GOSS and GDPR
Working within the GOSS Data Protection Policy, we are committed to ensuring that our business, policies, and practices are compliant with the existing Data Protection Act and its replacement, the General Data Protection Regulation (GDPR). We take personal data security seriously, as evident in our implementation of ISO27001.
Services and Practices
As a Data Processor for our clients, we ensure that:
- We only process information following instruction and approval from the Data Controller (this includes the transfer of personal data to a third party, a change of purpose, and the deletion or removal of client data)
- GOSS datacentres and disaster recovery physical sites are located within the UK
- Access to GOSS datacentres and client data is limited to those who have a legitimate need
- Data from hosted sites is backed up every night and stored in 4 weekly rotations (the retention period)
- The GOSS incident reporting process takes into account the requirement to contact the Data Controller, ICO (or other Supervisory Authority), and other relevant regulatory authorities in the event of a personal data breach
- We support our clients in dealing with Data Subject requests in relation to the personal data that we may have processed on their behalf
Moreover as part of the services we offer, we can assist our clients, as Data Controllers, in completing Data Protection Impact Assessments (DPIA). We recommend DPIAs are conducted at the start, and periodically throughout, all new projects and pieces of work. These assessments measure risk and help judge the impact a project may have in meeting any legal obligations and requirements. Contact your account manager or a member of the GOSS Consultancy team if this is a service you require.
The Digital Platform
When building your websites and digital services, the GOSS Digital Platform provides flexible and configurable tools that allow you to manage the rights of Data Subjects.
As Data Controllers, GOSS clients are responsible for the personal data that may be stored within the platform, including its retention and deletion, and the access individual users have to it.
We work with our clients to deliver GDPR compliant solutions on the platform, which fit internal client processes and are able to manage and meet the rights of Data Subjects.