Please review our GDPR Statement regularly as it is subject to intermittent amendment.

Compliance Overview

With GDPR and PECR coming into force as of 25th May, we have been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. Further to this, in the background, we have been working hard to bring ourselves into compliance well before the 25th May.

As an ISO 27001:2013 accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. The purpose of ISO IEC 27001 is to help organisations to establish and maintain an information security management system (ISMS). An ISMS is a set of interrelated elements that organisations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information. Links to the details of this accreditation (Certificate number, accreditation body etc.) are contained in our email signatures and on our websites alongside our 9001 and 13485 accreditations. The scope for this accreditation covers both our hosted and on-premise data systems.

We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act) providing assurance to our clients that we take this responsibility very seriously.

Sub-processors

In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. In our day-to-day operations, the vast majority of our information is stored on our internal systems here in our offices. Where other processors are used, we have sought and recorded assurances from them; they are as follows:

We store some sales and leads data in a hosted CRM (Zoho) ( https://www.zoho.eu/gdpr.html )

We use Dropbox for some project related information. ( https://www.dropbox.com/en_GB/security/GDPR )

For our hosted services we use the following processors:

Amazon AWS (UK and Ireland Regions) ( https://aws.amazon.com/compliance/gdpr-center/ )

UKFast (UK) ( https://www.ukfast.co.uk/terms.html )

Rackspace (UK Region) ( https://www.rackspace.com/en-gb/gdpr )

Hosted Services

Where we provide hosting services to our clients, we act as data processors on behalf of our clients, who are data controllers under the terms of the regulation.

Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, the following series of statements is provided to satisfy this requirement.

Organisational Measures

As an ISO 27001:2013 accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act).

We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator or Supervisory Authority should we be required to do so in line with the requirements of the regulation. Further to this, this manual acts as a GDPR Addendum to ISO 27001:2013 with additional policies and records in line with the requirements of the regulation.

Access to the administrative portions of the hosting infrastructure is highly restricted, limited to a few people within the business.

Technical Measures

All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services is disabled or restricted as necessary.

Each server is further protected by an additional software firewall and a physical DDoS appliance. The software firewall is configured to only allow relevant network services.

Further to this, each CMS website is protected by a software-based Web Application Firewall to provide protection against common vulnerabilities. We also employ intrusion detection systems on the servers, which are monitored for unusual behaviour.

Website files, databases and other data relating to the website, including the underlying content management system files and their versions, are the sole responsibility of the customer.

Image Design Studio is responsible only for the security of the Operating System and firewall configurations, alongside updating the WHM/cPanel software on the servers.

Website Development and Design services

Where you have contracted Image Design Studio to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site / application.

In these circumstances the client is acting as a Data Controller and the company hosting the site is acting as a processor, and the Controller should seek written assurances from the processor around the measures being taken to secure the data.

Technical IT Services

Where you have contracted Image Design Studio to consult upon, build, and deploy internal IT systems, Image Design Studio is not responsible for the way in which these systems are used and, as Data Controller, it is your responsibility to ensure that your IT systems and organisational policies and procedures are compliant with the regulation. Image Design Studio is willing to assist with this in whatever way possible.

3rd Party Hosted Services

Where you have taken advice from Image Design Studio, who have recommended and/or referred you to a 3rd party processing service such as O365 or Jungledisk, Image Design Studio acts as neither processor nor controller with respect to these data processing systems. The Data Controller should seek written assurances from the processor around the measures being taken to secure the data.

Image Design Studio Internal Systems

Organisational Measures

As an ISO 27001:2013 accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act).

We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator or Supervisory Authority should we be required to do so in line with the requirements of the regulation. Further to this, this manual acts as a GDPR Addendum to ISO 27001:2013 with additional policies and records in line with the requirements of the regulation.

Technical Measures

In line with our own 27001 accreditation, we have multiple layers of physical and logical security in place in our premises. Our building is secured with multiple layers of key-based access with registered key holders and controlled access to keys. Our building entrance is secured with a shutter and the building is alarmed and monitored 24x7x365.

Access to data on our internal systems is restricted according to business need; each user has a unique username and password, and all systems are logged and monitored for unusual behaviour 24×7. We employ a full suite of anti-malware systems, and all updates and patches are applied and checked regularly by our internal team. Our network is protected by a controlled and monitored hardware firewall. Each computer has software firewalling enabled and controlled.

We have multiple logging and monitoring systems internally that continually monitor and record successful and unsuccessful access to data stored on our systems.

Data Collection Policy Statement

Image Design Studio IT Ltd acts, variously, as data controller and/or data processor for our clients in line with the definitions in the regulation. Image Design Studio IT Ltd is located at Unit 1, The Woodford Centre, Old Sarum, Salisbury, SP4 6BU, with a phone number of 01722 744 574 and a contact email address of [email protected]. Our website, with our privacy policy, is located at www.imagedesign-studio.com.

We do not have to appoint a DPO as stipulated under the terms of the regulation, but any enquiries on this matter should be addressed to the [email protected] email address.

We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.

This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers.

We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.

Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. We do not engage in profiling or automated decision making. To exercise these rights please contact us using the details provided above.

Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO) and their contact details can be found online.

Disclaimer

Nothing on this statement constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information in this statement is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.