Q.) Where is the data we upload to the iConnect platform stored?

For the locations where your data is stored, see our Organisation Agreement, section 18.3.

Q.) Is iConnect GDPR compliant and able to demonstrate compliance?

iConnect will be compliant with GDPR by May 25th. To review all our policies and certificates, see our GDPR page.

Q.) Do you have a process for deleting personal data when asked by the data controller?

Yes – see our policies:

  • Data Retention policy
  • The privacy notice for the web platform
  • Organisation Admin Agreement

Q.) What data does iConnect hold in relation to our organisation?

Please see the privacy notices for the web platform and website.

Q.) How long does iConnect store our data for?

For data where you are the Data Controller, you manage how long the data is stored for. See the Data Retention policy and Organisation Admin Agreement for more information.

For data where we are the Data Controller, see the privacy notice for the iConnect web platform and website.

Q.) Who does iConnect share our data with?

iConnect does not share any data where you are the Data Controller and iConnect is the Data Processor.

For any data where iConnect is the Data Controller, we only share data with our partners who have been certified by iConnect to exclusively represent them in specific regions. Further information on this can be found on the privacy notice for the iConnect web platform and website.

Q.) Does your organisation provide training to staff on data protection management?

All staff will be provided with the necessary training on GDPR, including data protection management, prior to May 25th. Staff training will be provided on a regular basis.

Q.) What technical and organisational security measures do you have in place to protect personal data?

Please see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

Q.) Do you have a written policy for data protection? If yes, does it provide a procedure for data breaches and notification of customers of a breach?

Yes, see our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

Q.) In the event of a data breach, what is the process?

Please see our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

Q.) Should there be a breach, please confirm that you notify us as soon as you are aware?

Yes, see our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

Q.) In the event of a breach, please confirm that you will cooperate with us to report, manage and recover data that you have also had access to or use?

Yes, see our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

Q.) Are you registered with the Information Commissioner’s Office?

Yes, iConnect registered as a data processor on 22nd April 2010. Our certificate can be found here.

Q.) Does your organisation have differentiated access to data depending on the level of sensitivity?

Yes, we have strict controls over which staff may access data, and protocols for gaining permission from clients where access is required. The level of data access is tied to each member of staff’s role and its specific requirements.

Q.) Are data management procedures regularly reviewed?

Yes, all policies and procedures are reviewed regularly.

Q.) Who is the person responsible for data management/protection in your organisation?

iConnect’s Data Protection Officer is Simeon Drage, who can be contacted at dpo@irisconnect.co.uk.

Q.) What action are you taking to comply with the GDPR?

We have been externally audited and certificated to ensure that we comply with the UK Government’s Cyber Security scheme. iConnect has completed an additional external audit of all of its services and teams to ensure that it will be fully compliant with GDPR by 25 May 2018. To support our compliance on this date, iConnect has reviewed all its policies and procedures, which are available on our website.

Q.) Do you have any information management accreditation?

We have had an external audit by a Qualified Security Assessor certified by the PCI Security Standards Council. This included a gap analysis against the international standard ISO 27001, which we are now working towards and expect to become accredited to during 2019.

Q.) Do you provide a processor contract that is updated to reflect the GDPR changes, including:

  • That you help the data controller comply with requirements regarding the data rights of the individuals (e.g. to access, delete or rectify data), secure processing, the reporting and communication of data breaches, and the conducting of impact assessments where relevant
  • That the data processor (iConnect) processes data only on the documented instructions of the data controller
  • That you delete or return the personal data to the data controller at the end of your provision of services
  • That you make information available to us to demonstrate your compliance with the obligations in our contract, and allow the data controller or a 3rd party instructed by the data controller to conduct audits and inspections
  • The subject matter, duration, nature and purpose of the processing
  • The data controller’s obligations and rights
  • The type of personal data being processed
  • The categories of the data subjects
  • That the people who process the data are committed to confidentiality
  • That you take measures to ensure secure processing
  • That you will not engage another processor without prior written authorisation from the Trust, and that if you do so, that processor will also be bound by the same data protection conditions as are in your contract with us

Yes, we have updated our Organization Agreement, which acts as a processor agreement. All organizations will be required to agree to this to continue to use our services. A copy of the agreement is here. Admin users will agree to this agreement via the iConnect Web Platform.

Q.) Does iConnect process only on documented instructions, including international transfers? Does iConnect only use the data we provide or that you access from our organisations in accordance with our instructions?

Yes, this is covered in the Organization Agreement, Section 10.4.1: Customer’s Instructions.

Q.) Does iConnect ensure those processing personal data are under a confidentiality obligation (contractual or statutory)?

Yes, all iConnect employees have agreed to a confidentiality obligation via their employment contract.

Q.) Does iConnect ensure that anyone in your organisation understands the data they have access to is confidential and must not be shared with anyone without the data controller’s prior agreement?

Yes, this is covered in the Organization Agreement, Section 12.1.2: Security Compliance by iConnect Staff.

Q.) Does iConnect take all measures required under the security provisions (Article 32), which include pseudonymisation and encrypting data as appropriate?

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

Q.) Does iConnect take all steps to keep data secure, whether it is paper records, emails, digital or electronic?

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

Q.) Does iConnect only use a sub-processor (subcontractor) with the controller’s consent (specific or general, although where general consent is obtained processors must notify changes to controllers, giving them an opportunity to object)?

Yes, this is covered in the Organization Agreement, section 19.4: Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.

Q.) If you subcontract any part of the task, and personal information and data is required by that subcontractor, you will seek and obtain our consent before proceeding?

Yes, this is covered in the Organization Agreement, section 19.4: Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.

Q.) Does iConnect assist the controller in responding to requests from individuals (data subjects) exercising their rights?

Yes, this is covered in the Organization Agreement, section 17: Data Subject Rights; Data Export.

Q.) On occasion, we may receive a request to release information that we hold about an individual, whose data you have used or processed on our behalf. Please confirm that in those situations you will cooperate with us and provide all records about the person within a specified timeframe?

Yes, this is covered in the Organization Agreement, section 17: Data Subject Rights; Data Export.

Q.) Does iConnect delete or return (at the controller’s choice) all personal data at the end of the agreement (unless storage is required by EU/member state law)?

Yes, this is covered in the Organization Agreement, section 7.3.5: Termination due to Non-Renewal of Subscription/Licence.

Q.) Does iConnect make available to the controller all information necessary to demonstrate compliance; allow/contribute to audits (including inspections) and inform the controller if its instructions infringe data protection law?

Yes, all necessary information can be found on the GDPR page of our website.

iConnect permits audits; this is covered in the Organization Agreement, section 15.2: Customer’s Audit Rights.

iConnect will process data providing that doing so doesn’t infringe data protection law. See the Organization Agreement, section 10.4.1: Customer’s Instructions.