GDPR

1. Introduction


This GDPR compliance statement provides information about the actions we take to ensure that we comply with the General Data Protection Regulation (GDPR). Specifically, it relates to how we handle, store and process the personal data of our customers and our customers' personnel.


2. What is the GDPR?


The GDPR regulates the collection, storage and use of personal data across the European Union (EU). It also covers some activities outside the EU.

As well as promoting the protection of personal data, the GDPR harmonises the standards of protection that apply in EU member states.

It came into force on 25 May 2018.


3. GDPR principles


The principles of the GDPR, embodied in the detailed regulations, are as follows.


  • Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


When we process your personal data, we comply with the letter of the GDPR and abide by the spirit of the principles.


4. How the GDPR affects us


The GDPR distinguishes between two different roles that organisations can take: "controllers" and "processors".


A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.


Confusingly, both controllers and processors may "process" personal data; the fact that an organisation processes personal data does not make it a processor. The critical question is: who determines the purposes (and, less importantly, means) of processing?


The legal obligations which apply to an organisation depend upon the role taken by the organisation.


We act as a processor with respect to most of the personal data included in the databases of your Site Editor websites. To the extent that we act as a processor of your personal data, we are subject to the GDPR-compliant data processing clauses in our terms and conditions of service.


We act as a controller with respect to all the other personal data that we process, including your personal data stored in our customer relationship management, marketing, support and accounting databases. See our privacy and cookies policy – which reflects the disclosure requirements of the GDPR – for specific information about how we use this personal data.


5. Actions taken to ensure GDPR compliance


We have undertaken a review of our personal data processing activities. As a result of the review, we improved the strategies and policies we use in relation to the processing of personal data.


Measures we take or have taken with respect to data protection include the following.


  • Updating the processes that we use to get consents and to maintain consents for marketing communications.
  • Improving the technical and organisational measures that we use to protect your personal data (see below for more information on this).
  • Ensuring that privacy is built into our services from the ground up (known as privacy by design).
  • Prohibiting the transfer of personal data to any place outside the European Economic Area, unless appropriate safeguards are in place or the transfer is otherwise permissible under the GDPR.
  • Limiting the data that we collect, deleting old personal data and ensuring that we do not store data any longer than necessary.
  • Auditing and reviewing existing sub-processors of personal data, to ensure that they comply with the GDPR.
  • Ensuring that contracts with sub-processors of personal data comply with the requirements of the GDPR.
  • Enabling the exercise of data subject rights, including the right of access to personal data and the right to be forgotten.


We will continue to review our strategies and policies to ensure continuing compliance as the law changes and data processing technologies progress.


6. Security measures


We are always working to improve the security of our systems, to ensure the confidentiality, availability and integrity of your personal data.


We use the following physical and organisational security measures:


  • Visitor logs
  • Asset management logs
  • Physical access controls, including lockable doors
  • Paperless offices
  • CCTV monitoring of access routes
  • Burglar and fire alarm systems, with 24/7 monitoring and response
  • Security guard patrols
  • Developer security training
  • Peer review of code changes


We use a wide range of technological security measures, including:


  • Secure access methods, including using VPN and SSH
  • Multi-factor authentication where appropriate
  • Minimum password standards, with expiration periods
  • Encryption in transit (using secure TLS protocols)
  • Encryption at rest
  • Firewalls / traffic screening
  • Strictly limited user rights
  • Regular vulnerability scans and penetration testing
  • Critical software patches applied on a priority basis
  • Separated development, testing and production environments


We and our payment services providers comply with the PCI-DSS standard.


7. Features to facilitate your compliance


The GDPR applies to many of our customers. In addition to ensuring that we comply with the GDPR, we have taken the following measures to help our customers to comply.


  • Providing GDPR-friendly legal documentation for you to use on your Site Editor websites.
  • Ensuring our contracts with you include the clauses that need to be there for the purposes of your own GDPR compliance.
  • Developing mechanisms to help individuals exercise their rights under the GDPR.


8. Contact


If you have any questions about our approach to GDPR compliance, please do get in touch.