- No matter how big or small, all incidents, problems, breaches, client related issues and personal issues are reported through a centralised online Incidents and Reporting document log.
- Data Protection Impact Assessments (DPIA) on client details occur monthly.
- We have implemented DPIA and PIA processes to determine various data set types and associated criteria. These also determine risk impact.
Personal data protection / data privacy
The data controller or client has full control over the individual’s personal information. They can request to suppress or anonymize the processing of specific personal data.
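The UUID masking described in the strategy list above, together with the suppression request described in this paragraph, as an added illustration that is not PredictX’s own code: personal fields are replaced by random UUID tokens whose only mapping lives in a separate vault, and suppressing a field means dropping its vault entry so the token can never be resolved again. The field names, the in-memory vault and the sample record are constructed assumptions.

```python
"""Pseudonymisation with a UUID token vault (illustrative, constructed example)."""
import uuid
from typing import Dict, Optional

# Fields treated as personal data in this constructed example
PERSONAL_FIELDS = ("name", "email", "phone")


class TokenVault:
    """Holds the only mapping from UUID token to the real value.

    In a deployment this would live on a separate, access-controlled
    server; here it is an in-memory dict so the example runs offline.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # uuid4 is random, not derived from the value, so a token on its
        # own reveals nothing and cannot be matched by hashing guesses.
        token = str(uuid.uuid4())
        self._store[token] = value
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._store.get(token)

    def suppress(self, token: str) -> bool:
        """Honour a suppression request: drop the mapping so the token
        becomes permanently irrecoverable; the masked record is untouched."""
        return self._store.pop(token, None) is not None


def pseudonymise(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with personal fields replaced by tokens."""
    return {k: vault.tokenise(v) if k in PERSONAL_FIELDS else v
            for k, v in record.items()}


def reidentify(record: dict, vault: TokenVault) -> dict:
    """Resolve tokens; fields whose mapping was suppressed come back as None."""
    return {k: vault.lookup(v) if k in PERSONAL_FIELDS else v
            for k, v in record.items()}


def is_uuid_token(value: str) -> bool:
    """Check that a stored field holds a version-4 UUID token, not a raw value."""
    try:
        return str(uuid.UUID(value, version=4)) == value
    except ValueError:
        return False
```

A record re-identified with a fresh (empty) vault resolves every personal field to None, which is the "without this server there is no way to recreate the information" property stated above.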
All data processing remains at our two UK-based Equinix data centres. Secured, encrypted file transfer protocols are used for any transfers made inside or outside of the EEA (European Economic Area).
If any data is breached, PredictX has a Breach and Forensic Readiness policy with investigative and mediation processes for each type of breach included.
All client data is stored for the duration of the contract. Upon contract termination or end, all data, including segregated VM, backup copies, snapshots and physical media with data sets, is either securely returned to the client or is destroyed.
Staff data protection and IT awareness training
PredictX promotes a culture of data security awareness. PredictX senior management personnel are members of the Information Security Management System (ISMS) Committee. IT awareness, data security and data protection training is provided to all employees as they join the company. Afterwards, quarterly training is provided.