Privacy Policy and GDPR Compliance

EU General Data Protection Regulation

Corrilan IT Consultancy Ltd

Document Last Updated 25th May 2018

Author: Jason Bassett

What Data Do We Hold On Clients?

Contact Details and Interaction History

Contact information for clients (both business and domestic) is held within our SugarCRM database (manufacturers website is https://www.sugarcrm.com). Contact information held on each client is as follows:

• Company name

• First name

• Last name

• Gender

• Ethnicity

• Mailing addresses

• Email addresses

• Telephone numbers

• Fax numbers

• Lead source

• Telephone call recordings

• Social media handles

A history of contact with the client is also stored within SugarCRM – such as telephone calls, site visits, what was discussed etc. This aids us in providing a better service to the client as we know the history of work undertaken.

• Our SugarCRM database is hosted on an internal server located at our head office.

• It is accessible both internally and externally (via a VPN connection) using address https://crm.corrilan.com

• Secure http is used for communication between the server and viewing client web browsers.

Passwords and Login Credentials

We hold a record of password and login details for a range of our clients as we undertake many aspects of their IT needs on their behalf, requiring such details.

Password and login details are stored in an encrypted database using the open source password manager KeePassX (manufacturers website is https://www.keepassx.org). Encryption is achieved using an AES 256 bit encryption key.

Where Do We Obtain The Data?

Client data as described above is obtained from the clients themselves. Contact information is obtained on initial interaction with the client and client history is built up upon each further contact whether that be by email, telephone, fax, social media, online interaction or in person.

How Do We Use The Data?

• Contact the client when they request it.

• Provide follow up call to ensure that the client is happy with recent work.

• Provide a checkup reminder (every six months) to see if the client would like any further work performed.

• Provide occasional (less than monthly) marketing emails and telephone calls.

• Provide occasional (monthly) newsletters.

Client Consent for Obtaining Data

Permission to store the clients details is obtained in person or over the telephone and is recorded within SugarCRM along with date of granted permission. When first visiting a new client, an electronic or paper based permission form is presented detailing our procedures. This is signed by the client and files for future reference.

Children

We trade only with adults aged 18 and over. If work is to be carried out on equipment owned/operated by anyone under 18, the work is booked under a parent/guardian.

Backups of Data

When backing up our own infrastructure, we do not make use of any third party (cloud) backup services. All backups of our systems are stored on our own infrastructure, at our office and the homes of our directors. Backed up data is transferred via an encrypted Internet connection and is stored on encrypted servers.

Our backup services and infrastructure sold to customers are provided by Safe Data Storage Ltd (Eastern House Clarence Court Rushmorehill, Orpington BR6 7LZ). Backed up data is transferred to Safe Data Storage Ltd via an encrypted Internet connection and is stored on encrypted servers.

Staff Access To Client Data

Client data as described above is accessible only to two individuals, the management of Corrilan IT Consultancy Ltd – Jason Bassett and James Cordell.

Third Party Access To Client Data

With client permission, we may pass client details onto a partner company, MMPC Solutions (9 Argyll Road, Grays, Thurrock, Essex, RM17 5BS) in order that they can provide adequate cover when Corrilan IT Consultancy Ltd is busy or closed.

How Would We Provide Data To A Client If Requested Via A Subject Access Request (SAR)?

1. Validate and verify the identity of the individual by contacting them by telephone (using our stored contact number in SugarCRM).

2. Extract requested data from our systems and provide as an Adobe Reader .pdf file attachment to their email address as listed in SugarCRM.

3. Create record of Subject Access Request and actions taken in SugarCRM.

Rights Over Your Personal Data

You may request that we erase your personal data that we hold on our systems. This does not include data which we may be legally obliged to keep. If you request that we erase your data, our ability to assist with future queries and work may be impeded as we will not have a history of client interactions.

