Q.) Where is the data we upload to the iConnect platform stored?

For the loca­tions of where your data is stored see our Organ­i­sa­tion Agree­ment, sec­tion 18.3

 

Q. ) Is iConnect GDPR compliant and able to demonstrate compliance?

iCon­nect will be com­pli­ant with GDPR by May 25th. To review all our poli­cies and cer­tifi­cates see our GDPR page

 

Q. ) Do you have a process for deleting personal data when asked by the data controller? 

Yes — see our policies:

Data Reten­tion pol­i­cy,  The pri­va­cy notice for the web plat­form, Organ­i­sa­tion Admin Agreement

 

Q) What data does iConnect hold in relation to our organisation?

Please see the pri­va­cy notices for the web plat­form and web­site.

 

Q.) How long does iConnect store our data for?

For data where you are the Data Con­troller you man­age how long the data is stored for. See the Data Reten­tion pol­i­cy and Organ­i­sa­tion Admin Agree­ment for more information.

For data where we are the Data Con­troller, see the pri­va­cy notice for the iCon­nect web plat­form and web­site.

 

Q.) Who does iConnect share our data with?

iCon­nect does not share any data where you are the Data Con­troller and iCon­nect is the Data Processor.

For any data where iCon­nect is the Data Con­troller, we only share data with our part­ners who have been cer­ti­fied by iCon­nect to exclu­sive­ly rep­re­sent them in spe­cif­ic regions. Fur­ther infor­ma­tion on this can be found on the pri­va­cy notice for the iCon­nect web plat­form and web­site.

 

Q.) Does your organisation provide training to staff on data protection management?

All staff will be pro­vid­ed the nec­es­sary train­ing on GDPR includ­ing data pro­tec­tion man­age­ment pri­or to May 25th. Staff train­ing will be pro­vid­ed on a reg­u­lar basis.

 

Q.) What technical and organisational security measures do you have in place to protect personal data?

Please see our Secu­ri­ty Mea­sures and Con­trols doc­u­ment for our secu­ri­ty pro­vi­sions and pro­ce­dures as well as our Secu­ri­ty and Safe­guard­ing page.

 

Q.) Do you have a written policy for data protection? If yes, does it provide a procedure for data breaches and notification of customers of a breach? 

Yes see our data poli­cies on the website’s GDPR page, in par­tic­u­lar, the Data Breach Response and Noti­fi­ca­tion Procedure

 

Q.) In the event of a data breach, what is the process? 

Please see our data poli­cies on the website’s GDPR page, in par­tic­u­lar, the Data Breach Response and Noti­fi­ca­tion Procedure

 

Q.) Should there be a breach, please confirm that you notify us as soon as you are aware? 

Yes see our data poli­cies on the website’s GDPR page, in par­tic­u­lar, the Data Breach Response and Noti­fi­ca­tion Procedure

 

Q.)In the event of a breach please confirm that you will cooperate with us to report, manage and recover data that you have also had access to or use?

Yes see our data poli­cies on the website’s GDPR page, in par­tic­u­lar, the Data Breach Response and Noti­fi­ca­tion Procedure

 

Q.) Are you registered with the Information Commissioner’s Office?

Yes, iCon­nect reg­is­tered as a data proces­sor on 22nd April 2010. Our cer­tifi­cate can be found here.

 

Q.) Does your organisation have differentiated access to data depending on the level of sensitivity?

Yes, our staff have strict con­trols over who may access data and pro­to­cols for gain­ing per­mis­sion from clients if access is required. The lev­el of data access is tied to each mem­ber of staff’s role and its spe­cif­ic requirements.

 

Q.) Are data management procedures regularly reviewed?

Yes all poli­cies and pro­ce­dures are reviewed regularly

 

Q.) Who is the person responsible for data management/protection in your organisation?

iConnect’s Data Pro­tec­tion Offi­cer is Sime­on Drage who can be con­tact­ed on dpo@irisconnect.co.uk

 

Q.) What action are you taking to comply with the GDPR?

We have been exter­nal­ly audit­ed and cer­tifi­cat­ed to ensure that we com­ply with the UK Government’s Cyber Secu­ri­ty scheme. iCon­nect have com­plet­ed an addi­tion­al exter­nal audit of all of its ser­vices and teams to ensure that it will be ful­ly com­pli­ant with GDPR by 25 May 2018. To sup­port our com­pli­ance on this date, iCon­nect has reviewed all its poli­cies and pro­ce­dures which are avail­able on our web­site.

 

Q.) Do you have any information management accreditation?

We have had an exter­nal audit by a Qual­i­fied Secu­ri­ty Asses­sor con­ferred by the PCI Secu­ri­ty Stan­dards Coun­cil. This includ­ed a gap analy­sis against the inter­na­tion­al stan­dard: ISO 27001 which we are now work­ing towards and expect to become accred­it­ed dur­ing 2019.

 

Q.) Do you provide a processor contract that is updated to reflect the GDPR changes including?

