Sandgate Systems Ltd (Every) Commitment

The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.

Sandgate Systems Ltd has always complied with and followed the principles and practices of the Data Protection Act and therefore many of the principles and fundamental processes have been in place for the life of the company. These have now been reviewed and enhanced in relation to GDPR. Sandgate Systems Ltd is committed to following the principles and practices of GDPR.

Sandgate Systems Ltd is both a Data Controller and a Data Processor under GDPR. This statement primarily relates to the use of personal data within Sandgate Systems Ltd’s customer facing operations including the use of personal data as a Data Controller for sales, marketing and customer services purposes, and the processing of personal data as a Data Processor on behalf of customers.

Below is some key information relating to systems and processes.

Data Security

Sandgate Systems Ltd has comprehensive technical and organisational security measures in place to mitigate against a data breach. Details are specified in the Information Governance and Security Policy which is available to customers on request.

The areas covered by the measures are:

Physical security
Staff training
Data centre security and processes
Data Access Control
Penetration testing
Backup systems
Security measures include (but are not limited to):

ISO 27001 certified data centres
CCTV coverage
Monitored alarm systems
RFID badge-controlled access
Physical access limited to specific necessary personnel
At least N+1 UPS, generators and HVAC
Audited Data Access control systems
Data Locations and Sub-Processors

Data for which Sandgate Systems Ltd is a Data Processor (for example: Customer data)

All data is held within the (European Economic Area) EEA, no data is sent outside the EEA. All data resides in the UK (Leeds, Reading, Dunsfold and London).

Sandgate Systems Ltd uses sub-processors for some parts of data (for example, data is stored on Servers which are hosted using a third party). All sub-processors are GDPR compliant and have contracts in place.

Data for which Sandgate Systems Ltd is a Data Controller (for example: staff data, CRM data)

All data is held within the (European Economic Area) EEA, or locations with Privacy Shield or equivalent data protection agreements in place. Sandgate Systems Ltd uses sub-processors for some parts of data. All sub-processors are GDPR compliant and have contracts in place with them.

Contractual Obligations

Our contracts and terms of service are being updated to comply with GDPR, these amendments will be notified to customers directly.

Product support for GDPR

Removal of data

Customers are responsible for deciding what data is held in the system and how long it is retained for. In order to assist customers with their obligations, the removal of personal data is available through technical support and the system will be extended to allow the deletion of data by Admin users.

The process is as follows:

1. Data can be filtered by date entered or processed using standard functionality to find data entered outside a timescale (e.g. 3 years)
2. Data can be archived, so that it is only visible to Administrator users.
3. Data can then be permanently deleted by Administrator users.
Access to data

The systems allow different user level controls for accessing data; data can be segregated by User, User Level, Category and Property. The customer is responsible for allocating appropriate user levels to its users.

Data Breach Policy

Under the GDPR, any data breach must be notified to the Data Controller (or the ICO where Sandgate Systems Ltd is the data controller and the breach is sufficiently serious) without undue delay. Sandgate Systems Ltd has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller or ICO as applicable.

Where Sandgate Systems Ltd is the Data Processor, Sandgate Systems Ltd would provide the Data Controller with:

A description of the nature of the breach
Contact details of the responsible data protection officer or any other contact person
Likely consequences of the breach
Proposed and imposed measures that were taken to limit harmful effects
Retention Periods

Retention periods of data in respect of which Sandgate Systems Ltd is data controller are covered in the Privacy Policy. Customers are responsible for determining their own retention periods for data stored within the systems and held by Sandgate Systems Ltd as data processor and by default this data will be deleted from live systems 60 days after the customer contract terminates unless there is a legal requirement to hold it for a longer period. The customer can request a copy of the data during this 60 day time period.

Data Protection Officer

Sandgate Systems Ltd is registered with the Information Commissioner’s Office (reference: ZA185106) and has paid all applicable fees.

Although not required to do so by GDPR, Sandgate Systems Ltd has chosen to designate a Data Protection Officer (DPO) on the Executive Board, who has full responsibility for all matters relating to data protection and GDPR compliance.

The DPO ensures that Sandgate Systems Ltd is accountable and transparent to all relevant authorities.

To contact the DPO please email [email protected]