1. Introduction

With the introduction of GDPR in May 2018 there will be additional requirements for Intuity (ICE Computer Services Ltd & Intuity Technologies Ltd formerly Cabrae Technologies renamed 9th May 2018) to demonstrate and declare compliance with regards to data processing.

Under specific circumstances Intuity may be deemed to be data processors of certain client’s data. It is very difficult to define which clients we may act for in this regard ,as a result we operate the same controls for all our clients as part of our Information Security Management System.

Article 28.1 of GDPR states that processing should only be carried out on behalf of a controller where the processor provides sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the regulation and the rights of the data subject. Intuity by being certified under ISO 27001:2013 and Cyber Essentials demonstrate under Article 25 that they have sufficient controls to satisfy this requirement.

We outline in this document the relevant GDPR Articles and highlight the different controls in place to mitigate any risks and demonstrate compliance. As the requirement under GDPR is that clients must be satisfied that the processor satisfies certain criteria we are also declaring that these controls are in place and are audited to this international standard which is also required in Article 43.

Based on our own privacy impact assessments we aim to streamline all our contracts into one single master framework contract with the different individual aspects included as appendices. This will be rolled out in the coming months and will be communicated individually with clients as part of your review meetings.

Article 28 Data Processing Agreement

Intuity agree to operate any data processing to ensure that the inclusion of the following controls.

28.1    Intuity operates ISO 27001:2013 controls, both technical and organisational to ensure the security of the processing. These are independently audited as well as internally audited.

28.2    Intuity operates a defined Supplier Relationship Process to ensure all suppliers are properly vetted in advance of beginning a business relationship with them. Any new suppliers will be introduced only where a customer has given specific or written authorisation.

28.3    Intuity (ICE Computer Services Ltd & Intuity Technologies Ltd) agree to adhere to the following considerations under Article 28.3…

  1. All processing of personal data will be done at the instruction of the customer and recorded in the ticket raised for that purpose. Only instructions from authorised personnel of the Data Controller (DC) will be deemed to be a valid instruction. The DC will provide Intuity with a list of authorised personnel.
  2. All staff at Intuity are subject to confidentiality clauses and/or NDA’s as part of their employment and any breaches of same are treated as gross misconduct. No data will be transferred to a 3rd country without the express permission of the Data Controller in advance unless it is required to do so by law. If this is required then the DC will be informed in advance of the reason it is required.
  3. As part of our documented procedures Intuity operate any processing as per Article 32 of GDPR.
  4. As part of our Supplier Relationship Process we will continue to audit all our suppliers to ensure any sub processing is controlled as per our procedures. Any failures of sub processors to follow our processes may result in removal of the service from them.
  5. Depending on the specific area of processing Intuity will assist the data controller in any requests to respond to data subjects insofar as is possible.
  6. Articles 32 – 36 – Assist Data Controller should the need arise.
  7. All processing of data from a client site will be carried out as per our ISO 27001:2013 procedures. Any data transfer will be logged and will follow a strict data retention process that is audited as part of our ISO certification. Where data is required to be transferred it will be anonymised in the first instance unless there is a specific reason to use live personal data. If for any reason a copy of live data is used, a record of the reason will be retained for audit and it will be deleted once the purpose it is transferred for is complete. This data can be deleted at any stage upon request by the Data Controller – Please note Intuity may not be able to carry out the original purpose this data was transferred for if it is deleted prior to the purpose being complete.
  8. Intuity, as part of their ISO 27001:2013 certification performs several internal and external audits annually, this demonstrates our continued compliance under Article 25. These audits as subject to scrutiny by Certification Europe an approved certification body pursuant to Article 43 of the regulation. The results of these audits demonstrate compliance and will be made available on request to data controllers.

28.4    As part of Intuity’s supplier relationship policy we require evidence of their Article 25 compliance where it involves the processing of personal data. Sub processors if they are required to process on our behalf or that of the Data Controller will have contracts in place for same.

28.5    Intuity are ISO 27001:2013 certified and Cyber Risk Essentials certified and these recognised benchmark qualifications demonstrate an approved code of conduct. We expect that following the 25th May 2018 these qualifications will become a recognised validation of GDPR compliance.

28.6    Existing contracts will remain in place until updated master contracts are produced which will replace them.

28.7    Intuity clients and suppliers already operate under a contract of service. These contracts will remain in place and updated to reflect Article 5 of Regulation(EU) No 182/2011.

28.8    In the absence of any standard contractual clauses Intuity will rely on its own clauses.

28.9    Your current contract will satisfy this aspect of the regulation, we intend updating our contracts to a master document before the end of the year.

28.10  Intuity do not expect to determine the purpose or means of processing and therefore don’t expect to have to become a data controller for client’s data.

We declare that the above details are a true reflection of our controls as data processors for our clients and suppliers. Signed on behalf of Intuity Companies

  • ICE Computer Services Ltd.
  • Intuity Technologies Ltd (formerly Cabrae Technologies Ltd, renamed 9th May 2018)
  • Infoscience Software Ltd

 

 

Thomas Cox Director (Company Secretary)