The scope of information security is broad and we believe we have taken a thorough approach with our commitment to ensuring the confidentiality, integrity and availability of customer, supplier and employee data.
We operate in a highly regulated industry and in addition to adherence to voluntary codes of conduct we are a member of ITSPA.
Gradwell are also an ISO/IEC 27001:2013 certified organisation, reflecting our commitment to information security and continual improvement. We have a dedicated team in place to monitor current regulation, assess compliance and coordinate activities to ensure Gradwell continue to meet requirements.
As part of our ISMS framework, we have a robust disaster recovery and failover process that is periodically tested and invest in vulnerability scans and penetration tests to identify and respond effectively to potential risks.
Should you have any queries about our approach to information assurance and regulatory compliance please complete the form or contact our Information Security team.
Data Protection: EU GDPR & DPA 2018
The Regulation reflects a collaboration of the European Economic Area to provide a solution to application of data protection law and enhancing the rights of individuals in the first major overhaul for many years.
Each country has a Supervisory Authority in place to regulate compliance and issue fines dependent on the impact to the rights and privacy of the individual/s affected. For the UK this is the Information Commissioners Office (ICO) and maximum penalties for breach of the GDPR can be very high.
What has changed?
– there is a lawful reason for collection and processing
– where consent is given, it is made freely, informed and just as easy to retract and
– only the necessary data required is retained and only for as long as it is required.
The sharing of individual’s data is also restricted with further explicit consent being required if using or wishing to share with other parties for any other purpose than it was originally collected for unless other lawful reasons for sharing the data apply, for example to investigate criminal activity or in the best interests of the data subject.
A person can now easily access their personal data, make applications to correct, port, restrict or have it deleted under qualifying circumstances.
For full details on changes to data protection regulation please refer to the ICO website www.ico.org.uk
Your legal rights under GDPR
The right to be informed
Individuals have a right to understand when their personal data is being held and processed, even when this has been obtained indirectly.
The right of access
You can request access to your personal data at any time to be aware of and verify the lawfulness of the processing, this is via a Subject Access Request (see below).
The right to rectification
Personal data can be easily rectified if inaccurate, incomplete or out of date. This can be done by updating your control panel or by written request (please see below for information)
The right to erasure
Under qualifying criteria, you can request your data to be deleted where there is no lawful reason for its continued processing. Please refer to the GDPR regulation or ico.org.uk for full details.
The right to restrict processing
Under qualifying criteria, you can request the processing of your data to be restricted. This means your data will still be held but not processed and may apply where information is inaccurate or if there is an objection over the lawfulness of the processing. Please refer to the GDPR regulation or ico.org.uk for full details. Please send your request in writing as per the below instructions.
Where data is restricted, Gradwell shall, where possible, also inform any involved 3rd parties of the restriction.
The right to data portability
Individuals can request personal data to be provided in order to reuse elsewhere and/or moved from one IT environment to another in a secure manner without hindrance. Please send your request in writing as per the below instructions.
The right to object
Where processing of your data is taking place under certain purposes and no legitimate reason exists for this, you have the right to object. Please send your request in writing as per the below instructions.
Rights in relation to automated decision making and profiling
Automated decision making, and profiling can only take place where consent or a lawful reason apply. Processors are also required to notify individuals when their data is processed by automated means and provide information about the processing and lawful reason for doing so. It should be straightforward for an individual to challenge or request intervention.
The changes we made to improve
- Here is a brief overview of action we’ve taken to meet the new regulation:
- We assigned a Data Protection Officer (DPO) part of a core team dedicated to compliance, regulatory affairs and information security.
- We conducted Data Protection Impact Assessments (DPIAs) and prepared data flow records which help us to understand what personal data is collected, how it is used and stored and feed into data flow records and risk assessments.
- A Data Breach Procedure has been introduced and internal training provided.
- A Subject Access Request Procedure has been implemented and internal training provided.
- We introduced mandatory GDPR training for all staff to ensure data is handled securely.
- Data Processing Agreement contract addendums have been sent to all partners.
- Our Terms and Conditions have been updated to align with GDPR.
- An updated Retention Schedule has been published.
- We are continually providing guidance to our teams to ensure business activities meet regulation standards
- Where there isn’t clear published guidance, we contact with the Information Commissioner’s Office (ICO) for advice.
Here’s what we continue to do:
- Invest in technology to retain a secure infrastructure that is regularly tested for resilience.
- Provide ongoing training for our team to keep data secure.
- Assess compliance and identify risks with audits and internal procedures.
- Maintain an ISMS (Information Security Management System) and PIMS (Privacy Information Management System) framework.
- Include information security and data protection in all projects and new contracts.
- Monitor upcoming legislation and identify steps to meet requirements.
Accessing my Data – Subject Access Request
Application in writing – You will need to make a request in writing, via an email to firstname.lastname@example.org or post to Governance Team, Gradwell Communications Ltd, Ground Floor, Trimbridge House, Trim Street, Bath BA1 1HB.
Proof of identity – You will need to provide proof of identity as part of your application. Please provide contact telephone numbers as identity is confirmed via a callback and DPA verification from a member of our team for data protection purposes
What to include in your application – please state the specific data you wish to access
If you wish to apply to restrict, rectify, port, object or request erasure of your data, please submit your request in writing as above also including the qualifying circumstances that apply.
Please note in order to validate your request our staff must verify your identity for data protection purposes and where relevant, confirm the qualifying criteria.
Following verification Gradwell will provide the information and lawful basis for processing your data within one month of receipt. This will be in a format that is concise and intelligible and at no cost to you*.