The General Data Protection Regulation (GDPR) came into force on the 25th May 2018 and is one of the most comprehensive pieces of privacy legislation globally. NTS Communications believes that privacy is a very important right for individuals and wishes to assure our customers that we are compliant across all areas of our business. At NTS Communications we understand the importance of having a robust, well-defined structure with supporting processes and principles to successfully manage and secure the technology we utilise and provide.
That’s why it forms part of our overall management strategy, under which we have implemented a governance framework that ensures accountability for our Information Security Policy.
Everybody who works for the company must acknowledge responsibility and understand the importance of maintaining the security of customer, employee and other confidential information.
We will continue to monitor and meet the requirements of legislation to provide assurance that our information protection is appropriate for our business and identify security solutions that are tailored for NTS Communications' business requirements to support customers and our employees.
Within this follow-up statement we wanted to highlight the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
NTS Communications has designated a Data Protection Officer (DPO), who is taking full responsibility for all matters relating to data protection and GDPR compliance. The DPO will ensure that we are accountable and transparent to the supervisory authorities, including the creation and maintenance of “Records of processing activities” as per Article 30 of the GDPR.
To adhere to the GDPR requirement that a data controller (our customer) must appoint the processor, NTS Communications, in the form of a binding written agreement, with the personal data processed only on documented instructions from the controller or the requirements of EU law or the national laws of Member States, we have reviewed all our agreements with our customers and sub-processors to ensure compliance.
This will ensure that relevant wordings are in place to cover aspects such as the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. It will also, where applicable, cover cross-border transfers and the use of any sub-processors.
Under the GDPR, we must notify any data breach to the controller (customer) without undue delay. NTS Communications therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller.
We would provide the controller with:
• A description of the nature of the breach
• Contact details of the responsible data protection officer or any other contact person
• Likely consequences of the breach
• Proposed and imposed measures that were taken to limit harmful effects
We would stress again that we have comprehensive technical and organisational security measures in place to mitigate against a data breach.
Under the GDPR there are significant enhancements to the rights that individuals enjoy with regard to their personal data. NTS Communications will continually work with customers for whom we hold or process personal data to determine how best to facilitate:
• Handling Data Subject Access Requests
• Rectification of personal data
• The application of retention periods and the secure erasure / destruction of personal data
• Responding to data portability requests, providing the data in a structured, commonly used and machine-readable form
NTS Communications continually seeks to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
We are progressing with a program of system and data security improvements to ensure we can continue to manage data securely.
Our comprehensive IT User and System Administrator policies have been updated to reflect the new GDPR regulations and re-issued to each employee to review and re-sign. Updates to our data retention and disposal policy have been applied to reflect the principles of Article 5 of the GDPR organisation.
NTS Communications' IT systems are hosted in secure, controlled Data Centres and access is further restricted to named individuals.
Our IT security team have a regular business continuity and disaster recovery testing plan to ensure we can recover our services in optimum time. The output of all testing is reviewed by the SMT group and our Recovery Point and Recovery Time objectives are at an optimum level.
All business-critical services are designed to operate across Data Centres to ensure resilience and a full Disaster Recovery Plan is in place which is aligned with the NTS Communications Business Continuity Plan.
System backups are typically performed on a daily (incremental) and weekly (full) basis. Full backups are stored in accordance with the Data Retention and Disposal Policy. Regular scheduled restores are performed to test the integrity of backups.
System capacity is monitored on an on-going basis and an annual capacity review built into the financial planning cycle ensures ongoing availability of appropriate computing resource.
All IT infrastructure components have nominated owners responsible for managing upgrades, obsolescence and replacement.
The security of information is analysed at six-weekly intervals and meetings are held in response to security events.
If you have any specific Data Subject Access Requests, please email the DSAR team at DSAR@NTS-Comms.Co.UK, who will log a ticket with a member of the DSAR team to review, process and fulfil your request.