Statement of Compliance

Introduction

On 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into force (this includes the United Kingdom regardless of its decision to leave the EU) and will impact each and every organisation that holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and a significant increase in penalties compared to the current Data Protection Act (DPA) that it will supersede.

Simply put, individuals will now have greater say over how, why, where and when their personal data is gathered, processed and disposed of. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.

If you hold and process personal information about clients, staff or suppliers, you are legally obliged to protect that information.

You must:

• Only collect information that you need for a specific purpose
• Ensure it is relevant and up to date
• Only hold as much as you need, and only for as long as you need it
• Allow the subject of the information to see it on request
• Keep it secure

Our Commitment

OES has always honoured our customers’ right to data privacy and protection. We have demonstrated our commitment by adhering to the current UK Data Protection policy, and now we are revising our own internal policies in order to meet the requirements of the GDPR.

OES is, and has always been, committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards, we will ensure that we will comply with applicable GDPR regulations when they take effect. This includes our role as a data processor, whilst also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

What we are doing to help our customers

OES is fully aware of our role in helping to provide the right tools, systems and processes to support our customers’ need to meet their GDPR mandate. We are also aware of where our responsibility starts and finishes and where it is more prudent to recommend or liaise with other professional services organisations to help our customers to meet the requirements of GDPR beyond the realms of IT.

As a data processor, OES understands our obligation to help customers get ready for 25th May and beyond. We have thoroughly analysed GDPR requirements and we have in place a number of systems, processes, products and services to assist your company to meet them.

These include:

• Password policy template
• User education and awareness
• Hardware and software security reviews
• Email filtering and quarantine services
• Web content filtering and security
• Advanced Threat Protection including sandboxing and malicious link inspection
• Anti-exploit software
• Robust firewalling with Unified Threat Management
• Business-grade anti-virus protection
• Anti-malware deployments
• Data encryption services
• Onsite and Cloud-based data backup solutions
• Business continuity and disaster recovery planning
• Multi factor authentication and secure SSL VPN

What you can do to prepare for GDPR

We understand that meeting the GDPR requirements will take a lot of time and effort. As your IT partner, we want to offer as much help as you require to make the process as seamless as possible. If you are just getting started with GDPR compliance in your organisation, here is a quick to-do list to

keep in mind:

• Appoint a data privacy officer, or team, to oversee GDPR activities and raise awareness
• Identify the personal data that is being collected and minimise where possible
• Analyse and record how this information is being processed, stored, retained and deleted
• Establish procedures to respond to data subjects when they exercise their rights
• Create processes for data breach notification activities
• Assess the threats and risks to your business through the creation of a risk register
• Review current security and privacy processes and where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR
• Train your staff both in terms of cyber security risks and also data privacy policy
• Secure your data, both in the office and on the move
• Backup your business-critical data, ideally both in the office and in the Cloud