By now, I’m sure you’ve heard all about the General Data Protection Regulation (GDPR) and what it means. Whilst we’ve seen some pretty blasé and some pretty funny communications on the topic, a large part of what we do at ID Card Centre involves handling data, so we need to take it extremely seriously, and we want to be sure that you have complete confidence in us.
Therefore, we just wanted to take a few minutes of your time to let you know what we’ve done and will continue to do to ensure your data is always secure and protected with us. Apologies in advance that it’s not funny, or clever, but it is compliant!
What have we done to prepare for the GDPR?
In the months leading up to the implementation date we:
- Appointed a specific internal contact for everything GDPR. That is Nicola O’Brien and she can be contacted at email@example.com.
- Attended training workshops to ensure we were fully aware of what the regulations meant.
- Appointed a legal GDPR expert to ensure that our policies, processes and communications are GDPR compliant.
- Completed a full audit of all our suppliers, checking important details such as where they store data and their GDPR and information security policies. If they didn’t pass our audit, we are no longer working with them.
- Reviewed all of our internal processes that involve collecting and processing personal data to ensure compliance with the GDPR.
- Put processes in place to ensure data subjects’ rights are easily met, including the right to object to or restrict processing and the right to access, rectify or delete data, and ensuring we can supply a data report if required.
- Updated our website to make it very clear where consent is asked for and what it’s used for and how to withdraw it.
- Reviewed how long we retain data for and changed our processes. For example, if you provide us with data to print on a card, this will be deleted after a maximum of 30 days, or earlier if you ask us to.
- Ensured data protection is a primary consideration in all existing and new business processes.
Our Website – You are in full control of YOUR data
There is now a ‘GDPR Tool’ available in ‘Your Account’ which allows you to instantly access, change and delete your own data. You can also request a full report showing you all the data we hold on you; this will be emailed to you within a few hours.
How do you protect the data when printing cards?
Obviously, a large part of what we do is printing data onto cards, such as ID cards, membership cards and ICE (In Case of Emergency) cards. This can involve a lot of personal data, including names and photos.
This is where we become the data processor (as opposed to the controller) so we’ve updated our processes to help you to remain compliant as the data controller.
- We give you tools to securely transfer your data to us (please never email it!).
- The data does not leave our UK-based premises.
- Your data can only be accessed by specific members of the team – all of whom have been fully trained on data protection and information security.
- Our printing bureau can only be accessed by authorised personnel and your cards remain secure within our building until we hand them over to our trusted courier partner, UPS.
- Any test cards and misprints are stored in our locked recycling bin ready to be shredded on site before being sent for recycling.
- All ribbons used for printing your cards are also stored in locked bins and are removed by our waste partner to be used as waste for energy.
- All data is deleted 30 days after we dispatch your order. This gives you plenty of time to check your order and advise us of any issues. If you’d like the data to be deleted sooner than this, we can do this on demand.
All our staff have mandatory training on data protection and information security which includes the changes in data protection law brought about by the GDPR. They are specifically trained in spotting data breaches and suspicious or fraudulent activity.
Alongside data protection, we’ve been working on our information security (IS) policies and processes, and we’ve:
- Implemented a cybersecurity strategy to protect the business, our customers and data.
- Instructed an independent cybersecurity consultant to carry out internal and external vulnerability assessments, including a penetration test. The results of our internal network assessment were excellent, with only a few minor recommendations concerning less than 2% of system information. These were immediately addressed. The external penetration tests were even better, with zero security concerns.
- Upgraded our firewall.
- Gained Cyber Essentials certification.
- Started working towards ISO27001 certification.
Following the advice of our independent cybersecurity consultants, we cannot name the security solutions we use because the information is strictly internal and confidential. Passing this information to third parties could create a vulnerability. However, we can confirm that our cybersecurity measures go far beyond GDPR requirements.
If you’d like copies of any of our policies or processes then please email firstname.lastname@example.org and we’ll happily send you a copy.