At Reward Cloud we take data security incredibly seriously; it is part of our core principles. This is no tick-box exercise for us, and we are constantly reviewing what we do to ensure we follow industry best practices and provide a high level of security on our platform.
As you will no doubt have gathered from the numerous social media posts and email consent requests, GDPR (General Data Protection Regulation) comes into effect this month, on 25th May 2018.
What is it?
Rather than attempt to summarise GDPR and no doubt repeat what most of you are already aware of, I suggest you get it from the horse’s mouth: the ICO (Information Commissioner’s Office). The ICO is responsible for enforcing GDPR in the UK and its guidance is actually very clear.
For the multi-taskers, or those to whom reading a GDPR document doesn’t appeal, they also have a really good podcast series. I would recommend giving their myth-busting episode a listen.
Suffice it to say, GDPR should be taken seriously and, in general, should be considered a good thing. It is not there to hamper business but to protect our data and ensure companies take data security seriously.
How we comply
Minimising what we store
In all areas of the system we aim to minimise the information we receive, process and store to just what is required to meet the business requirements, and to retain it for only as long as is needed.
Where a client isn’t making use of our digital gift card delivery services, we do not capture any personal information in the first place. Where they are using them, we limit the information captured to what the delivery requires.
We also limit access to personal data to just those people who require it for a legitimate business reason, and we prevent wholesale extraction of data.
Security & privacy by design
From the ground up, Reward Cloud aims to foster a culture of security and privacy - we are processing millions of pounds worth of gift card transactions per month, after all!
Training - our developers and technical staff receive regular training to ensure they are up to date with secure coding practices and understand how to build secure web applications.
Encryption - all sensitive data is encrypted using modern, unbroken encryption algorithms with securely managed encryption keys.
Penetration testing - we regularly perform our own internal security scans and penetration tests, along with regular third-party penetration tests by CREST-approved security specialists.
Patching - as the recent data breach at Equifax showed, keeping servers and software patched and up to date is critical to ensure attackers cannot exploit known security issues, so we patch promptly.
Continual monitoring - we use a number of automated tools and services to monitor different aspects of our service, internally and externally, so that if a problem ever does arise we know about it as soon as possible.
Back-ups - of course we take continual back-ups and ensure these are held securely and encrypted, and that access to them is audited.
Least privilege access control - ensuring users are only given access to the data and functionality they require to perform their role.
Third-party service providers
Like many businesses, we make use of third-party service providers. Where we do, such as for our cloud-based hosting and email services, we have carefully selected providers based on their pedigree and track record.
Wherever possible we use EU-hosted services, and with all providers we have signed Data Processing Agreements to ensure responsibilities are clearly defined.
Policies and Processes
We continually review our policies and processes to ensure they are up to date, accurately reflect how we use personal data, and set out how to handle different scenarios. These include, but are not limited to:
Data Protection Impact Assessments
Data Subject Access Request process
Incident management plan
Data breach notifications
If you have any questions on how we deal with data security and/or GDPR, please don’t hesitate to get in touch via email - firstname.lastname@example.org