GDPR Article 28 – Technical and Organisational Measures

ROOTS RESEARCH LIMITED

GDPR Article 28 – Technical and Organisational Measures (Key Elements) applied within Roots Research (as part of its Integrated Security Management System certified to ISO 27001)

Physical/Facility Security Measures

·      Offices located in a property that has been adapted to provide fit-for-purpose premises, with entry to the main building that is multiple-key controlled allowing access for key holders only.

·      Visitor access to the building is controlled through an entry-phone arrangement, and all visitors are escorted from the front door. A Director must be made aware of any visitor before their arrival, and every visitor must have a sponsor who is a Company employee and who is responsible for the visitor at all times while they are on the premises. While a visitor is on the premises, all Company personnel are alerted to their presence.

IT System and Data Security Measures

·         Information assets, both electronic and physical, are identified and classified according to the associated risks for their processing, which are identified within the context of consequence, probability and costs of action.

·         A clear desk policy requires that sensitive and restricted documented information in any format must not be left unattended or exposed in the workplace. Proprietary documented information shall be cleared from the desk and stored securely when a desk is to be left unattended for a prolonged period, including overnight.

·         All office documentation and media containing sensitive or restricted information, whether on digital/optical media storage or in hard-copy paper format, are stored in designated filing cabinets that are kept secured at all times. If in use at work, such documentation and/or media is placed in a locked drawer or other secure place if to be left unattended for a short while.

·         PC workstations are screen-locked and password protected whenever they are left unattended, whether in the Company office or outside it, and are shut down completely if they are to be left for a prolonged period.

·         Where a client supplies a customer list containing personal data via SFTP, the list is provided as a password-protected, encrypted Excel spreadsheet and is saved to the specific project folder on the Company Server.

·         The Company Server provides a secure environment for storage of information assets based on a risk-assessed approach to the Company provision of data storage that maintains data availability, confidentiality and integrity. The network system comprises the following components.

–          A Windows Server 2016 machine securely located and physically fixed in the office.

–          Hard drives encrypted with AES-256.

–          Accessible only to authorised domain users with complex passwords that must be changed every 30 days.

–          Management software that handles anti-virus updates and patch management, including Windows OS updates, with alerts configured for any failure.

–          Protected by a hardware firewall device with firewall rules in place to block any unauthorised access.

–          Remote access restricted to authorised users only, via a secure SSL VPN with a complex password.

–          Files can only be accessed by the specific users required for them to perform their job role.

–          Encrypted backups to a secure offsite location.

·         To prevent information from being intercepted or falling into the wrong hands, information held electronically or in physical form is disposed of only by prescribed methods.

·         Retention periods are specified for documented information to support good and orderly management of records and, in any event, to meet any specific legislative obligation for retention that applies to such information.

·         Sensitive, restricted or proprietary documented information belonging or relating to any third party, including clients, that must be transported or transmitted externally is encrypted, and the transfer is recorded by internal processes. Data is transmitted externally by email or by Secure File Transfer Protocol (SFTP); AES-256 encryption and password protection are required and verified. Project-related personal data transmitted to a client is sent as a password-protected, encrypted Excel spreadsheet accessed via OneDrive. All other electronic data is transmitted outward using Azure Information Protection (AIP), a cloud-based solution provided by Microsoft that integrates with the other Microsoft cloud services and applications used by Roots Research, such as Office 365 and Azure Active Directory. An email sent with the word ‘Encrypt:’ in the subject line is encrypted, and the recipient must complete a further verification step before the message can be opened. All incoming data from clients is received over SFTP, which provides a secure transmission tunnel, with the documents themselves also password protected.
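The subject-line keyword described above is normally implemented as an Exchange Online mail flow (transport) rule that applies Office 365 Message Encryption. The following is an added illustration of how such a rule is typically created; it is not Roots Research's own configuration, and the rule name, the administrator UPN and the exact keyword are assumptions.

```powershell
# Added example, not the company's configuration. Requires the ExchangeOnlineManagement
# module and an account with Exchange administrator rights. The UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Create a mail flow rule: when a message leaving the organisation has "Encrypt:" in its
# subject, apply the built-in "Encrypt" rights protection template. Recipients outside the
# tenant then have to authenticate (Microsoft account or one-time passcode) before reading.
New-TransportRule -Name "Encrypt on subject keyword" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "Encrypt:" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "Encrypt outbound mail when the sender marks the subject with Encrypt:"

# Check that the rule exists, is enabled, and carries the expected condition and action.
Get-TransportRule -Identity "Encrypt on subject keyword" |
    Format-List Name, State, SentToScope, SubjectContainsWords, ApplyRightsProtectionTemplate
```

Two things to check after creating such a rule: the rule is scoped to external recipients only, so internal mail is not affected, and the keyword match is on the subject text, so staff must be trained to type it exactly as configured or the message leaves unencrypted.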

·         Passwords control access to equipment such as PCs and to electronic information accounts. Dictionary words are acceptable provided they form part of an alphanumeric password of at least 10 characters in length that includes at least one upper-case letter, one lower-case letter and two digits; names of family members and obvious dates must not be used.

Staff Controls

·         Clear contractual obligations including confidentiality clauses and restrictive covenants.

·         Well defined job descriptions including responsibilities for information security.

·         Regular training including data privacy and information security.

Risk Management and Business Continuity

·         Well defined plans for business continuity and emergency response arrangements.

·         Strong governance arrangements including ISO 27001:2013 certification.

Accredited

All our project managers are accredited under the Market Research Society (MRS) Recruiter Accreditation Scheme (RAS). So, you know we’re competent and up to date with all the latest knowledge and skills.

Certified

Data security is our highest priority. With our ISO 27001 certification and GDPR-compliant enhanced information security processes, you can be confident that, whenever we use, collect, store or send your data, it is secure.
