EU General Data Protection Regulation
Corrilan IT Consultancy Ltd
Document Last Updated 25th May 2018
Author: Jason Bassett
Table of Contents
Contact information for clients (both business and domestic) is held within our SugarCRM database (manufacturers website is https://www.sugarcrm.com). Contact information held on each client is as follows:
Telephone call recordings
Social media handles
A history of contact with the client is also stored within SugarCRM – such as telephone calls, site visits, what was discussed etc. This aids us in providing a better service to the client as we know the history of work undertaken.
Our SugarCRM database is hosted on an internal server located at our head office.
It is accessible both internally and externally (via a VPN connection) using address https://crm.corrilan.com
Secure http is used for communication between the server and viewing client web browsers.
We hold a record of password and login details for a range of our clients as we undertake many aspects of their IT needs on their behalf, requiring such details.
Password and login details are stored in an encrypted database using the open source password manager KeePassX (manufacturers website is https://www.keepassx.org). Encryption is achieved using an AES 256 bit encryption key.
Client data as described above is obtained from the clients themselves. Contact information is obtained on initial interaction with the client and client history is built up upon each further contact whether that be by email, telephone, fax, social media, online interaction or in person.
Contact the client when they request it.
Provide follow up call to ensure that the client is happy with recent work.
Provide a checkup reminder (every six months) to see if the client would like any further work performed.
Provide occasional (less than monthly) marketing emails and telephone calls.
Provide occasional (monthly) newsletters.
Permission to store the clients details is obtained in person or over the telephone and is recorded within SugarCRM along with date of granted permission. When first visiting a new client, an electronic or paper based permission form is presented detailing our procedures. This is signed by the client and files for future reference.
We trade only with adults aged 18 and over. If work is to be carried out on equipment owned/operated by anyone under 18, the work is booked under a parent/guardian.
When backing up our own infrastructure, we do not make use of any third party (cloud) backup services. All backups of our systems are stored on our own infrastructure, at our office and the homes of our directors. Backed up data is transferred via an encrypted Internet connection and is stored on encrypted servers.
Our backup services and infrastructure sold to customers are provided by Safe Data Storage Ltd (Eastern House Clarence Court Rushmorehill, Orpington BR6 7LZ). Backed up data is transferred to Safe Data Storage Ltd via an encrypted Internet connection and is stored on encrypted servers.
Client data as described above is accessible only to two individuals, the management of Corrilan IT Consultancy Ltd – Jason Bassett and James Cordell.
With client permission, we may pass client details onto a partner company, MMPC Solutions (9 Argyll Road, Grays, Thurrock, Essex, RM17 5BS) in order that they can provide adequate cover when Corrilan IT Consultancy Ltd is busy or closed.
Validate and verify the identity of the individual by contacting them by telephone (using our stored contact number in SugarCRM).
Extract requested data from our systems and provide as an Adobe Reader .pdf file attachment to their email address as listed in SugarCRM.
Create record of Subject Access Request and actions taken in SugarCRM.
You may request that we erase your personal data that we hold on our systems. This does not include data which we may be legally obliged to keep. If you request that we erase your data, our ability to assist with future queries and work may be impeded as we will not have a history of client interactions.
In the event of a data breach, we will contact and alert the Information Commissioners Office (https://ico.org.uk). Affected individuals or companies will be informed of a data breach involving their data.
As Corrilan IT Consultancy Ltd has less than 250 employees, it is exempt from having a Data Protection Officer. It does however have a Data Protection Manager. Jason Bassett is the designated Data Protection Manager (DPM), Jason Bassett is responsible for data protection compliance and can be contacted at firstname.lastname@example.org.
All desktops, laptops and servers run the GNU/Linux Operating System as their primary Operating System. We use such a system due to its more secure nature over alternatives.
Microsoft Windows 10 is only used as a virtual machine on one engineers laptop. Microsoft Windows is only used for applications where equivalent software is not available for GNU/Linux – currently only used for Citrix GoToAssist to provide remote support to clients on Microsoft Windows, Apple Mac and Android devices.
No other version of Microsoft Windows is currently used.
Corrilan IT Consultancy Ltd currently use no other Operating Systems.
No company owned tablets or smartphones are in use.
Employees use their own Apple iPad and Android smartphone at times, both with full disk encryption and locking after a short while of non use.
Business mobile phone is a Nokia 2720 Fold with its own proprietary Nokia system.
GNU/Linux, Microsoft Windows 10 and application updates are installed regularly – at least once per week.
All desktops, laptops and servers run full disk encryption with the credentials stored in an encrypted password manager.
All desktops, laptops and servers have encrypted home directories with the credentials stored in an encrypted password manager. Login passwords are required before the user interface is accessible – no automatic login is used.
When a desktop, laptop or server is left for 10 minutes, it will lock automatically. The login password will need to be re-entered to unlock the desktop of the machine.
Command line virtual terminals outside of the GUI will not lock automatically as this is not possible (as far as our extensive research has shown) – we therefore advise not leaving machines logged in when waiting for processes to complete and to either use “GNU vlock” or preferably a “GNU Screen” session instead.
All desktops, laptops and servers have Standard restricted accounts for normal everyday use and an Administrator account for systems administration use. All user accounts are password protected.
All laptops, desktops and servers have a CMOS password set which is required to access and/or make changes to the CMOS settings. A boot password is also set to provide an extra layer of security, but only on laptops that are at greater risk of theft as they are removed from premises.
All Corrilan IT Consultancy Ltd websites (not those of our clients unless they request it) are encrypted using HTTPS with SSL certificates.
The Corrilan IT Consultancy Ltd email system is encrypted using SSL certificates over POP3, IMAP, SMTP and SMTPD.
Corrilan IT Consultancy Ltd operate a VPN server for all business related communications between the head office and the directors home computer networks (manufacturers website is https://www.openvpn.net).
VPN certificates are also issued for use on any external laptop which may be used for business related communications in a “Road Warrior” configuration .
The Microsoft Windows 10 virtual machine runs Microsoft Windows Defender. The virtual machine is set to be “Immutable” so each time it is booted, it resets itself to a clean state.
The GNU/Linux systems run ClamAV antivirus (manufacturers website is https://www.clamav.net).
Articles on our websites may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.