  • That you help the data con­troller com­ply with require­ments regard­ing the data rights of the indi­vid­u­als (e.g. to access, delete or rec­ti­fy data), secure pro­cess­ing, the report­ing and com­mu­ni­ca­tion of data breach­es, and the con­duct­ing of impact assess­ments where relevant
  • That the data proces­sor (iCon­nect) process­es data only on the doc­u­ment­ed instruc­tions of the data controller
  • That you delete or return the per­son­al data to the data con­troller at the end of your pro­vi­sion of services
  • That you make infor­ma­tion avail­able to us to demon­strate your com­pli­ance with the oblig­a­tions in our con­tract, and allow the data con­troller or a 3rd par­ty instruct­ed by the data con­troller to con­duct audits and inspections
  • The sub­ject mat­ter, dura­tion, nature and pur­pose of the processing
  • The data con­trollers oblig­a­tions and rights 
  • The type of per­son­al data being processed
  • The cat­e­gories of the data subjects
  • That the peo­ple who process the data are com­mit­ted to confidentiality
  • That you take mea­sures to ensure secure processing
  • That you will not engage anoth­er proces­sor with­out pri­or writ­ten autho­ri­sa­tion from the Trust, and that if you do so, that proces­sor will also be bound by the same data pro­tec­tion con­di­tions as are in your con­tract with us

Yes we have updat­ed our Orga­ni­za­tion Agree­ment which acts as a proces­sor agree­ment. All orga­ni­za­tions will be required to agree to this to con­tin­ue to use our ser­vices. A copy of the agree­ment is here. Admin users will agree to this agree­ment via the iCon­nect Web Platform.

 

Q.) Does iConnect process only on documented instructions, including international transfers? Does iConnect only use the data we provide or that you access from our organisations in accordance with our instructions?

Yes, this is cov­ered in the Orga­ni­za­tion Agree­ment, Sec­tion 10.4.1: Customer’s Instructions.

 

Q.) Does iConnect ensure those processing personal data are under a confidentiality obligation (contractual or statutory)?

Yes all iCon­nect employ­ees have agreed to a con­fi­den­tial­i­ty oblig­a­tion via their employ­ment contract.

 

Q.) Does iConnect ensure that anyone in your organisation understands the data they have access to is confidential and must not be shared with anyone without the data controller’s prior agreement?

Yes, this is cov­ered in the Orga­ni­za­tion Agree­ment, Sec­tion 12.1.2:  Secu­ri­ty Com­pli­ance by iCon­nect Staff

 

Q.) Does iConnect take all measures required under the security provisions (Article 32) which includes pseudonymisation and encrypting data as appropriate? 

Yes, for details about our secu­ri­ty see our Secu­ri­ty Mea­sures and Con­trols doc­u­ment for our secu­ri­ty pro­vi­sions and pro­ce­dures as well as our Secu­ri­ty and Safe­guard­ing page

 

Q.) Does iConnect take all steps to keep data secure, whether it is paper records, emails, digital or electronic?

Yes, for details about our secu­ri­ty see our Secu­ri­ty Mea­sures and Con­trols doc­u­ment for our secu­ri­ty pro­vi­sions and pro­ce­dures as well as our Secu­ri­ty and Safe­guard­ing page

 

Q.) Does iConnect only use a sub-processor (subcontractor) with the controller’s consent (specific or general, although where general consent is obtained processors must notify changes to controllers, giving them an opportunity to object)? 

Yes, this is cov­ered in the Orga­ni­za­tion Agree­ment 19.4 Oppor­tu­ni­ty to Object to Sub­proces­sor Changes. Infor­ma­tion on our proces­sors and data shar­ing can be found in the web plat­form pri­va­cy notice.

 

Q.) If you subcontract any part of the task, and personal information and data is required by that subcontractor, you will seek and obtain our consent before proceeding?

Yes, this is cov­ered in the Orga­ni­za­tion Agree­ment 19.4 Oppor­tu­ni­ty to Object to Sub­proces­sor Changes. Infor­ma­tion on our proces­sors and data shar­ing can be found in the web plat­form pri­va­cy notice.

 

Q.) Does iConnect assist the controller in responding to requests from individuals (data subjects) exercising their rights? 

Yes this is cov­ered in the Orga­ni­za­tion Agree­ment sec­tion 17. Data Sub­ject Rights; Data Export

 

Q.) On occasion, we may receive a request to release information that we hold about an individual, whose data you have used or processed on our behalf. Please confirm that in those situations you will cooperate with us and provide all records about the person within a specified timeframe?

Yes this is cov­ered in the Orga­ni­za­tion Agree­ment sec­tion 17. Data Sub­ject Rights; Data Export

 

Q.) Does iConnect delete or return (at the controller’s choice) all personal data at the end of the agreement (unless storage is required by EU/member state law)?

Yes, this is cov­ered in the Orga­ni­za­tion Agree­ment sec­tion 7.3.5  Ter­mi­na­tion due to Non-Renew­al of Subscription/Licence.

 

Q.) Does iConnect make available to the controller all information necessary to demonstrate compliance; allow/contribute to audits (including inspections) and inform the controller if its instructions infringe data protection law?

Yes, all nec­es­sary infor­ma­tion can be found on the GDPR page of our website

iCon­nect per­mits audits, this is cov­ered in the Orga­ni­za­tion Agree­ment sec­tion 15.2  Customer’s Audit Rights.

iCon­nect will process data in pro­vid­ing it does­n’t infringe on data pro­tec­tion law. See Orga­ni­za­tion Agree­ment sec­tion 10.4.1 Customer’s Instruc­tions.