GDPR

General Data Protection Regulation

The existing Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR) on the 25th May 2018. This makes radical changes to many existing data protection rules and regulations that many organisations currently adhere to, in order to strengthen and unite the safety and security of all data held within an organisation. The GDPR places extra responsibilities on people and organisations to ensure information is managed in the right way, in compliance with the regulation change.

Computer Talk collects a limited amount of personally identifiable information (PII), and only that which we have identified as necessary to provide the services to our customers. We acknowledge our responsibilities with regards to your Personal Data and the GDPR. We would like to share with you the steps we have taken to demonstrate our compliance.

FAQs

What information of ours will you process?

We may process personal data including, but not limited to, your name, organisation, position, address, telephone number, and email address. The exact type and nature of information we process is determined by the services we provide.

What is your basis for processing our information?

We will use your personal information in the following circumstances:

where we need to perform the contract we have entered into with you;
where we need to comply with a legal obligation;
where it is necessary for our legitimate interests and your fundamental rights do not override those interests.

How will you use the data we share with you?

As a Data Processor, Computer Talk Ltd acknowledges that we must only use data that is shared with us as per the documented instructions of the Data Controller. These instructions operate as binding obligations that cover the duration, nature and purpose of the data processing, the types of data processed and the obligations and rights of the Controller. We will use this data that is shared with us in order to perform contracted work, informing the Data Controller if we believe their instruction may breach the GDPR or any other law.

Computer Talk Ltd has updated its Terms and Conditions of Service and General Terms and Conditions to reflect the changes in Data Protection and GDPR compliance. These are available on the website.

Where is our data stored or processed?

Any information that is stored internally at Computer Talk Ltd will be stored electronically on our secured servers, in the Cloud (on GDPR-compliant Cloud services). For the most part, we aim to be paperless, but where you send us paper copies of purchase orders or contracts, for example, that may contain personal data, we treat these as sensitive and secure them away in a locked cabinet with restricted key access.

You can find out more details about the security of the platforms on which we store your information on this page.

What security measures do you have in place for processing our data?

Computer Talk Ltd sets high security measures for the data held on its system. We use a mixture of: encryption; Enterprise Antivirus and Malware; complex password protection requirements; locked filing cabinets; double locked rooms; restricted access; and secure cloud services. Where we store data off premises (for example, in the Cloud), we have carried out suitable checks on the GDPR compliance and security measures of these services.

What are your data retention periods?

Computer Talk Ltd will only hold your data for as long as is necessary to complete the works set out in our contract with you (or to fulfil the purposes we collected it for). This may include the purposes of satisfying any legal, accounting, or reporting requirements. There may also be legal reasons why we need to keep this data for longer than the period of the work (for example to cover warranty periods).

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

More detail regarding data retention can be found on the privacy notice, privacy statement, and data protection policy. You may ask us for these documents at any time by emailing gdpr@computertalk.co.uk.

What are you doing to demonstrate compliance?

Computer Talk Ltd has assessed its requirement in order to comply with the General Data Protection Regulation. We are committed to improving, documenting and monitoring our processes and procedures to ensure we follow GDPR compliant methods. We believe that treating personal data and sensitive data as securely as possible, and recognizing the rights that individuals have with regards to their data, is in the best interest of the Company, its employees, its customers and vendors.

Employees at Computer Talk have been trained on the importance of GDPR, and on ensuring that their methods and practices follow our policies and procedures.

We may sometimes question a request you give us, or request that you don't send certain information to us, if we think it may not be GDPR compliant.

We regularly assess and update our terms and conditions, policies and procedures to keep as secure as possible (within the remit of the sensitivity of your data). 

What is your breach notification policy/procedure?

Computer Talk Ltd has a clearly defined internal process for all employees, who are trained to follow this process should they suspect a breach has occurred. This process is straightforward and highlights the urgency of following the process. A dedicated email account has been created to monitor such breaches, which gives priority to and alerts members of staff responsible for GDPR so that actions can be taken without undue delay to notify the Data Controller.

We will notify you (and the ICO) of any breach that is likely to result in a high risk to your rights and freedoms without undue delay.

What security measures do you have in place when accessing data on our network?

Each Computer Talk technician has their own identity and password to gain access to our internal systems, and a different unique identity to gain access to Data Controller’s sites. Using individual identities enables us to track logons to both our own and customer systems. These accounts can be disabled quickly and easily to render all access denied.

