How Fort Privacy delivers GDPR Compliant Services
Our Clients Are our Business
Trust: When you come to Fort Privacy as a client you will be trusting us to protect the personal data of your employees, your clients and your other key business stakeholders just like any other supplier that you engage.
What to expect: It's important to us that, as our clients, you know what to expect from our services.
Every Client is important: Our clients are our business. We value and respect how every client engagement helps us to run a successful business. Your success is our success, and we never forget that.
We comply so you can comply: You can and should expect that we will deliver services to you that will comply with GDPR while we are helping you on your own journey to comply with GDPR!
Fort Privacy Role
When we are managing our client relationships – including sales, marketing, running events and webinars, bidding for contracts and communicating with you about our services – we act as a data controller. We are deciding how to run our business and how to engage with our clients and prospective clients.
When we are delivering our services to you, we are acting on your behalf and we act as a data processor.
Service Compliance Summary
In order to deliver a service that is compliant for our clients we have taken the following steps:
- We put a contract in place with our clients that includes a data processing agreement (“DPA”) as required by GDPR.
- We have designed our services so that we do not routinely process personal data on behalf of our clients. We will only process personal data where it is necessary for us to deliver a particular aspect of our service.
- We have put security measures in place to ensure that each client's information is maintained separately, shared securely internally within the Fort Privacy team and shared securely externally with our clients and their contacts.
- We have internal policies and procedures documenting our data protection and security measures as well as back-up and restore and business continuity plans. We implement our own compliance framework!
- We have breach management procedures. Thankfully we have not yet had to report a breach of our own but like all businesses we have had near misses that we have investigated and logged. Our breach procedures include processes for notifying our clients in the event of an incident that potentially impacts them.
- Finally, we can support our clients in the event of a Data Subject Access Request (DSAR) that encompasses data we process on your behalf.
What to expect
Data Processing Agreement (“DPA”)
When you first engage with us we provide you with a contract that includes a Master Services Agreement, a Data Processing Agreement and a Statement of Work.
The Data Processing Agreement complies with Article 28. It outlines our commitment to processing data only as provided for in your instructions to us, to confidentiality, to security and to assist you in compliance with your obligations.
We will supply you with a sample Data Processing Agreement for the relevant service on request during our sales engagement with you.
Technical and Organisational Measures
We implement a variety of technical and organisational measures across our business and our service delivery in order to keep the personal data we process on your behalf secure.
These include:
- All employees use encrypted devices.
- All software we use in our service delivery has two factor authentication implemented by default.
- We use a secure cloud-based file share to store our client data.
- We implement a dedicated directory structure for each client so that client data is stored consistently, is easy to find and is separate from other clients' data.
- Files are not emailed internally or externally as email attachments; instead we send a link to the document(s).
- We back-up our data regularly to a secure location, to a dedicated device that is stored in a locked facility with physical access controls.
Incident / Breach Management
If we become aware of an incident involving client personal data, where we are a data processor, our policy is to notify our clients as soon as possible.
We will support our client’s investigation of the incident – following the same robust incident investigation processes that we put in place for our clients.
This could include supporting our client to report the incident to the relevant Data Protection Supervisory Authority where it is determined that a reportable breach has occurred.
Data Subject Rights Management
Where we receive a Data Subject Rights Request from a client’s employees / suppliers / customers, we determine whether the request relates to Personal Data that we are processing on behalf of the client.
In that case, our first step is to notify the client about the request which we commit to doing as soon as possible on receipt of the request.
We are committed to supporting our client to respond to the Data Subject within the timeframes laid down in the GDPR.
Contact Us
If you are thinking of becoming a Fort Privacy client please contact us for further information – additional due diligence documents and sample contracts will be supplied on request!