GDPR Compliance Statement

Buildings

Reception areas are staffed 24/7 and door access control systems are in place throughout the building and all entrances are monitored by CCTV including the data centre.

Secure areas

Secure access areas are protected by entry controls to ensure only authorised staff can enter via an access control card. Access rights are removed when staff move roles and access rights are limited to the necessary personnel required.

Business Continuity

A BCP/DR policy has been implemented. A full annual DR test is conducted within salesforce (our CRM provider) and individual components are tested at Peninsula on a regular basis. All necessary remediation has been carried out.

Software and Applications

·       Software applications are managed through standard Agile software development methodology. Once a change is completed, end to end testing is performed to ensure the accuracy of the change and the existing system functionality.

·       Only approved software is managed and patched centrally and permitted on user machines which is managed through Software Centre.  

·       Software is then packaged and released.

·       All operating systems in place are fully supported and patched.

·       We use desktops and laptops which use Windows 10 with window updates being installed automatically.

·       Sensitive data is processed on several systems including salesforce.

·       No sensitive information would be stored on non-compliant systems.

Network Access 

·       Internal network access is controlled through internal Active Directory security.

·       Access to Salesforce is accessed via https secure internet browser.

·       Internal systems can only be accessed within the secure Corporate network.

·       Passwords on devices are changed every 90 days and complexity requirements are enforced.

·       All access is controlled by ADS permissions and limited access given.

VPN Access

·       All remote access via remote working employees is secured by VPN log on technology and you are unable to access the networks unless a secure VPN connection has been established.

Encryption

·       All databases, software and hardware/devices are protected with high levels of encryption. Encryption keys are managed with strict policies and procedures. The key is stored in a secure location which is only accessible to database admins.

Testing

·       On our equipment, all patches are governed by the change control process which includes evaluation, testing and deployment.

System Updates

·       We update systems when the time is appropriate to ensure we are always using the most advanced technical and organisational tools out there.

Data Back Ups

·       Data is backed up daily and a data restore process has been tested.

·       Measures are in place to ensure that the business can continue to function should a compromise occur.

·       Data is backed up to physical media stored offsite at our secure data backup facility which is owned by the group and secured with CCTV, physical locks and limited access controls.

·       The data restore process is tested monthly or as required.

·       Performance monitoring and file integrity monitoring is in place to ensure our business continuity plan can take full effect.

Monitoring and testing

·       A standard build procedure ensures that all default admin and back door accounts are removed.

·       Regular Network monitoring identifies any non-compliance to data loss prevention controls.

·       Penetration testing at application and network level is carried out on a regular basis.  

Cloud Providers

·       We may use cloud storage facilities for processing and storing data and when we do this, we ensure that the security is maintained and tested regularly.

·       Our CRM is built on cloud-based infrastructure.

·       All data resides in the EU or UK area and no data is transferred out of the EEA.

Cyber Security

·       All networks have firewalls, antivirus and malware protection in place which is deployed on all endpoints to detect, alert and neutralise any threats.

·       Any applications accessible from the internet are constantly safeguarded to prevent the existence and exploitation of web application vulnerabilities such as cross-scripting or SQL injection.

·       External connections are protected with enterprise, resilient firewalls and dedicated security monitoring ex SIEM, IDS, IDP.

·       All internet access is controlled by a dedicated web filtering appliance which restricts the types of traffic and URLs.

·       Firewalls and monitoring control and monitor traffic entering and leaving the organisation.

·       Sensitive data is processed on several systems including salesforce.

·       Security monitoring has also been deployed including a dedicated SIEM platform. 

Third Party  

·       All contractual IT security requirements are in place with any third parties we use which ensures the relationship remains subject to GDPR compliance.

·       Where necessary, our contract with them includes Data Processing Terms or terms are built into our products terms and conditions.

·       We also use alternative data protection safeguard mechanisms where appropriate in the form of standard contractual clauses where required.

·       Our CRM system is called Salesforce and we can confirm that they also have a dedicated security team which regularly tests and verifies that all controls are operational.

·       All Salesforce data resides in the Primary Data centre in the UK and secondary in Germany. All group databases reside in a primary and secondary data centre which are both based in the UK.

·       Peninsula’s data is segregated from other salesforce customers.

Staff Security

·       All staff are screened prior to their engagement and interviews are face to face where possible.

·       All staff get an induction focused on data protection and all our staff’s CV statements and qualifications are checked for validity before the offer of employment can commence.

·       Each staff member is issued with an Employee Handbook which we regularly review and update where necessary.

·       We update our staff when additions and updates are made.

·       A restrictive covenant is signed by staff prior to employment and a confidentiality agreement is signed on the first day on employment.

·       All staff receive security training as part of their induction which is reinforced periodically during training sessions and presentations.

·       Staff are expected to change their passwords regularly and we enforce complex password requirements.

·       When an employee leaves the business, all accounts and access is suspended immediately, blocking all access to our systems and buildings.

·       A clear desk policy is in place across the group and staff know to lock screens when they are away from their desks for any period.

·       We operate policies for data security for our remote and field workers so that integrity is always maintained.

·       Staff are not permitted to store any data via removable media (USB’s) or on device hardware.

Data Retention  

·       All data retention is handled in line with our retention policy. We are committed to taking a practical approach in line with legal, contractual and commercial requirements relating to the ownership, retention and disposal of information relating to our business activities within the UK and Ireland. We tend to keep our client data for 7 years until the contract end date. 

Data Disposal

·       As a company, we have made a conscious effort to become more digitally focused and we steer away from paper records wherever possible.

·       Confidential waste bins are located on each floor for confidential paper waste and this is securely shredded by a vetted third party who provide a certificate of destruction upon completion.

·        We have a hardware disposal policy in place which ensures that all hardware is commercially wiped before final destruction via an accredited third party who also provide a certificate of destruction.