Rapidity is the trading name of R.S. Price and J.P. Price. This document sets out our compliance with GDPR legislation and our use of the personal data we hold. As an IT service provider, we supply support for a number of clients on an ad-hoc basis, which requires Rapidity to gather information relating to those clients in order to support them. This includes data that we obtain from clients directly and data about the company that we obtain from other organisations.
This document sets out what personal or company data we hold, why we process or control that data, who we share this information with, and your rights in relation to the data we hold.
GDPR’s focus is on protecting the individual privacy rights of EU citizens, and compared to previous EU privacy legislation it greatly expands the definition of what constitutes personal, private data to include not just financial, government and medical records, but also genetic, cultural and social information. Businesses must now gain the explicit consent of an individual before using their personal data, and must also honour their “right to be forgotten”, i.e. to have all personal data held by the business deleted at the user’s request. Usually this would apply at the end of any contracted term, or where the data is no longer required for the purpose of supporting the client/customer.
What information do we process in relation to you or the company?
We will collect, hold and share limited information about you or the company in order to provide our services acting as your support provider.
• Personal information (such as name, business address, potential home address if required, business and mobile numbers, email address)
• Login credentials (such as email access, server management, admin rights for PCs, router and switch access, wireless controller access, backup access)
• Remote management access to PCs, in order to fix remotely any problems that occur
• Financial details (such as bank account details for billing purposes)
We may also require third-party information from you in order to support certain products or equipment.
Where do we get your data from?
We obtain all the information from you as a client when you agree for us to provide support for your business, whether that be via support agreements or on an ad-hoc basis.
We may also obtain information about you from other sources in order to provide support; this is generally done only with your business’s authorisation.
Why do we use your company or personal data?
We will process or control your data for the following reasons (not all would be applicable):
• To provide remote or on-site support for your business, including any staff within the business; we need to hold data in order to assist in the resolution of any reported technical problems
• To provide phone connectivity
• To provide internet connectivity to the premises
• To provide anti-virus support for PCs and/or server
• To provide or obtain additional services including technical advice and/or support for your business
• To communicate support or sensitive information relating to the company
Whilst the majority of processing of personal data we hold about the business will not require your consent, we will inform you if your consent is required and seek that consent before any processing takes place.
To understand GDPR as it relates to data storage and data protection, it is useful to understand the following basic terminology:
Data subject
A citizen of the EU who is identifiable by their personal data. This may include a consumer making an online purchase, a user of an IT system, a citizen accessing online services and so on: any individual providing personal information in order to use some type of service.
Processor
A commercial business, such as a cloud service provider, that acts as a contractor to a controller, i.e. to another business serving EU citizens that captures sensitive data on individuals. Examples include application hosters, storage providers, and providers of cloud services such as backup.
Right to be forgotten
The right of every EU citizen “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers and/or on their system management system.
Controller
A business operating within the EU, or outside the EU but dealing with EU residents, that captures sensitive data about EU residents in the course of its operations. This includes a provider accepting online orders, addresses and payment information from consumers, and also extends to customer records held for any service-related request.
Personal data
“Any information relating to an identified or identifiable natural person.” This is more broadly defined by the EU than by other governments, and includes the EU citizen’s name, email address, social media posts, physical, physiological or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc.
Personal data breach
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses must report every data breach incident to “the supervisory authority” within 72 hours of becoming aware of it.
Privacy Protection Failures
Our ability to attest to the privacy, integrity, accessibility and erasure of personal data relies in part on our ability to protect against, and recover from, failures affecting personal data and backups. These failures fall into three categories:
• Device failures – the physical failure of any storage hardware component, including disk drives, storage controllers and data centres.
• Security breaches – failures due to forceful, malicious attacks on IT infrastructure, including networks, servers, applications and endpoints, and including those by malicious insiders, online criminals and hostile state actors. Examples include a ransomware attack that applies strong encryption to the contents of a hard drive and demands an online payment in return for the decryption key.
• Logical or soft failures – failures due to human error. Examples include the accidental deletion or overwriting of files in the course of executing a backup procedure, accidental file data corruption due to a bug or error in a script or business application, and accidental deletion of a hard drive’s master boot record.
Your rights over the personal data we hold
In addition to protecting against the various types of data protection failure, and reporting to EU authorities when breaches occur, we as controllers have a number of obligations to the users whose personal data we store. Controllers must support the ability of users to:
• Access, read and edit their personal data
• Easily delete their personal data, either directly or with a simple request to us
• Export their personal data in an easily-readable format
Complying with user requests may not always be simple. For example, it is easy to address clear-cut requests such as “Delete my mailbox and its entire contents”, but less easy to comply with more complex or ambiguous requests such as “Delete all my information from any backups”; in practice, backup data is overwritten when the backup cycle repeats.
GDPR Requirements for Data Protection and Storage of data
We as a business have additional obligations which we must meet; these include:
• Offer sufficient guarantees that our services meet GDPR technical and organizational requirements.
• Eschew the use of subcontractors to support service contracts between the processor and our clients (controllers) without the express consent of the controller.
• On termination of a service contract or solution, remove all client data from our cloud and/or data centre infrastructure, and provide sufficient proof that we have done so.
• Report data breach incidents to the regulatory body.
Third party Solutions
As part of our day-to-day activities, it is normal practice to use third-party providers to deliver some of the services that we offer, such as anti-virus or an email client. As such, it is our responsibility to use providers that fully comply with the new legislation and work with us to protect any data that we may use in order to provide such services.
Below is a list of service providers we use to deliver some of our services. Not all of the services listed apply to every customer, and the list is provided for general information only. The important element is to demonstrate our responsibility for GDPR compliance and our commitment to use only providers that have clear policies in place to protect Rapidity and our customers.
Microsoft Office 365 – Email, OneDrive, Exchange, SharePoint, Skype for Business
If you require any further information or have any questions regarding data protection, please feel free to contact us.