Our customers have asked us many questions about the forthcoming General Data Protection Regulation (GDPR), and we have put the most commonly asked questions and answers below. Please keep checking back, as this page will be updated from time to time.
What is GDPR?
For general information about GDPR, please visit our GDPR webpage.
How is the OGL Group preparing for GDPR?
The OGL Group is committed to data protection and security and welcomes the introduction of GDPR in May 2018.
We have always taken information security seriously and over the years we have demonstrated our commitment to data privacy and protection by meeting the industry standard ISO 27001, as well as achieving and maintaining the quality standard ISO 9001. In addition, our specialist IT security company, CyberGuard Technologies, is Cyber Essentials certified and is also certified as an IASME Gold accreditation body. The OGL Group will continue to maintain accreditations that demonstrate our commitment to information security.
The OGL Group is continuing to review our activities, suppliers’ compliance, contracts and marketing, covering all aspects of our business, and is working to achieve GDPR compliance across our services for May 2018.
How does OGL ensure that its own networks are secure?
Our systems are protected by the latest technologies, ensuring the highest levels of security. This is backed up by testing, testing and more testing. Our Cyber division undertakes regular penetration and vulnerability testing on OGL’s networks, websites and infrastructure to identify any potential weaknesses, and works closely with OGL’s IT Solutions division to implement continuous improvement. Our dedicated team of patching engineers also applies regular patches across all our systems (we recommend that all our customers apply patches at least once a month).
What is OGL doing to ensure its employees are aware of GDPR?
All our employees are made aware of data protection and sign confidentiality clauses upon commencement of employment with OGL. All staff undergo a robust vetting process and during the induction, data protection is introduced. Data protection relevant to the individual’s job role is then covered during their initial training and continues on a regular basis through awareness and security training campaigns. Physical access to our office facilities is restricted per job role and is tested and constantly reviewed, as are IT permissions, workstations and device security.
Our Cyber division ensures that all OGL employees are made aware of any potential threats through regular updates, undertakes regular security checks by way of phishing attacks and password hacks, and enforces monthly and quarterly password changes. We have a strict policy around password strength, and use our staff intranet to encourage staff to actively engage in our security activities. We also use two-factor authentication where employees access company systems from multiple devices or remote locations.
Does OGL have a data breach reporting process?
If we become aware of a breach this will be escalated to our senior management team who will assess the risk. Where deemed necessary, the breach will be reported to the ICO and affected individuals will be notified in accordance with the timescales specified within GDPR. All breaches will be recorded to aid in continual improvement of internal processes.
When should we notify OGL if we become aware of an IT breach?
If you have a relevant OGL agreement, you should notify our Helpdesk at the earliest opportunity; they will then advise of any appropriate work that may be needed. In the meantime, you need to assess whether the breach requires reporting to the ICO and whether you need to notify any affected individuals.
Where can we find your Data Processing terms?
Is prof.ITplus GDPR compliant?
prof.ITplus, like other software packages, does not make you compliant: it is the data itself and your working practices that affect compliance. prof.ITplus can be used to help you become compliant, as you can use the fields and functionality within the software to manage your data. Don’t forget that the data you input into prof.ITplus is only one element of GDPR; you also need to make sure that your system is secure and your users are trained in data security.
How do I know that my prof.ITplus system is secure?
Where your prof.ITplus system is kept on-premise, you will need to think about your security. This could include the physical security of the server room, strong password management (particularly for admin users), network security, patch management, reliable and secure backups of data, user awareness training, etc.
For hosted prof.ITplus, see “As a hosted OGL customer, where is my data stored?” below.
What does OGL do with customer’s own data?
OGL’s only interest in your data is to ensure the effective installation of your prof.ITplus system. We would only refer to your data should you raise a call regarding an issue which requires an advisor to refer to it. We don’t use your data for any other purpose, as it is your data, and yours only. At your specific request only, we would facilitate the sharing of your data through integration with other channels.
How can I record on CRM whether a contact has given me consent to contact them with marketing information?
