Here at esphr we take our legal responsibilities and duty of care to you as a customer very seriously. For some considerable time, we have been working hard behind the scenes to ensure we fulfil our obligations as a ‘data processor’ of key customer data under the introduction of the Data Protection Act 2018 (and therefore the EU’s General Data Protection Regulation (GDPR)) on 25 May 2018. Additionally, we are placing as much emphasis on fully meeting our ‘data controller’ obligations relating to the handling of our own employees’ personal data.

In May 2017, we started work to identify what overall actions needed to be taken, and prioritised these into a detailed implementation plan. As you would expect, esphr already complied with existing Data Protection laws but we recognised the need to enhance some components to meet the requirements of the Data Protection Act 2018 (and, therefore, all GDPR and key customer requirements).

So, since that time, what work streams have been completed to ensure key compliance with the requirements of the Data Protection Act 2018?

1. Personal information data audit incorporating key customer data

We undertook a comprehensive data audit identifying all of the systems that store and process personal data. Copies of this audit available should you wish to see it. We have always had a comprehensive and detailed understanding of what data we store, and our existing Data Protection policies and procedures provided a robust platform from which to undertake our latest audit. This has allowed us to really focus on the new requirements of the Data Protection Act 2018 (and, therefore, all GDPR requirements and responsibilities).

2. Customer Service Agreements

Our Customer Service Agreement (CSA) has been being updated to incorporate all Data Protection Act 2018 (and, therefore, GDPR) requirements, and all existing customers have been sent updated terms and conditions complying with these new requirements (unless, of course, we have already agreed to your own GDPR wording), which clearly outlines both of our responsibilities in relation to the personal data we process for each other.

3. Supplier Agreements

All our existing Supplier Agreements have been updated to incorporate all Data Protection Act 2018 (and, therefore, GDPR) requirements and all suppliers have been requested to sign a specific addendum to the existing agreements, which clearly outline both of our responsibilities in relation to the personal data we both process for each other.

4. Employee Data

We have issued a firm wide employee information note that clearly communicates to all of our existing employees how we process their personal data. We will also ensure all existing employees have a detailed and clear understanding as to our responsibilities in relation to the personal data we hold and how we store, process and use this data (see ESP Staff Training and Development below).

5. ESP Staff Training and Development

We are running tailor-made Data Protection Act 2018/GDPR training courses to raise awareness among esphr’s staff about the impact of the legislation on our business and the specific role they undertake within esphr. Our staff, as part of their employment induction, read and accept our Data Protection Policy to ensure a consistent level of understanding of data privacy and protection across the business. We also operate a transparent, no-blame, culture where any member of staff can raise any concerns they may have, ensuring that esphr is always doing the right thing. Additionally, all employees will have to undertake compulsory Security Awareness Training online that focuses on, amongst other subjects, email scams and phishing.

6. Internal Policy and Procedures

Our existing policies and procedures (including a new, comprehensive Data Protection Policy) have been reviewed and updated by our external legal advisors. These policies are now enshrined into our Employee Handbook and elsewhere (where relevant). Where appropriate, these documents are available to view on the esphr website and will be provided to anyone upon request.

7. Data and online security enhancements

Hardware provider and data centres

We partner with DigitalOcean in the UK. They have some great customers – the likes of HP, Salesforce and Xerox, as well as thousands of medium sized and smaller businesses.

They have 12 data centres across the globe, customers in 195 countries and 78 million active server instances. Customers enjoy a 99.99% uptime SLA, and 40GbE – the best-in-class network connectivity for speed and throughput.

The esphr websites, applications and databases are hosted in their London data centre (http://www.equinix.co.uk) which is used by large online businesses like Box, Priceline, Foursquare and trivago. It is fully accredited to ISO 27001, the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether data is adequately protected.

The data centre is also Payment Card Industry Data Security Standards (PCI-DSS) compliant – although our specific application does not handle or store financial details.

Network, backup and email

Connection to our servers is solely via SSH (secure shell) using public and private keys to prevent unauthorised access, and data moving to and from the servers is fully encrypted.

Application email communication is securely handled by a trusted partner – SendGrid – an industry standard mail delivery and tracking platform used by the likes of Uber, Spotify and AirBnB.

