GDPR and Cyber Security
POSITION AS AT 15th MAY 2018
We are delighted to have recently attained the Cyber Security Plus Accreditation. Please visit https://www.cyberessentials.ncsc.gov.uk/ for further information. We are now working towards ISO27001:2013.
Our policy documents are still under review and therefore at this point it would be inappropriate for these to be published. We will have these available to view prior to the 25th of May 2018.
We provided GDPR training and Cyber Security training to all members of staff, who have each received certificates confirming their knowledge and understanding of the changes to legislation.
We enforce a strict password policy (access to TVAS is secured by a separate password to the login) and lock screen timeouts, and we use locked filing cabinets with keys secured in separate key safes depending on the area of business. There are office entry controls and separate secure access to the Server room. We have a secure firewall that has been externally tested for penetration as part of our Cyber Security Plus accreditation, and non-removable anti-virus and malware detection software installed on each PC, Tablet and Laptop. PCs, etc. are locked down so that USB and CD/DVD storage is not accessible by staff.
All of our employees sign User Agreements that bind them to our policies. We will also shortly be introducing additional screening checks for new employees. Our existing staff will also be subject to these checks for additional reassurance.
We use Microsoft Azure services and a local server for providing our services. Backups of data occur daily to local media and to Google servers, and these are encrypted. All Microsoft Azure and Google servers used for data storage are in European data centres.
All of our paper files containing member information received as part of our data collection process are securely destroyed onsite by DataShredders Ltd within 3 months of the report being completed/cancelled. DataShredders Ltd also provide us with secure disposal of all electronic devices. DataShredders have the following accreditation: Information Destruction BS EN 15713:2009. Please see their website for additional information at http://www.datashredders.co.uk/.
As we have separate elements to the business (Transvas Profiler software, Transfer Bureau and Bulk Projects), GDPR is affecting these areas in different ways. We have therefore created subsections within this page to give information directly relevant to our individual customers; see the relevant entry on the left.
Contact regarding GDPR
Should a member wish to receive any information we currently hold on them, please contact GDPR@ompensions.co.uk or 01206 805 405 and we will arrange to issue the relevant forms to the member for completion.
ICO Ref: ZA061741