Everything you need to know
PRIVACY BY DESIGN
At cloudThing, we have always believed in and honoured the right to data privacy and protection for every individual whose data we hold, and we champion the same position with our customers as part of setting the highest ethical benchmark in everything we do. Over the years we have also demonstrated our commitment to data privacy and protection by meeting industry standards for information security such as ISO 27001 and Cyber Essentials. We already have many Data Processing Agreements in place, and we are revising them further to meet the requirements of the GDPR, recognising that the regulation helps us implement the highest standards in protecting personal data.
Because we care deeply about transparency, in addition to our Privacy Notice we think it is important to state clearly the controls we have in place to ensure that we treat all personal data with the respect it deserves. This also gives our customers an opportunity to challenge our approach, in the interest of collective and continual improvement.
How we Comply
cloudThing has incorporated best practice and all applicable privacy regulations (including the GDPR) into its standard business processes, managed by our Governance Team. This includes integration throughout our Business Management System, which implements the ISO 9001:2015 framework for quality, the ISO 27001:2017 framework for information security and the ISO 27701:2019 framework for privacy information management, and which is independently assessed at least annually.
- A robust set of policies, procedures and processes that ensure privacy is inherent in all cloudThing business practices.
- A comprehensive inventory of PII assets that ensures compliant and secure data processing.
- A process of continuous improvement that reviews and enhances privacy controls.
- Third-party review of cloudThing policies, procedures and processes to drive continuous improvement and create learning opportunities.
- Continuous improvement driven by employee engagement in data privacy and protection, including training and industry best practice.
To ensure that we continue to achieve our privacy outcomes, comply with applicable data protection laws and regulations and deliver our Privacy Objectives, we have the following controls in place:
- We maintain a detailed data inventory using our complyThing product to track data sets, data owners, applications, locations, implemented controls and to maintain a record of processing activities.
- We publish a privacy notice providing clear information for cloudThing staff, current customers and prospective customers regarding what data we gather, what we use it for and how data subjects can exercise their rights, including contact details for cloudThing's Data Protection and Privacy Officer (DPPO) and the ICO.
- We conduct information audits to ensure that all personal data we hold is tracked to maintain the adequacy, security, accuracy and integrity of data.
- We have a clearly defined Data Retention & Disposal Policy which (in combination with our Data Inventory) defines the retention period, review schedule and method of disposal, to ensure that data we hold is kept only as long as necessary and is destroyed appropriately.
- We have a clearly defined Data Breach & Reporting Policy which documents data breach escalation and reporting processes.
- We maintain a Subject Request Protocol which explains how data subjects can exercise their rights under privacy laws, and use our complyThing product to expedite data subject requests.
- We maintain clear version control for all internal documentation and audit trails of all communications sent to or received from individuals, demonstrating accountability.
- We have an extensive Business Continuity Plan in place which is tested at scheduled intervals to ensure that, in the event of extended service outages caused by factors beyond our control (e.g. natural disasters), we can restore services as fully as possible in the shortest possible time.
- We conduct supplier assessments in line with our Purchasing Policy before a supplier is approved. This assessment helps to ensure that the supplier has robust controls in place to ensure the security of data shared with them. Where required, we implement Data Sharing Agreements with our suppliers.
- Data is transferred to or processed by our wholly owned subsidiary in India, cloudThing India pvt Limited, only with explicit customer consent and subject to the customer entering into Standard Contractual Clauses with that subsidiary.
- Prior to processing any data, be it internal or on behalf of our customers, we ensure that all data is privacy screened.
- Where appropriate, we conduct Data Protection Impact Assessments (DPIAs) for data processing operations that involve a high risk to the rights and freedoms of data subjects to determine the appropriate measures to be taken to minimise, or eliminate, the risks.
- If we identify any high-risk processing for which effective controls cannot be designed, we consult the ICO before proceeding.
- For customers with whom we are engaged, we operate under Service Level Agreements (SLAs) that clearly define our and our customer's responsibilities for managing and processing data in line with privacy regulations.
- We have a dedicated Secure-DevOps team who are all trained in privacy and security management best practices, providing on-going guidance internally and to our customers.
- We are committed to continuous improvement and subject every part of our business to an internal audit, at least annually.
- Our services are not aimed at children. If we receive an enquiry from a child through our website, we do not process their data in a way that could put them at risk.
- We use technical tools and services, such as Microsoft Endpoint Protection and Windows Defender, to enforce security and privacy controls within the organisation.
Human Resource Controls
- We perform Pre-Employment Vetting and Screening checks to verify that our employees are suitable to work for us and that the data they provide about themselves is accurate, ensuring that the safety and security of existing staff, services and end-users is maintained.
- Our employment contracts include data protection clauses for all staff ensuring compliance with applicable laws, regulations, and procedures.
- We deliver regular training sessions for our employees, including on relevant data protection regulations. Regular communications are sent to employees to raise awareness and ensure that data security controls and processes are applied in daily operations. Training sessions are recorded for playback and attendance is tracked in our training log.
