What is UK GDPR
The UK GDPR is the UK General Data Protection Regulation, tailored by the Data Protection Act 2018. It is a UK law which came into effect on 1st January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK.
The “processing” of data for individuals, includes collection, storage, transfer, or use. Any organisation that processes personal data of individuals is within the scope of the law, regardless of whether the organisation has a physical presence in the UK or otherwise. The UK GDPR concept of “personal data” is broad and covers any information relating to an identified or identifiable individual, also known as the “data subject”.
Oneserve is very aware of its role in providing the right tools and processes to support its users and customers in meeting their UK GDPR obligations.
Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO/IEC27001 and Cyber Security Essentials. We are committed to our customers’ success, including compliance with the UK GDPR.
Oneserve utilises security and privacy professionals tasked with maintaining the company’s defence systems, developing security review processes, building security infrastructure, and implementing Oneserve’s security policies.
Working With Our Customers
Data Subject’s Rights
Oneserve will fulfil its obligations to respond to requests from data subjects in exercising their rights under the UK GDPR.
Information Security Team
Oneserve has a dedicated team where data protection related enquiries can be directed and where all requests will be handled. In the first instance contact our Support Desk (01392 354333).
Oneserve will continue to promptly inform our customers of any incidents involving customer data in line with our standards terms and conditions. This will be handled via our dedicated Information Security, Support Desk or Client Success Teams.
Data Protection & Processing
Personnel & Confidentiality
All Oneserve employees, as part of their standard employment terms and conditions, accept and adhere to our confidentiality statements. Oneserve’s Acceptable Use Policy specifically addresses responsibilities and expected behaviour with respect to the protection of information.
All personnel who are customer facing and have access to customer data are trained in relevant and appropriate data handling principles and procedures relating to our UK GDPR obligations.
Employee Training and Awareness
All Oneserve employees complete data privacy and security awareness training. Oneserve supplements existing training modules with UK GDPR-specific content. In addition to these training requirements, Oneserve conducts ongoing awareness initiatives on a variety of topics, including data protection, security and privacy.
The UK GDPR expects that the “data controller” and the “data processor” shall implement appropriate technical and organisational measures to ensure a level of security appropriate to any risk.
Oneserve operates infrastructure designed to provide modern and industry compliant security through the entire information processing lifecycle. Our infrastructure is designed and built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, and safe operation. Oneserve’s obligations under UK GDPR as both a “data controller” for our own data and as a “data processor” when representing our customers’ data, are fully compliant to the UK GDPR.
Working in conjunction with our partners and customers, Oneserve’s contractual commitments and service delivery terms and conditions are being updated in line with UK GDPR requirements. In the coming weeks, Oneserve will release an update to our contractual terms and conditions with provisions to assist our partners and customers with their UK GDPR compliance. Oneserve is also reviewing its supplier contracts to ensure UK GDPR compliance throughout its supply chain.
Data Processing Instructions from Customers
Any data that a customer and its end-users insert or manage within our systems will only be processed in accordance with the customer’s instructions, as described in our data processing agreements.
Use of Sub-Processors or Sub-Processing Agreements
Oneserve partners with Amazon Web Services Inc., Localz Europe Ltd. and Google Inc. to assist in supporting its data processing activities. Each provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.
We are open in regard to the third-party sub-processors involved in our services, and we include commitments relating to sub-processors in our current and updated data processing agreements.
Oneserve commit that no customer data is processed outside of Oneserve’s core systems and platforms except where a client has purchased Engineer Location Tracking.
Lawful Basis for Processing
Depending on the particular processing activity, Oneserve complies with one or more of the following consent methods to gain right to process data subject information under the UK GDPR:
– Explicit consent
– Commercial or supplier contractual commitments
Data Access and Rectification
Should Oneserve receive a data access or rectification (correction) instruction from a customer, we will provide access to or rectify the relevant customer data from all of its systems unless customer specific or legal restrictions apply. A full audit trail of such action will be maintained.
Data Return and Erasure
Should Oneserve receive a data return or erasure instruction from a customer, we will supply or erase the relevant customer data from all of its systems unless retention obligations apply. A full audit trail of such action will be maintained.
Accountability and Governance
Oneserve will at all times fully comply with our data and commercial agreements we have in place with our customers. We shall ensure relevant audit trails are made available for any specific customer needs and that such audit trails will clearly identify any data subject rights activities, incidents or breaches.
Oneserve meets, and will continue to attain such, industry standards for ISO/IEC27001 and Cyber Security Essentials. We are committed to our customers’ success, including compliance with the UK GDPR.
Partnership and Collaboration
Compliance with the GDPR requires a partnership between Oneserve and our partners and customers in their use of applicable Oneserve services. Generally, Oneserve will act as a data processor and our partners and customers generally will act as data controllers. Working together, Oneserve encourages partners and customers to independently familiarise themselves with the UK GDPR.