What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive European privacy law that takes effect on May 25, 2018. GDPR expands the privacy rights of EU individuals and places new obligations on all organisations that market, track, or handle EU personal data.
This is the most significant piece of European data protection legislation to be introduced in 20 years and strengthens the protection of personal data in light of technological enhancements, the rapid growth of utilisation of personal devices and increased globalisation. It strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.
The “processing” of data for EU individuals includes collection, storage, transfer, or use. Any organisation that processes personal data of EU individuals is within the scope of the law, regardless of whether the organisation has a physical presence in the EU. The GDPR concept of “personal data” is broad and covers any information relating to an identified or identifiable individual, also known as the “data subject”.
Oneserve is very aware of its role in providing the right tools and processes to support its users and customers in meeting their GDPR obligations. Oneserve welcomes this law as an important step forward in streamlining data protection requirements across the European Union and as an opportunity for Oneserve to deepen our commitment to data protection.
Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO/IEC 27001 and Cyber Security Essentials. We are committed to our customers’ success, including compliance with the GDPR.
Oneserve employs security and privacy professionals tasked with maintaining the company’s defence systems, developing security review processes, building security infrastructure, and implementing Oneserve’s security policies.
Working With Our Customers
Data Subject’s Rights
Oneserve will fulfil its obligations to respond to requests from data subjects in exercising their rights under the GDPR.
Information Security Team
Oneserve has a dedicated team to which data protection related enquiries can be directed and where all requests will be handled. In the first instance, contact our Support Desk (01392 354333).
Oneserve will continue to promptly inform our customers of any incidents involving customer data, in line with our standard terms and conditions. This will be handled via our dedicated Information Security, Support Desk or Client Success Teams.
Data Protection & Processing
Personnel & Confidentiality
All Oneserve employees, as part of their standard employment terms and conditions, accept and adhere to our confidentiality statements. Oneserve’s Acceptable Use Policy specifically addresses responsibilities and expected behaviour with respect to the protection of information.
All personnel who are customer facing and have access to customer data are trained in relevant and appropriate data handling principles and procedures relating to our GDPR obligations.
Employee Training and Awareness
All Oneserve employees complete data privacy and security awareness training. Oneserve will supplement existing training modules with GDPR-specific content. In addition to these training requirements, Oneserve conducts ongoing awareness initiatives on a variety of topics, including data protection, security and privacy.
The GDPR expects that the “data controller” and the “data processor” shall implement appropriate technical and organisational measures to ensure a level of security appropriate to any risk.
Oneserve operates infrastructure designed to provide modern and industry compliant security through the entire information processing lifecycle. Our infrastructure is designed and built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, and safe operation.
Oneserve fully complies with its obligations under the GDPR, both as a “data controller” for our own data and as a “data processor” when handling our customers’ data.
Data Processing Agreements
In conjunction with our partners and customers, Oneserve is updating its contractual commitments and service delivery terms and conditions in line with GDPR requirements. In the coming weeks, Oneserve will release an update to our contractual terms and conditions with provisions to assist our partners and customers with their GDPR compliance. Oneserve is also reviewing its supplier contracts to ensure GDPR compliance throughout its supply chain.
We are updating our customer onboarding, service and support processes to reflect the GDPR, and will make these updates available in due course.
Data Processing Instructions from Customers
Any data that a customer and its end-users insert or manage within our systems will only be processed in accordance with the customer’s instructions, as described in our data processing agreements.
Use of Sub-Processors or Sub-Processing Agreements
Oneserve partners with Rackspace UK and Google Inc to assist in supporting its data processing activities. Each provider goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy.
We are open about the third-party sub-processors involved in our services, and we include commitments relating to sub-processors in our current and updated data processing agreements. Oneserve commits that no customer data is processed outside of Oneserve’s core systems and platforms.
Lawful Basis for Processing
Depending on the particular processing activity, Oneserve relies on one or more of the following lawful bases to obtain the right to process data subject information under the GDPR:
- Explicit consent
- Commercial or supplier contractual commitments
Data Access and Rectification
Should Oneserve receive a data access or rectification (correction) instruction from a customer, we will provide access to or rectify the relevant customer data across all of our systems unless customer-specific or legal restrictions apply. A full audit trail of such action will be maintained.
Data Return and Erasure
Should Oneserve receive a data return or erasure instruction from a customer, we will supply or erase the relevant customer data from all of our systems unless retention obligations apply. A full audit trail of such action will be maintained.
Cross Border Data Transfer
Oneserve does not, unless instructed by a customer (the data controller), transfer data across borders. All data is held within the UK, within identified and nominated third-party partner hosting facilities. No customer data is transferred across borders.
Accountability and Governance
Oneserve will at all times fully comply with the data and commercial agreements we have in place with our customers. We shall ensure relevant audit trails are made available for any specific customer needs and that such audit trails clearly identify any data subject rights activities, incidents or breaches.
Oneserve meets, and will continue to maintain, the industry standards for ISO/IEC 27001 and Cyber Security Essentials. We are committed to our customers’ success, including compliance with the GDPR.
Partnership and Collaboration
Compliance with the GDPR requires a partnership between Oneserve and our partners and customers in their use of applicable Oneserve services. Generally, Oneserve will act as a data processor, and our partners and customers will act as data controllers. Working together, Oneserve encourages partners and customers to independently familiarise themselves with the GDPR.