- We conduct regular tests and assessments for all employees to ensure a high level of competency, knowledge, and understanding of relevant data protection regulations, their responsibilities and the controls we have in place to protect personal information.
- We gather digital signatures from all employees annually on an adherence register, confirming their understanding of all our management systems and their responsibility for both the organisation's and their own compliance.
- We annually review cloudThing staff data to ensure that the data we hold about them is accurate and up to date. All employees have access to self-service tools where the relevant information can be updated/corrected. All employees are responsible for ensuring that information we hold about them is accurate and up to date.
- We operate as an organisation using a set of Architectural Principles, which mandate an array of good practices such as Privacy by Design, Secure by Design and Defence in Depth.
- We design and build software and services in line with a detailed Secure System Engineering Policy, which is regularly updated, to ensure that strict security controls are in place, including (but not limited to) continuous monitoring of environments, regular vulnerability scanning, penetration testing, weekly infrastructure reviews and key storage abstraction, in order to identify threats and malicious or unauthorised activity.
- We require that all devices (physical or virtual) and communication channels that store or transfer data are encrypted, in line with good industry practice.
- We follow a robust set of policies directed by our Information Security Management System, including (but not limited to):
- an Access Control Policy to mandate a Role Based Access Control and Principle of Least privilege for user/system access
- a Remote Access Policy designed to minimise the potential exposure to unauthorised use of our systems and data from remote locations
- a Password Policy to ensure a strict standard for the creation of strong passwords, the protection of those passwords, and the frequency of change
- a Removable Media Policy that forbids use in nearly all situations, to minimise the risk of loss or exposure of sensitive information held on portable storage
- an Information Transfer Policy mandating minimum requirements to ensure that the transfer of data is performed in a way that adequately protects it
- a Data Security Policy to ensure we protect restricted, confidential or sensitive data from loss or corruption
- a Mobile Device & Teleworking Policy to ensure that data used on our mobile device estate is robustly protected, even when devices are lost or stolen.
- a Bring Your Own Device policy mandating controls around any device which is used to access our employee tools that isn’t issued by us
- a Key Management System Policy mandating controls and processes for key strength and rotation, and defining how credentials are stored and processed
- a Clear Desk and Clear Screen Policy to establish the minimum requirements for ensuring data is not inadvertently shared within the office
- We utilise best-of-breed device management tooling to provide near-real-time security insight across our estate.
- We conduct regular backups to enable data recovery in case of accidental loss or malicious attacks on internal or customer data, in line with agreed Service Level Agreements.
Responsibilities of Data Protection and Privacy Officer
We have appointed a Data Protection and Privacy Officer for each region we operate in (the UK and India), rather than a statutory Data Protection Officer, because:
- we are not a public authority or body;
- our core activities do not require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking);
- our core activities do not consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
NOTE: The Governance Team is responsible for making all key compliance decisions.
The Data Protection and Privacy Officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The DPPO is responsible for the following:
- To inform and advise cloudThing and the employees who carry out processing of their obligations under the GDPR and other data protection provisions.
- To monitor compliance with the GDPR, other data protection provisions and our own policies for the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- To provide advice where requested about the data protection impact assessment and monitor its performance.
- To review internal and external audit reports with the Governance Team, to evaluate and report on all aspects of cloudThing's compliance with these Rules, and to ensure that any corrective or preventative action is taken as soon as reasonably practicable.
- Where a DPPO has reason to believe that local or national legislation prevents cloudThing from fulfilling its obligations under these Rules, or has a substantial effect on cloudThing's ability to comply with these Rules, to promptly inform the Chief Data Protection and Privacy Officer.
- To handle local complaints from data subjects.
- To report major privacy issues to the Chief Data Protection and Privacy Officer.
- To ensure compliance at a local level.
In addition to the above responsibilities, the Chief Data Protection and Privacy Officer is also responsible for the following:
- To cooperate with the Information Commissioner's Office (ICO), the UK supervisory authority.
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, regarding any other matter.
- To manage the Data Breach Assessment Board, which is chaired by the Chief Data Protection and Privacy Officer and composed of senior executives of cloudThing Limited. The Chief Data Protection and Privacy Officer oversees all privacy and data protection issues, including ensuring compliance with all aspects of these Rules, reports to the board of directors of the parent company of the cloudThing group of companies, and is supported by a team of local Privacy Officers responsible for overseeing and ensuring compliance with these Rules on a day-to-day basis at a local level.
- To make a responsible decision where there is a conflict between national law and these Rules, consulting the relevant Data Protection Authority in case of doubt.
- To keep an up-to-date list of cloudThing affiliates bound by the Rules, to record any updates to the Rules, to provide the necessary information regarding updates on request to any data controller, data subject or relevant Data Protection Authority, and to ensure that no data is transferred to a new cloudThing affiliate until that affiliate is bound by these Rules.
- To notify the relevant Data Protection Authorities of any changes in operation at least annually.