The Tech Gurus Limited, company registration number 06799597. All information in this document sets out our compliance and use of personal data held in accordance with GDPR legislation. As an IT service provider, we supply support for a number of clients with either contracted support agreements or on an ad-hoc basis, which will require The Tech Gurus Limited to gather information relating to the clients to be able to support them. This will include data that we obtain from clients directly and data about the company that we obtain from other organisations.
This document sets out what personal or company data we hold, why we process or control that data, who we share it with, and your rights in relation to the data we hold.
GDPR’s focus is on protecting the individual privacy rights of EU citizens, and compared to previous EU privacy legislation it greatly expands the definition of what constitutes personal, private data to include not just financial, government and medical records, but also genetic, cultural, and social information. Businesses must now gain the explicit consent of an individual before using their personal data, and must also honour their “right to be forgotten”, i.e., have all personal data held by the business deleted at the user’s request. Usually, this would apply at the end of any contracted term or where support is no longer required for the purpose of supporting the client/customer.
The Tech Gurus Limited must also meet a number of new requirements to demonstrate our ongoing compliance with GDPR, appointing one individual responsible for the company’s GDPR issues (the so-called “Data Protection Officer”), reporting on any and all data breach incidents, and storing personal data within the physical confines of the EU.
What information do we process in relation to you or the company?
We will collect, hold and share limited information about you or the company in order to provide our services acting as your support provider.
We may also require third-party information from you in order to support certain products or equipment.
Where do we get your data from?
We obtain all the information from you as a client when you agree for us to provide support for your business, whether that be via support agreements or on an ad-hoc basis.
We may also obtain information about you from other sources in order to provide support; this is generally only with your business’s authorisation.
Why do we use your company or personal data?
We will process or control your data for the following reasons (not all would be applicable):
Whilst the majority of processing of personal data we hold about the business will not require your consent, we will inform you if your consent is required and seek that consent before any processing takes place.
To understand GDPR as it relates to data storage and data protection, it is useful to understand the following basic terminology:
Data subject
A citizen of the EU who is identifiable by their personal data. This may include a consumer making an online purchase, a user on an IT resource system, a citizen accessing online services and so on: any individual providing personal information in order to use some type of service.
Processor
A commercial business like a cloud service provider that acts as a contractor to a controller, i.e., another business serving EU citizens that captures sensitive data on individuals. Examples include application hosts, storage providers, and providers of cloud services like backup.
Right to be forgotten
The right of every EU citizen “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers and/or in its management systems.
Controller
A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations. This includes a provider accepting online orders, addresses, and payment information from consumers; it also extends to customer records for any service-related request.
Personal data
“Any information relating to an identified or identifiable natural person.” This is more broadly defined by the EU than by other governments and includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
Personal data breach
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses must report every data breach incident to “the supervisory authority” within 72 hours of becoming aware of it.
Privacy Protection Failures
Our ability to attest to the privacy, integrity, accessibility, and erasure of personal data relies in part on our ability to protect against, and recover from, failures affecting personal data and backups. These failures fall into three categories:
Your rights in relation to the personal data we hold
In addition to protecting against various types of data protection failures, and reporting to EU authorities when breaches occur, we as controllers have a number of obligations to the users whose personal data we are storing. Controllers must support the ability of users to:
Complying with user requests may not always be simple. For example, it is easy to address clear-cut requests like “Delete my mailbox and its entire contents”, but not so easy to comply with more complex or ambiguous requests like “Delete all my information from any backups”, where the data will inevitably be overwritten when the backup cycle repeats.
All requests can be submitted to our “Data Protection Officer” Ronald Gray – [email protected]
GDPR Requirements for Data Protection and Storage of data
We as a business have additional obligations which we must meet; these include:
The EU is serious about enforcing compliance, wielding the threat of painful financial penalties for businesses that cannot demonstrate their compliance or are caught in clear violation of GDPR rules protecting user privacy. For example, failing to maintain written records, to implement various technical and organisational measures, and/or to appoint a Data Protection Officer can cost the offending business a fine of €10 million or 2% of annual global revenue (whichever is greater). Broadly speaking, to achieve GDPR compliance in the areas of data storage and data protection, processors and controllers should only use service solutions that meet the following technical requirements:
As part of our day-to-day activities, it is normal practice to use third-party providers to deliver some of the services that we offer, such as anti-virus software or an email client. As such, it is our responsibility to use providers that fully comply with the new legislation and work with us to protect any data that we may use in order to provide such services.
Below is a list of service providers we use to deliver some of our services. Not all services listed will be applicable to every customer, and the list is provided as general information only. The important element is to demonstrate our responsibility for GDPR compliance and our commitment to only use providers that have clear policies in place to protect The Tech Gurus Limited and our customers.
Microsoft Office365 – Email, OneDrive, Exchange, SharePoint, Skype for Business
All the information is correct at the time of publishing, and if and when new services are introduced, The Tech Gurus Limited will fully comply with our responsibilities under GDPR.
We are confident that we are fully compliant in readiness for when the General Data Protection Regulation (GDPR) becomes law in the UK on 25th May 2018. If you require any further information or have any questions regarding data protection, please feel free to contact our data protection officer or call 01727 807285.