Data Breaches

In the event of a data breach, we will contact and alert the Information Commissioners Office (https://ico.org.uk). Affected individuals or companies will be informed of a data breach involving their data.

Data Protection Officers

As Corrilan IT Consultancy Ltd has less than 250 employees, it is exempt from having a Data Protection Officer. It does however have a Data Protection Manager. Jason Bassett is the designated Data Protection Manager (DPM), Jason Bassett is responsible for data protection compliance and can be contacted at enquiries@corrilan.com.

What security precautions are in place for Corrilan IT Consultancy Ltd infrastructure?

Operating Systems

GNU/Linux

All desktops, laptops and servers run the GNU/Linux Operating System as their primary Operating System. We use such a system due to its more secure nature over alternatives.

Microsoft Windows

Microsoft Windows 10 is only used as a virtual machine on one engineers laptop. Microsoft Windows is only used for applications where equivalent software is not available for GNU/Linux – currently only used for Citrix GoToAssist to provide remote support to clients on Microsoft Windows, Apple Mac and Android devices.

No other version of Microsoft Windows is currently used.

Other Operating Systems

• Corrilan IT Consultancy Ltd currently use no other Operating Systems.

• No company owned tablets or smartphones are in use.

• Employees use their own Apple iPad and Android smartphone at times, both with full disk encryption and locking after a short while of non use.

• Business mobile phone is a Nokia 2720 Fold with its own proprietary Nokia system.

Operating System and Software updates

GNU/Linux, Microsoft Windows 10 and application updates are installed regularly – at least once per week.

Full Disk Encryption

All desktops, laptops and servers run full disk encryption with the credentials stored in an encrypted password manager.

Encrypted Home Directories

All desktops, laptops and servers have encrypted home directories with the credentials stored in an encrypted password manager. Login passwords are required before the user interface is accessible – no automatic login is used.

When a desktop, laptop or server is left for 10 minutes, it will lock automatically. The login password will need to be re-entered to unlock the desktop of the machine.

Command line virtual terminals outside of the GUI will not lock automatically as this is not possible (as far as our extensive research has shown) – we therefore advise not leaving machines logged in when waiting for processes to complete and to either use “GNU vlock” or preferably a “GNU Screen” session instead.

Standard and Administrator user accounts

All desktops, laptops and servers have Standard restricted accounts for normal everyday use and an Administrator account for systems administration use. All user accounts are password protected.

CMOS and boot passwords

All laptops, desktops and servers have a CMOS password set which is required to access and/or make changes to the CMOS settings. A boot password is also set to provide an extra layer of security, but only on laptops that are at greater risk of theft as they are removed from premises.

Encrypted Web Services

All Corrilan IT Consultancy Ltd websites (not those of our clients unless they request it) are encrypted using HTTPS with SSL certificates.

Encrypted Email Services

The Corrilan IT Consultancy Ltd email system is encrypted using SSL certificates over POP3, IMAP, SMTP and SMTPD.

Virtual Private Network (VPN)

Corrilan IT Consultancy Ltd operate a VPN server for all business related communications between the head office and the directors home computer networks (manufacturers website is https://www.openvpn.net).

VPN certificates are also issued for use on any external laptop which may be used for business related communications in a “Road Warrior” configuration .

Antivirus Software

The Microsoft Windows 10 virtual machine runs Microsoft Windows Defender. The virtual machine is set to be “Immutable” so each time it is booted, it resets itself to a clean state.

The GNU/Linux systems run ClamAV antivirus (manufacturers website is https://www.clamav.net).

Web Browser Security

• Web browsers on all machines are configured to clear their cache upon exit.

• Web browsers do not offer to save login credentials or other information.

Bring Your Own Device (BYOD)

• Employees use their own Apple iPad and Android smartphone at times, both with full disk encryption and locking after a short while of non use.

Our Websites

Cookies

We do not currently use cookies on our own websites, should this change in the future, we will update this document.

Embedded content from other websites

Articles on our websites may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.