The Future Of UK Data Protection
How does Memset ensure compliance with GDPR?
Memset operates an ISO27001 accredited Compliance Management System that includes all relevant GDPR requirements. These include:
- Regular data audit and mapping activities including lawful basis for processing
- Ongoing gap analysis and mitigation against any new legislative changes (including Codes of Practice)
- Continual analysis of technical and procedural security controls
- Customer and supplier contractual management
- Documentation and records management
- Management of public and internal-facing data protection verbiage including Privacy notices, points of contact, etc.
- Public points of contact for any data protection concerns
- Regular engagement with external expertise (TechUK Data Protection Group, specialist consulting agencies, ICO)
Frequently asked GDPR questions
Who is Memset's Data Protection Officer?
Do Memset systems undergo regular penetration testing?
Memset undergoes at least annual third-party penetration testing, with additional ad-hoc testing performed for new or particularly relevant systems. Memset also maintains qualified internal penetration testing resources for ad-hoc testing.
What third-party organisations does Memset work with that may also have access to the data shared by customers?
Memset maintains a list of current third parties that may have access to shared data in the Data Protection Addendum. In practice, the list of third parties with potential access to customer data uploaded onto their hosting infrastructure (as opposed to account-level data collected from the customer by Memset for the purposes of service provision) is limited to the following:
- Everest Data Centres Ltd – Data centre colocation provider
All security or data-impacting suppliers undergo at least annual security and compliance review and are required to maintain an executed contract with Memset that flows down all relevant contractual data protection requirements from our customers to the supplier.
Who has access to Customer data?
The categories of people with some form of access (physical or logical) to customer hosting infrastructure (and therefore potentially to hosted data) are as follows:
- Memset Support Engineers
- Memset System Administrators
- Memset Data Centre Operations Technicians
- Everest Ltd Data Centre Operations Technicians (For solutions hosted in our Reading data centre)
Where is Customer data hosted?
All Customer Hosted Data (i.e. data uploaded by the customer onto their Hosting Infrastructure) resides within UK-based data centres. Additionally, all personnel with logical or physical access to customer Hosting Infrastructure are based in, and employed from within, the UK.
Customer data collected by Memset for the purposes of account management and/or marketing (i.e. where Memset is the Data Controller) may be hosted in systems provided by third parties outside of the EEA. In all cases appropriate audit, security and data protection controls (Privacy Shield, BCRs, etc.) are in place and regularly reviewed.
How can Memset help with GDPR?
Memset will shortly make available a comprehensive Customer Assurance Pack to all customers and opportunities under NDA, providing maximum transparency of our services, of the security and governance controls protecting them, and of the steps customers can take to maximise the security and data privacy configuration of their services. We will provide extended audit rights to all customers as per GDPR requirements.
Memset provides a range of services that can be used to build a strong security wrapper around a customer hosting solution, including management and reporting of security and compliance controls around data protection. Please contact your sales person or Account Manager for more information.
Does Memset have a dedicated security team?
Memset maintains a dedicated security team led by the Head of Security. Memset additionally maintains an independent Head of Compliance with seconded, formally qualified Internal Auditors from within the business.
Both the Head of Security and Head of Compliance maintain permanent seats on the Operational Board of the company and report regularly to the Executive Board. The Heads of Security and Compliance report directly to the COO/Deputy MD responsible for strategy and day-to-day management of the company.
What is Memset’s formal procedure for reporting on data leaks?
As a Data Processor, Memset has contractually committed to informing customers of incidents that have or may credibly have impacted on their data ‘without undue delay.’ In practice we interpret that as ensuring that you have received appropriate notification within the 72-hour time window, to allow you to comply with your responsibilities as a Data Controller.
As a Data Controller, Memset will inform the ICO within 72 hours of any data breach that may have impacted on our Data Subjects’ data protection rights and will, where appropriate, also directly contact those individuals potentially impacted.
Memset’s Incident Response Procedure contains mandatory activities to assess the risk of a regulatory data breach, assemble an impacted customer/subject list and commence external communications activities within the first two phases of our process flow (Qualification and Containment). As such, these process triggers are baked into the first steps of our repeatable incident response activities.
Can Memset share the results from your most recent vulnerability scan?
The results of vulnerability scans contain detailed technical information and are incredibly sensitive. As such, we unfortunately cannot share these with external organisations.
When deleting data from the system, is it fully deleted or is it held such that it can be retrieved?
The exact details of data deletion depend on the hosting infrastructure in question. Please see this one-pager with regard to the deletion of customer data uploaded onto their hosting solution.
Memset maintains appropriate controls with regard to data deletion requests by Data Subjects. Memset will delete all PII related to that Data Subject not required for retention by regulatory demands within 30 days of an appropriate (i.e. identifiable) request. Data retained as per regulatory requirements will be retained for the relevant period, then deleted. For reference, the longest period for which PII pertaining to a Data Subject who has requested deletion will be retained is 7 years (financial records and the data deletion audit log, a record that a given Data Subject requested deletion and the date on which this was initiated).
How can Memset evidence GDPR compliance to their customers?
Memset will seek certification to an appropriate standard or GDPR-specific certification programme as one becomes available, as per Article 42 of the regulation.
In the interim, Memset has engaged with a third-party audit firm to conduct an independent review of our data protection stance with respect to GDPR, the report of which will be made available to customers and opportunities under NDA once completed.