4TC Service Limited (4TC) GDPR Statement
On May 25, 2018, the General Data Protection Regulation (GDPR) becomes fully enforceable across the European Union (EU), creating a higher standard for data protection, privacy, and security for the processing of personal data from the EU. The GDPR applies to the processing of personal data regardless of where that takes place in the world, and impacts any company that handles personal data of EU citizens and others within the EU.
At 4TC, GDPR readiness has required us to look at all the products and services we provide, and we are confident that these satisfy the requirements of GDPR.
The products and services 4TC provide meet the principles of privacy by design and default as outlined in Article 25 of the General Data Protection Regulation (GDPR). Adherence to these standards means that our products have appropriate privacy and security features embedded within their design, and 4TC has the ability to fully support the data subject rights called out in the GDPR.
We also provide data processing functions as part of our remit with the services we provide, for example data backup and disaster recovery, as well as the system access we have as part of our support role.
Direct Onsite and Remote Support
System access is handled by secure logged auditable connectivity.
No data is retained by us that is not directly relevant to maintaining the services we provide to our customers.
The data that is retained pertains to our direct contact with our customers, not any data pertaining to our customers, customers.
The data held is kept to a minimum for the purposes of our role as a support company.
The access we have to data at customer sites is treated
Backup and Disaster Recovery
4TC provides as part of its managed backup service, taking copies of your data, de duplicating, encrypting and compressing it (all on your site) then sending it to EU based secure data centres for safe storage.
Although GDPR doesn’t mandate encryption – despite what some encryption vendors will tell you – it does suggest encryption as an option and a good idea. If we backup your data we encrypt it at the point of collection on your site, maintain that encryption in flight and store it encrypted ‘at rest’ in the data centres.
Backups do offer a different challenge, as they do not easily comply with the right to be forgotten part of GDPR. Removal of personal details within a company’s internal systems is one thing, removal of it from backups effectively means the destruction of that backup. The removal of one name from a database on all backups taken over the last 3, 6, 9, 12 or longer months is not practical, from a management or cost perspective.
As the ‘data processor’ we would not necessarily know that an individual has requested removal of their personal data, so these requests will need to be maintained and in the event of a restore being required brought to our attention.
When individuals request the erasure of their personal data, controllers should be transparent with them about what will happen to the backups:
- Primary instances of their data in production systems will be erased with all due speed
- Their personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons.
- The individual can be assured that their personal data will not be restored back to production systems (except in certain rare instances, e.g., the need to recover from a natural disaster or serious security breach). In such cases, the user’s personal data may be restored from backups, but the controller will take the necessary steps to honour the initial request and erase the primary instance of the data again.
- Backup archives containing personal data will be protected with strong encryption, so that even if criminals were able to steal the archive, its contents would remain useless to them.
- Retention rules have been put in place so that personal data in backup archives is retained for as short a time as necessary before being automatically deleted.
- Records of all data subject requests regarding their personal data will be retained, as will audit logs that record all activities on backup archives containing personal data. This means that the user can be confident that their personal data has been backed up in accordance with GDPR principles of security by design and by default, as well as data minimization, and that their rights, including the right to be forgotten, have been honoured.