Data Protection Policy

This policy will come into effect on May 25, 2018.

 

KEE IT provides technology and technology support services to businesses. Although we don’t have a commercial relationship directly with individuals, we do hold what could be considered “personally identifiable information” about the employees of our clients, and that data is within the scope of the GDPR. This article details the data we hold, who has access, the measures we take to protect it, and how we get rid of it when it’s no longer of use.

 

Who do we keep data on?

For clients on our ongoing support plans we hold data about each named employee on the account, in addition to any other people involved in the provision of the service (for example, a supplier contact who works for another organisation and is not covered under the support plan).

For all the other services we provide we only hold data for the people involved in the service provision.

We also hold data on people who’ve contacted our sales team with an interest in our services.

The people we hold data on are the “Data Subjects”, using the terminology of the GDPR. In our relationship with our clients we act as “Data Processors” and the client is the “Data Controller”.

 

What data we hold and why

At a minimum, we hold the following data about a person (we call this “Default Information”):

  • Full name
  • Company email address
  • Company

This data is necessary to effectively provide our service: we can’t provide support to a person if we don’t know their name, can’t get in touch with them, or don’t know which company they’re from.

In addition, we may store the following data, if a person or their company chooses to share it with us (we label this “Additional Information”):

  • Job title and department: helps us provide our service effectively, for example, being able to find all the users in a department, and contact them about a global update or service outage
  • Gender: aids in addressing contact accurately and respectfully when the person’s gender isn’t clear from their name
  • Personal phone number: may be provided to us in cases where a person does not have a company issued phone, or if they do not have access to it (for example, when travelling)
  • Personal email address: may be provided in cases where a company email address is not working.
  • Personal physical address: may be provided in the event a visit to their home is necessary (for example, in troubleshooting a home office setup).

At any time, a particular person can log on to our Portal and view all the data we hold about them, and permanently remove any Additional Data they don’t feel comfortable with us holding.

 

Lawful Basis For Processing

Using terminology from the GDPR, we use “Legitimate Interests” as our lawful basis for processing the information we store.

 

Data Categories

We group the people about whom we hold data by their company, and by their job function (if provided). As detailed above, for each person we mark data “Default” (name and email) and “Additional” and handle each differently.

 

Who Has Access

By default, our Accounts, Technical Support and Senior Management teams have access to the information about all people across clients.

Individual members of our support, sales and operational teams (which may include contractors) have access granted to each client (and by extension all their employees) when they are engaged in supporting the client, or when they start a project on their behalf.

Our New Business and marketing teams have access to “New Business” or “Prospect” Contacts.

 

Data deletion

In the event a client cancels all services with us, we offer to provide a copy of the data we hold to them, in an electronic format (typically as a txt file). This data is provided using a secure link, and upon confirmation that the data has been received, it may be deleted permanently from our systems. In doing so all centrally held personal data is removed.

In the event a person leaves a client, the person may request any “Additional Information” we hold on that person to be permanently deleted.

We retain the “Basic Information” we hold on a previous employee for up to 7 years after their last day, since having records of previous employees can be necessary in continuing to provide our service effectively. Some examples include:

  • A request by a current employee to “Forward X’s emails to me”. To do this we must know X’s email address (and confirm that X is indeed a previous employee). (Obviously, whether or not we would fulfil this request would be down to the company’s IT policy, and is outside the scope of this document.)
  • Updating a company IT policy that references “X” as a contact - it helps to know X’s job title and department in order to find the person who has taken over X’s role.
  • When wiping an old computer for disposal, we may find a user profile for X. Knowing he is a previous employee and what department he was in can help in determining what should be done with that data.

In both of these cases, despite our best efforts to remove everything, the nature of certain systems makes it unfeasible or impossible to remove every trace of personal data. As such there may be personal data that remains on our systems which may include:

  • Email/support ticket correspondence between a person and our support team will show a person’s name and company email. We do not send personal data over email; however, people may include personal information when contacting us (for example, including their personal phone number in an email signature).
  • Historic invoices and billing statements may display the name of the person they were sent to. These are immutable and must be retained for tax purposes.
  • Internal chat logs may reference a person’s name. There is no way to redact names from these logs.
  • Copies of deleted data may exist on backups. Backups are maintained of our entire system: encrypted and stored as single files. Removing one person’s data is not possible.

 

Right To Access

The data we hold as “Data Processors” is made available to each person via our Portal, so that a live copy of their data can be accessed (and revoked) at any time. This data is also made available to nominated people at the client, allowing them to fulfil data access requests for their current and past employees. We do not fulfil access requests from previous employees of clients (or previous clients) directly, since we have no means of verifying whether X is indeed X from Y Company. Regardless, we make the address data@keeservices.net available for anyone to ask questions about their data, and have processes in place to handle each type of request.

 

Data Security

We take a number of steps to ensure personal data is kept secure.

  • All systems we use utilise data encryption at rest and in transit.
  • All endpoints used by our team are encrypted, require complex passwords, auto lock, and have firewall and other malware protection enabled.
  • All critical business systems are protected by a complex password; some have two-factor authentication enabled.
  • Our CRM & HelpDesk System utilise strict access controls to ensure all users are only able to access the data they’re authorised to access.

Breach Notification

Our incident management procedure includes notifying any technical and/or operational contacts at our clients of a breach, and its potential impact, within 72 hours of the breach.