The EU General Data Protection Regulation (GDPR) became applicable across the European Union on 25 May 2018 and brought with it the most significant changes to data protection law in two decades. Built on privacy by design and a risk-based approach, the GDPR was designed to meet the requirements of the digital age.
Coretek Group remain committed to ensuring high standards of information security, privacy and transparency.
We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. We place a high importance on protecting and managing customer data in accordance with the new GDPR standards.
We are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the regulation. Our objectives for GDPR compliance are summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure full and ongoing compliance.
We will also work closely with our customers and partners to help them meet their obligations through the provision of professional services.
As part of our GDPR compliance process, we have reviewed and updated all our internal processes, procedures, data systems and documentation in order to help ensure that we are fully compliant with the new regulations.
Coretek Group already has a consistent level of data protection and security across the organisation; however, it is our aim to remain fully compliant with the GDPR by continuing to review and update the following data protection categories, among others:
- Data Protection
- Data Retention
- Data Breaches
- International Data transfers and Third-party disclosures
- Subject Access Requests
- Processor Agreements
Our GDPR Principles
- Accountability and governance measures are in place to ensure that we manage customer and partner data in accordance with GDPR data protection requirements.
- We will only process personal data for specified and lawful purposes, hold only relevant and accurate personal data and, where practical, keep it up to date.
- Data breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time.
- We have revised our Subject Access Request (SAR) procedures to accommodate the GDPR timeframe of one month for providing the requested information (extendable by two further months where requests are complex or numerous).
- We will endeavour to ensure that personal data is not transferred to countries outside the European Economic Area (EEA) without adequate protection, such as an adequacy decision or other appropriate safeguards.
Our GDPR Focus
- We aim to build on our existing security and business continuity systems, including our ISO 9001:2015 certification, to help ensure our compliance, and to introduce ISO 27001 into our own compliance programme.
- We provide services and solutions that help customers to understand and prepare for the GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data compliance.
- Coretek Group has a robust ISO-based Quality Management System (QMS, ISO 9001:2015) and, to ensure compliance, will implement additional or augmented company-wide controls to meet GDPR requirements within an Information Security Management System (ISMS, ISO 27001).
- Updated Information Security policies and procedures (backed by ISO 27001) will build on existing management systems, including our QMS and our ITIL Service Desk system.
- Our Information Security, Control and Classification policy will be informed by gap analysis and data protection risk assessments, and supported by communication and training programmes.
- Coretek's Data Protection Officer will inform, advise and monitor compliance. The company will implement tools, as appropriate, that support the process, provide the necessary security and ensure ongoing delivery of objectives.
- We will provide training to our team and generally raise the awareness and importance of GDPR to our business.
- We will continually look at ways of improving our systems and procedures to better comply with GDPR best practice.
Data Storage and CoretekCloud
For any of our clients specifically hosted on our CoretekCloud platform, we have put considerable security measures in place with regards to the protection of data, as follows:
- Physical location – CoretekCloud is hosted within a Tier III datacentre where physical access to the environment is tightly controlled. The datacentre is UK-based and no CoretekCloud data resides offshore.
- Physical access to the platform by Coretek staff – Physical access by staff is permitted only via an access control list, and only a small number of senior engineers are authorised to do so.
- Public access to the service – Access to the service is solely through a secure web portal that is kept up to date with security patches on a regular basis. The portal is also PCI DSS compliant.
- Third-party software services (Azure Backup / Office 365) – As above, the data hosted in these environments is located solely in UK-based datacentres.
- Data guardians – Only a select number of senior staff are permitted access to tenant company data. General service desk technicians have only the basic access needed to carry out session shadowing for support procedures and password resets; they have no access to tenant company data, in line with how most larger service providers approach this.
- Login attempt monitoring – Failed logins to the environment are monitored and reported to Coretek third-line support on a daily basis.
- Backups and data retention – Company file data is backed up daily and retained for one full year. Other third-party client applications are also backed up daily; however, these backups are retained for 30 days only.
- Use of personal information stored in CoretekCloud – The only personal information that is stored and reported on is that described under login attempt monitoring above: the usernames of CoretekCloud tenant users who have failed to authenticate are recorded and reported on for auditing purposes. Aside from that, no other personal data is used.
Data and coretek.co.uk
You may be asked to submit personal information via our website, such as your name, company, email address and phone number.
We use this data to communicate with you, for example to reply to enquiries, send commercial communications or inform you about our products and services.