Data and site content/files are securely backed up daily via SSH to the Amazon S3 storage service based in the EU region to comply with EU data protection laws. Even if our production hardware failed catastrophically, we could be up and running again within a few hours.

All front end web pages are secured with an SSL certificate (https://) to ensure data cannot be intercepted by a third party.

Application and data security

Our case management stand-alone application (where we store sensitive customer employee data) takes advantage of the following security features:

8. 24/7 server, application and database performance monitoring and Data Breach Response

We use a combination of applications and services to constantly monitor the overall performance of many system metrics that may alert us to technical issues, or suspicious activity. Should anything be operating outside predetermined ranges we are alerted within seconds via email and SMS - and can investigate immediately.

Core Server Hardware Monitoring is handled by our host (Digital Ocean) and tracks CPU, bandwidth I/O, disk read/write, memory utilisation, and disk utilisation.

Uptime Monitoring is conducted from over 70 locations worldwide on the pingdom.com network and allows root cause analysis to identify issues and help prevent recurrence of problems.

Page Speed Monitoring is again managed by pingdom.com and lets us forensically examine each page load, and visualise performance to identify bottlenecks and ensure our applications are as optimised as possible.

Visitor Insights (RUM - Real User Monitoring) lets us actively monitor user experience and analyse site performance in real-time. We can see visitor sessions broken down by OS, browser, platform and geography.

Finally, we also use pingdom.com’s Server Monitor service with a number of plugins to really get into the fine detail of the application’s performance. We monitor Apache load, MySQL connections and operations, network connections and error log tracking.

Pingdom is used by organisations like Shopify, Mailchimp, Buzzfeed, Salesforce and Netflix.

If we become aware of a data breach we would assess its severity and possible effects and follow the advice provided to us by our professional advisors and the guidelines outlined by ICO (the Information Commissioner’s Office). Depending on the circumstances of the breach this may cover:

9. Marketing communications

All marketing, communication and promotional activities have been reviewed to ensure full compliance with the new requirements. In particular, we are ensuring that all business data continues to be sourced from suppliers that sign key indemnities and warranties with us that they are fully complying with the requirements of the Data Protection Act 2018. As we work with leading HR industry publishers (E.G. HR Magazine) and have done so for some time, we are already well placed in this regard. We will also, of course, continue to allow all subscribers to our communications the option to unsubscribe from our communications and also alter the way in which we communicate with them.

10. Ongoing monitoring

Ongoing monitoring and enforcement is vital, and we already have a Data Protection Officer in place, despite the fact that we are not legally required to do so. This is part of our drive to ensure that we remain compliant with the letter, the spirit, and best practice in respect of the requirements of the Data Protection Act 2018 and all GDPR responsibilities.

11. Changes to our online employment law resources accessed by customers from our web portal

Our legal team have been working hard with our external compliance advisors to ensure that all of our employment law online resources have been updated and are available for review and download by all customers, well in advance of the 25th May. These resources were uploaded on to our web portal early February, as part of our monthly updating process. These will be reviewed and updated on a pro-active basis to ensure they are in line with the law and best practice as it changes over time.

A webinar was also undertaken on Tuesday 13th February to explain these changes in detail and the wider ramifications of the Data Protection Act 2018/GDPR from an employment law and HR perspective. A video of the webinar is available on the Customer Zone. Please do contact your normal legal advisors for more information if needed.

Summary

You will notice greater transparency about the way we fulfil our contract obligations as a processor through open publication of our Data Protection policies and new customer and supplier agreements. We will share our Data Protection policy on our website, which will govern the way in which we fulfil our responsibilities as a processor in March and April. Along with this communication, it will allow you to evaluate the measures we have taken to comply with all requirements of the Data Protection Act 2018 and GDPR requirements when processing personal data on your behalf when using our services.

Peter Byrne, CEO, assures customers: “Our dedicated project team have worked diligently to address our Data Protection and GDPR obligations in line with the new regulations and we will continue to ensure this responsibility is a core and key ongoing focus for our business and our customers. We hope that you can see from the above detailed activity report and update that we are have made significant progress along our own Data Protection/GDPR compliance journey. We hope you have too.

We are open to any questions or requests by customers, so please get in touch if you’d like more information.”

If you have a query about esphr’s GDPR compliance, please contact us on info@esphr.co.uk or call 0333 006 2929.