On 25 May 2018, a new regulation, the General Data Protection Regulation (GDPR), came into force; it applies to all UK businesses.
The regulation requires businesses like yours and ours to document how we manage client data in a simple, easy-to-understand format. This document details how Kimbley IT manages your data.
Legitimate Interest and Contractual Obligations
To offer our services we have to collect key pieces of data about you. This data can be used to personally identify individuals, and we hold it under either a legitimate interest (a legitimate reason why we need it) or a contractual obligation (an agreed reason why we need it).
An example of a legitimate interest: you have contacted Kimbley IT, so we have a legitimate interest (reason) to store your data in order to contact you back.
An example of a contractual obligation: we support your company's IT, and to do this we need to be able to recognise the individuals in your business who have access to your computer system. The authorisation to keep, manage and secure this data would be laid out in a contract.
The data we hold about you
Your name and contact details
We need this information to identify you, communicate with you, and securely manage the data we hold about you. This data is also used to identify you when we provide our support and assistance services. For example, when you report a problem with your computer, we need to be able to identify your computer and account in order to help you.
Your use of technology within your business
We know when and how you use authorised office equipment that has our monitoring agent(s) installed: for example, the websites you visit, the times your computer is turned on and off, and the software installed. We can also remotely access your device without needing you to grant access.
Depending on the services offered to your business, we may also know what websites you visit while in the office, even on devices where no monitoring agents have been installed.
We do not install our monitoring agents on personally owned devices (BYOD). However, if you are a G Suite user we can see any managed applications you have installed on your mobile devices. We can also see the make and model of the device you have registered and when it first and last connected to G Suite.
Some of the data we collect is anonymised (we can’t identify you).
The rights you have to your data
You have the following rights over your data:
- To be informed about how we use your data, as laid out in this document.
- To update your personal data. To keep this data up to date you need to contact us.
- To ask us to delete your personal data. However, there may be circumstances where we are legally entitled to retain it.
- To get a free copy of your personal data, through a Subject Access Request (covered later in this blog post).
- To object to the processing of your data and have it restricted. There are circumstances where we are legally entitled to refuse this request.
The security of your data
We use a number of services to manage and maintain the data we control and process. These services are vetted to make sure they abide by the highest level of security and, if they are based in the USA, are Privacy Shield certified. In addition, where possible, we implement our own additional access controls and security procedures. Kimbley IT is Cyber Essentials certified and a certified Google Cloud Partner.
The processors we use to manage your data
Google Cloud - G Suite
We use G Suite to manage our email, calendars, documents and files in Google Drive, to communicate with you through Google Hangouts, and to retain and delete data using Google Vault. We keep data for 36 months; it is then auto-deleted. You can read more about Google GDPR compliance here.
Google Cloud - G Suite Partner
As a G Suite Partner, we manage your G Suite installation. We can extract data about the usage of G Suite inside your business, such as when a user logged into the system, when they made alterations to a file in Google Drive, and what mobile device they have connected to the system. Identifiable data is kept until you inform us to delete a user or our agreement with your business finishes. You can read more about Google GDPR compliance here.
Spanning
We use Spanning to manage and maintain our backup and restore systems. Data is kept in this system indefinitely; it is currently not technologically possible to alter a backup at a later date. If you have requested that your data be deleted, then whenever we restore data that may contain data about you, this data is deleted from the restored data. You can read more about Spanning GDPR compliance here.
SolarWinds RMM
We use SolarWinds RMM to monitor your business computer systems and the individual devices your employees use. We can see the times your computer is turned on and off, the software installed, the programs running on the machine in real time, the state of the hardware, the make and model, and we can remotely access the computer. We keep data on this system while your business is contracted to our services. Once this relationship ends, the data on this system is deleted within 30 working days. You can read more about SolarWinds GDPR compliance here.
Umbrella by Cisco
We use Umbrella by Cisco to monitor your internet connection and to protect your employees and devices from illegal, harmful and hateful internet content. We can see which websites have been accessed, but we do not collect any personally identifiable data, as we cannot identify the user who was on the system at the time. We keep data on this system while your business is contracted to our services. Once this relationship ends, the data on this system is deleted within 30 working days. You can read more about Umbrella by Cisco GDPR compliance here.
This is a separate service to the Umbrella by Cisco service. It is run through hardware installed in your office. It is used to monitor your internet connection and to protect your employees and devices from illegal, harmful and hateful internet content. We can see which websites have been accessed, and this data can be linked to individuals on all devices on the network where the Cisco device is installed. We keep data on this system while your business is contracted to our services. Once this relationship ends the data on this system is deleted within 30 working days.
MailChimp
We use MailChimp to keep clients informed of service changes that may affect how you work. We do not use MailChimp for external marketing emails. We keep data on this system while your business is contracted to our services. Once this relationship ends, the data on this system is deleted within 30 working days. You can read more about MailChimp GDPR compliance here.
ProsperWorks
We use ProsperWorks to manage projects, sales processes and new business management. We keep data on this system while your business is contracted to our services. Once this relationship ends, the data on this system is deleted within 30 working days. We keep new business management data on this system for 12 months; it is then deleted if the new business does not convert to a client. You can read more about ProsperWorks GDPR compliance here.
Xero
Xero is our accounting software, used for invoicing, quoting, bank reconciliations and other similar accountancy functions. Our accountants, Appleby Mall, have access to this system and process data for the purposes of bookkeeping and annual accounts. Data stored in Xero is kept for six years from the date it was created. This is a regulatory requirement under the VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21. You can read more about Xero GDPR compliance here.
Answer
Answer is the call-handling service we use: when you call us, you are put through to Answer, who will take and retain your name, your message and your phone number. This data is kept under legitimate interests: as you have contacted us, you would like us to reply, and we need this data to be able to reply. Currently, this data is kept indefinitely; we are working with Answer to improve the system so that data is kept for a much shorter period. Answer had not published any GDPR compliance information as of 11/05/18.
Subject Access Request (SAR)
It is really important that you can request to find out what personally identifiable data a business holds about you.
You can complete this form to make a SAR. You will need to supply identification before we can proceed with the SAR; this is to make sure that you are the real owner of the data you are requesting. We will then collect the data we hold about you and release it to you within 30 days of your request and suitable identification being produced.
Your first SAR is free of charge; however, any subsequent requests that fall within a short time period of your first request will be chargeable.