HBP Monpellier Limited take the security of data (both our own and our customers’) very seriously. This statement aims to describe a framework under which HBP Monpellier Limited can assure all concerned that their data is secure, that all staff are fully aware of GDPR legislation and that procedures are reviewed on an ongoing basis to ensure full and continued compliance.
As a provider of IT solutions, we have been exposed to GDPR legislation for some time. All of our staff are fully aware of the requirements. All staff have been encouraged to review documentation and ensure they understand compliance, and they are aware of the internal procedures should they have any concerns regarding non-compliance. GDPR awareness has been added to our internal induction process.
Information We Hold
HBP Monpellier Limited are in an unusual position in terms of holding data, as we have our own internal data which contains information regarding staff and our customers/suppliers. We also offer software services which include importing data from one financial system to another, demonstrating a company’s data in new versions of software and downloading data for support services, and there are numerous other reasons for HBP Monpellier Limited to access data.
In terms of internal data, this is all held securely on a hosted platform accessible only with the correct level of password security. This is controlled by internal management.
In terms of customer data, the following has been adopted internally as best practice.
Data is required for a great number of reasons; we would not be able to offer the same level of service if we could not access customers’ data.
Should we need to access customers’ data, it will be used for the purpose initially decided upon and then the data will be deleted. The initial backups will also be deleted.
If data is to be copied onto mobile devices (laptops) for demonstration purposes, it will be removed once the demonstration is over and the data has no further use. Laptops will always be password protected so that if a device is lost or stolen, data cannot be accessed. Should a device be lost or stolen and it does contain demonstration data, the customer whose data is concerned will be informed immediately.
In conclusion, staff at HBP Monpellier Limited will have the need to access customer data and download data for the purpose of carrying out our business. However, once that data has been used and is no longer useful, it will be deleted.
Communicating Privacy Information
This statement forms only an introduction to the policies of HBP Monpellier Limited. We are constantly reviewing our internal policies and documentation (contracts of employment, contracts of engagement, purchase agreements, etc.) to ensure full and continued GDPR compliance.
HBP Monpellier Limited will respect the rights of individuals as set out by GDPR. These rights are listed below:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Subject Access Requests
HBP Monpellier Limited has a procedure for managing Subject Access Requests (SARs). Data would be provided as soon as practically possible.
Lawful Basis for Processing Personal Data
HBP Monpellier Limited would only process their own internal data. Should HBP Monpellier Limited have copies of customer data, this would be used purely for the tasks outlined at the beginning of the process. Customers’ data would NEVER be used for any internal purposes and would NEVER be provided to third parties for any purpose other than advanced data investigation.
HBP Monpellier have an implied consent to look at and manipulate data. As a software support provider, this is the nature of the business.
However, some customers may feel that a third party having copies of their data compromises their position under GDPR. In such circumstances, HBP Monpellier Limited will work with the customer to ensure a compliant position can be reached. Whether this is written consent as a ‘one off’ or written consent ‘on access’, we will devise a system which will make the customer compliant and NOT affect the level and speed of service offered.
NOTE: GDPR legislation is new and there are no precedents for us to work towards. This will be an evolving process which HBP Monpellier Limited will be reviewing all the time.
At the current point in time, HBP Monpellier Limited do not process any data relating to children and it is not envisaged that this position will change.
HBP Monpellier Limited operate on a hosted platform supplied by PCI Services Limited. As part of their GDPR compliance, PCI Services Limited have procedures in place to identify and report any suspicious access to their infrastructure.
All other PCs and laptops at HBP Monpellier are password protected. Should a piece of equipment be lost or stolen, this would be reported to management immediately and any potential compromise of data would be communicated to the parties concerned.
Data Protection by Design and Data Protection Impact Assessment
HBP Monpellier Limited are working closely with a fully qualified GDPR consultant to implement the General Data Protection Regulation. This will be an ongoing process to ensure full compliance now and in the future.
Data Protection Officers
An internal Data Protection Officer has been designated by HBP Monpellier Limited. They will have full responsibility for implementation and the continued review of the General Data Protection Regulation.
Although HBP Monpellier Limited do have customer sites within other EU countries (and around the world), we would be dealing with them and accessing their data via UK based contacts. HBP Monpellier Limited does not have an office in any country other than England.