Our Commitment to the General Data Protection Regulation (GDPR)
The new EU General Data Protection Regulation (GDPR) comes into force on May 25 2018. This replaces the UK Data Protection Act (DPA) and any other local equivalents in EU member states. Whilst having a similar overall aim (protecting personal data), GDPR includes new responsibilities, more stringent enforcement and substantially increased penalties.
Data Interchange is committed to high standards of information security, privacy and transparency. We comply with applicable GDPR requirements whilst processing data on behalf of our customers (as a Data Processor) and in our own handling and storage of personal information (as a Data Controller).
How has Data Interchange prepared for GDPR?
There have been 2 main areas of focus in preparing for GDPR:
Internal Processes and Certifications (Data Controller)
Data Interchange has Management Systems certified against the ISO 9001 (Quality Management) and ISO 27001 (Information Security Management) standards. These management systems contain the processes developed through data classification and risk analysis to ensure that data is handled in an appropriate fashion.
We will not collect or store any unnecessary personal data relating to customers or others as part of our normal business operation. We only store sufficient information to allow us to contact and invoice customers. Any email communication sent from Data Interchange to existing customers will include an “opt out” option.
Customer information is not shared with 3rd parties.
DINET and Managed Services (Data Processor)
Our services may process data provided by customers on their behalf. This generally involves the receipt, storage and forwarding of files, but may also involve data transformation or reformatting (as per customer requirements).
Whilst there is a wide range of data content and formats being processed, all customer files are assumed to be of a sensitive nature and are treated as such.
- Data is secured in transit using secure communication protocols
- All customer data files are encrypted at rest on disk
- Data resides on hardware wholly owned and operated by Data Interchange within the UK
- The services run on a separate physical network to our “Corporate” systems and are only accessible to our Managed Services support team, all of whom are trained in information security best practice
- All services are implemented using at least 2 layers of redundancy for high availability at a primary data centre
- All services are replicated to a second disaster recovery data centre
- All data is backed up securely
- All services are monitored 24/7 with automated health checks, service dashboards and a permanently manned service desk
- File processing is monitored by our skilled Managed Services team who will ensure that any issues are detected and followed up as a matter of urgency without compromising the security or integrity of customer data
Retention and use of customer data
- Unless contractually specified, by default customer data is retained for 35 days. This allows us to assist in resolving disputes between sender and recipient regarding content.
- Customer data is not used outside of the production Managed Services environment or used for any purpose other than those set out in the managed services contract.
- The lawful basis for processing personal data is the performance and fulfilment of our contract with our customer and in certain instances the legitimate interests of Data Interchange and/or its customers
Rights of Data Subjects
- Data subjects have the right to access information held about them and the right to request that information be deleted or corrected (as appropriate). They also have the right to request that their information is transferred to another organisation. They can exercise these rights at any time by contacting us using the contact details set out below.
- Questions, comments, concerns and requests regarding this Privacy Statement or our collection or use of your information are welcomed and should be addressed to the email address set out below.
- The Information Commissioner’s Office is the UK’s supervisory authority for privacy and data protection matters – for more information visit www.ico.org.uk/concerns/
Addition to DINET Terms and Conditions
To ensure that there is no disruption to service during software upgrades, all new service releases reprocess a selection of previously processed files with the resulting output compared automatically to previous processing performed by the current service release. This testing is automated and takes place within the same secure Managed Service environment as production processing and all customer data remains encrypted on disk.
We are Data Interchange PLC, incorporated in England with company no. 2018041. Our registered office is at Rhys House, Minerva Business Park, Lynchwood, Peterborough PE2 6FT. You can also contact us by email at firstname.lastname@example.org