Where employees of Computer Talk have access to data on the Data Controller’s systems (for example technicians who require access to perform their support tasks in line with our contract with the Data Controller), we have rigorous security measures and checks in place to ensure the safety of such data.

To gain access to the password required for a customer site, technicians have to log in to a secure password managed system which controls access to customer logons for specific products. This access is monitored and logged in order to provide a footprint of employee activity.

How do you onboard new employees? What vetting procedures do you have in place?

All employees of Computer Talk Ltd are subject to an Enhanced DBS check prior to their appointment and have confidentiality and NDA clauses within the employment contract. All employees must understand and sign this contract upon appointment. Our employee pre-employment checklist includes the following:

  • Enhanced Disclosure and Barring System (DBS) formerly CRB (Criminal Records Bureau) Reference Check
  • Employment Verification on work history
  • Reference checks
  • Right to Work Verification – Asylum & Immigration paperwork checklist
  • Education Verification – authenticate education history
  • Credential Verification – IT qualification checks
  • DVLA Report – suitability and reliability of candidates driving company vehicles

How do you monitor employees' activity to ensure they're following processes?

Computer Talk uses internal monitoring systems to record some activities on company devices both in and out of the office. Whilst this system provides duty of care services for the business it also monitors the use of applications and browser activity.

To gain access to the password required for a customer site, technicians have to log in to a secure password managed system which controls access to customer logons for specific products. This access is monitored and logged in order to provide a footprint of employee activity.

Who is your DPO?

We have reviewed the requirement and determined that it is not applicable to our organisation. However, we have chosen to appoint a member of staff who can advise and assist Computer Talk Ltd in GDPR compliance. This member of staff is Emily Jamieson. We also seek advice from our external HR company to provide additional guidance.

You can always contact Computer Talk regarding GDPR or Subject Access Requests by emailing gdpr@computertalk.co.uk.

Overall responsibility for Data Protection lies with the Directors of the Company (Andrew Winterford and Liam O’Mahony).

What if you use sub-contractors?

Computer Talk Ltd will seek prior written consent from the Data Controller before appointing any sub-contractors or sub-processors, giving the Data Controller enough time to object. Should the Data Controller object to this arrangement, or request further information, we will request the sub-processing of the information immediately.

Any contract Computer Talk Ltd has in place with the Data Controller will be reflected in any sub-contracting arrangement. We understand that Computer Talk remains liable to the Controller for the actions or inactions of any sub-processor.

How do you dispose of IT hardware?

Computer Talk Ltd does not dispose of IT hardware containing personal data. Where requests are made, we recommend a third-party partner who provides the following services:

  • Free collections using GPS-tracked vehicles fitted with 4 cameras and load weighting
  • Fully accredited facility with certifications including ISO 27001: Information Security Management, ADISA Distinction with Honours, DIPCOG and Cyber Essentials.
  • Secure data destruction using industry-leading data wiping software Blancco

Where the nature of the work involves hardware disposal (that does not contain personal data), the Customer will be required to list all equipment to be collected prior to the collection date.  Upon collection Computer Talk will provide the Customer with a Waste Transfer Note detailing our Waste Carrier License No. and Storage Exemption Notice.  This must be signed by the Customer before the equipment can be removed from site.

Do you provide certification of completed works?

At the end of works completed by Computer Talk, the Customer will receive an email confirmation of the completed work, and/or a sign off and an acceptance sheet (depending on the work carried out).

How do you keep any devices safe that you remove from our site?

Where devices are removed from a Customer site, they are stored and repaired within a secured environment with limited access and protected by a door entry system. This room and the office building are monitored by CCTV and the Offices are locked by way of secure locks and shutters. The Offices are protected by an alarm and monitoring system 24/7 365 when unattended.

Computer Talk also operates a Clear Workspace Policy to encompass office, home, and site working with paper documents shredded when no longer required or locked away in a secure drawer.

What about data transfers to third countries?

It is very unlikely that Computer Talk Ltd will transfer any data to a third country.

Computer Talk Ltd will only transfer data to third countries and companies that have similar data safeguarding measures in place. Unless required to do so by law, we will always seek to gain documented consent from the Data Controller before passing on any data.

If you wish to request further information from us, have any questions or queries regarding our commitment to GDPR compliance, or you require further documentation, please email gdpr@computertalk.co.uk or call 020 8595 7744. 

You may make a Subject Access Request at any time by emailing gdpr@computertalk.co.uk.