Privacy and GDPR Statement


Introduction

At Ellis Whittam, we take our responsibilities around data security and privacy very seriously, a commitment that runs throughout this Privacy and GDPR statement: our systems, processes, and people work together to ensure the confidentiality, integrity and availability of the data that we control and process.

We have robust information management and security systems, evidenced by our alignment to the ISO27001 framework, and we have committed to adhere to a security first principle in all our systems and processes.

Transparency is important to us, and in this statement we set out the controls and processes we have in place to ensure we exceed regulatory data security and privacy standards.

How we comply with GDPR

Summary statement:

Data security is a golden thread which runs throughout our organisation, and we have incorporated best practice and privacy protection regulations (including the GDPR) within our standard business processes. Data security is owned at Board level. We use the ISO27001 framework as the minimum benchmark for information security. We are committed to commissioning external, independent audits of our data security practices and systems at least annually.

Organisational Controls

We maintain a detailed data inventory.

We maintain an asset register for both software and hardware assets.

We have appointed a Data Protection Officer (DPO) who also sits on our Operational Board of Directors: data protection is owned and reported upon at Board level.

We publish privacy notices, providing clear information for our staff, our applications, our clients and our website visitors.

We are registered with the Information Commissioner’s Office (registration number Z2442783).

We conduct information audits to ensure that all personal data we hold is auditable and trackable.

We have a clearly defined Data Breach & Reporting Policy which documents data breach escalation and reporting processes.

We have a clearly defined Subject Request Process which explains how data subjects can exercise their rights under privacy laws.

We have a Business Continuity Plan in place which is tested at scheduled intervals.

We have an SOS service status website to ensure that, in the event of extended service outages, we can inform our employees and clients.

We have a supplier authorisation process and conduct appropriate due diligence upon all data handling suppliers, sub-processors and third-party consultants.

Where appropriate, we ensure Data Protection Impact Assessments (DPIAs) are completed for data processing operations that involve a higher than normal risk to the rights and freedoms of data subjects.

We are committed to continuous improvement, and subject every part of our ISMS to an independent audit, at least annually.

Human Resource Controls

We perform pre-employment screening checks to verify that employees are suitable to work for us and that the data they provide about themselves is accurate.

Our employment contracts include data protection obligations.

We deliver regular data protection training sessions to our employees. Related to these training sessions, we conduct regular tests and assessments for all employees to ensure a high level of competency, knowledge, and understanding of relevant best practice and data protection regulations.

Technical Controls

Our ISMS is aligned and built to the ISO27001 standards framework.

We enforce that all devices (physical or virtual) and methods of communication that store and/or transfer data are encrypted, in line with good industry practice.

We follow a robust set of policies directed by our Information Security Management System, including (but not limited to):

an Access Control Policy mandating Role-Based Access Control and the Principle of Least Privilege for user and system access;

a Remote Access Policy designed to minimise the potential exposure to unauthorised use of our systems and data from remote locations;

a Password Policy setting a strict standard for the creation of strong passwords, the protection of those passwords, and the frequency of change;

a Removable Media Policy forbidding its use in nearly all situations, to minimise the risk of loss or exposure of sensitive information held on portable storage;

a Data Security Policy to ensure we protect restricted, confidential or sensitive data from loss or corruption;

a Clear Desk and Clear Screen Policy.

We utilise best-of-breed device management tooling to provide near-real-time security insight across our environment.

We conduct regular backups to enable data recovery in case of accidental loss or malicious attacks.