The parameters now give you the ability to choose how the default ‘mailshot’ flag is set. This means that when creating new CRM accounts you can control whether the ‘mailshot’ flag is ticked (yes) or un-ticked (no). You can then use this field to run reports showing which of your contacts have given their authorisation for you to contact them. You can also add a CRM note or Memo to record additional information, or attach emails/documents to the customer record.
How do I update all of my existing contacts to confirm whether they have provided us with permission to contact them?
Our global CRM contact amendment program allows you to make global changes to the ‘mailshot’ and ‘user-defined fields’ for a range of CRM customer accounts.
How can I limit user access to sensitive financial information about my suppliers and customers?
Within ‘user permissions’ you can hide ‘Supplier’ and ‘Customer bank’ fields from certain screens/reports if that user does not require access to them.
As an eShop customer, can my customers manage their communication preferences within the eShop customer portal?
No. Giving customers the ability to subscribe to or unsubscribe from marketing communication would be handled within the email communication itself, and then manually updated within prof.ITplus. You should ensure that all email communication provides the recipient with the ability to subscribe or unsubscribe at any time. This could be done by adding a simple link at the bottom of your email that opens their email client so they can send you a message; alternatively, you can add a link directing them to a webpage where they can fill out a form. If you are using a standard email marketing tool such as MailChimp, these tools will generally have unsubscribe functionality built in.
How does GDPR affect how long I can hold data in prof.ITplus?
All businesses are legally required to hold certain data for specific periods of time, such as holding company accounts for a minimum of 6 years. The length of time you hold other types of data should be covered in your data retention policy.
As a hosted OGL customer, where is my data stored?
All OGL’s hosted services, with the exception of Office 365, are held on OGL’s own infrastructure within a secure UK data centre. Our two data centres are located in the Midlands and provide state-of-the-art facilities and security.
How is my data stored in OGL’s data centre?
Whether your data is stored on OGL’s private or public cloud, it sits on virtual servers within OGL’s own private secure pod. Only authorised engineers and relevant technical senior management have access to our data centre. Any data transferred between your networks and the data centre is fully encrypted in transit, whether over physical connections or over the internet, ensuring maximum security for your data.
If I use Office 365 where is my data stored?
Your mailbox data resides in Microsoft’s data centres, which have many strict procedures and security systems for protecting your data. All the details for GDPR compliance in Office 365 can be found below:
Office 365 uses SSL and TLS encryption on all emails in transit, preventing emails from being intercepted or accessed by anyone other than the recipient they were sent to.
What does OGL do with customer’s own data?
OGL’s only interest in your data is to ensure the effective installation, maintenance and support of your IT infrastructure. We would only refer to your data should you raise a call regarding an issue which requires an advisor to refer to it. We don’t use your data for any other purpose, as it is your data, and yours only. At your specific request only, we would facilitate the sharing of your data through integration with other parties.
Am I still okay to back up my data to tape or USB stick?
It depends. If your data is encrypted and the device is stored securely, then this may be acceptable. However, we would recommend, where possible, using an off-site/cloud-based DR and backup solution to ensure both maximum security and easy access to your data should you need it.
What should I do if one of our company laptops or phones is lost or stolen?
If you have a relevant OGL agreement and the device is covered, you should contact the Helpdesk in the first instance to raise a call. The OGL label number and user will be validated before support is provided. Support consists of logging onto the customer’s server to disable the account, so that there is no access to emails or the network, or to change the user’s password. You will be notified of the restrictions applied to the account. If the device is not covered under an IT support contract, then support may be available at our standard rates.
You will also need to follow your incident breach procedure and, if appropriate, notify the relevant third parties.
What happens to my company data at the end of the contract?
Other than for our Hosted customers, OGL does not store customer data. We only store technical details, such as usernames and passwords, that we require to enable us to support you; however, these would give us access to your data. If you terminate your contract with OGL, we would supply you with any details that we have, and these would then be deleted from OGL’s internal systems after 30 days (unless the customer specifically requests that they be removed earlier).
Of course, we will retain contractual and accounting information about our customers in line with legislation and our retention policies.