General Data Protection Regulation (GDPR) Statement

24 April 2018

Introduction

The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018 (“the Effective Date”).  GDPR impacts every person, business and organisation that holds or processes personal data.

DPL takes very seriously its responsibilities under GDPR, including in the provision of its Arken and Online Will services where it acts alternatively as Data Controller (handling users’ personal information) and Data Processor (processing users’ clients’ personal information).  DPL is also fully aware of the role it can play in assisting its users to comply with GDPR responsibilities in relation to their clients’ personal data.

Commitment

DPL is committed to the principles of and has observed the Data Protection Act 1998.  DPL collects required personal information from its users solely to enable it to manage users’ registrations and subscriptions to its products and will only process such information strictly for those purposes.

DPL already has strong data processing agreements and processes in place and is conducting a consolidating review in line with GDPR requirements.

DPL is committed to maintaining the highest operational standards in protecting personal data.

DPL’s preparations for GDPR

DPL is preparing itself to be GDPR compliant across its relevant applications and services on or before the Effective Date. DPL has reviewed its business operations in light of GDPR requirements and has tasked its GDPR Committee to meet such requirements.  Initiatives include:

  • Identifying personal data held by DPL as Data Controllers
  • Identifying personal data held by DPL as Data Processors
  • Providing users with the means to effectively manage and protect their clients’ data which users hold as Data Controllers
  • Continuing to invest in security infrastructure
  • Reviewing relevant contractual service and supplier terms
  • Updating the DPL Terms and Conditions to set out clearly the respective responsibilities of DPL and its users

Security Information

Protecting users’ information and users’ clients’ personal data is crucial to DPL.  As a cloud-based service provider, DPL sets high security standards in accordance with good industry practice.

All data held by DPL as Data Processor is held within the UK. 

All data held by DPL as Data Controller is held and used in accordance with the DPL Privacy and Cookie Policies which can be accessed via the relevant service websites.

Overview

DPL’s hosting provider is ISO 27001 certified, ISO 9001 certified, PCI DSS compliant, and has the government-endorsed Cyber Essentials controls implemented.
All data is physically located on a server in a dedicated, locked cage at the data centre.

DPL’s data centre partners provide power, network and backup services. 

DPL is responsible for monitoring and managing the servers and providing support to Arken subscribers.

Data Storage

The DPL Cloud platform has been designed and optimized specifically to host the Arken service and has multiple levels of redundancy built in.
Arken is the only service running on this server solution.  The applications themselves run on a front-end hardware node that is separate to that on which the data is stored.  Hardware failure of the node is recovered automatically.

Application data is stored on active/passive SQL Failover Clusters.  If the primary storage server develops a problem or becomes unavailable, the applications are switched over automatically to a secondary storage server.

Facilities

The server locations are PCI and ISO accredited with 24/7/365 on-site security, access protocol and 2.8m razor wire prison fencing.  The locations are not located on flight paths or floodplains and have waterless fire suppression.

The data centres have dual independent power feeds coming in, from two different power grids, plus their own UPS and generators.  These are tested regularly.  The data centres can be sustained on diesel if required.

Cisco Firewalls with redundancy are used to protect the DPL servers, which have also been penetration tested.  McAfee Anti-Virus software is installed on the servers to provide further protection.

Communication between the internet and the servers is secured using SSL, with SHA-2 certificates.

Access control to systems

Access to the data centres is strictly limited to authorised personnel only.
DPL maintains administration accounts on the service only for purposes of application health monitoring and performing system or application maintenance, or upon customer request via our support system.

Within DPL, only authorised DPL personnel have access to application data.  Authorisation is strictly limited to essential personnel only. Authentication is securely granted only from the DPL headquarters using a domain whitelist, only from DPL equipment, and with two layers of password authentication.

Client data is segregated from other areas of the system including the administration functionality and is only accessed with the express written consent of the client.
Arken is designed to allow data to be accessible only with appropriate credentials.  For example, a user cannot access another user's data without explicit knowledge of that user’s login information. Users are responsible for maintaining the security of their own login information.

Backups

Full data backups occur daily and are retained for 28 days.  SQL databases are mirrored across servers with incremental backups taken every 2 hours.

Data Management

In good time before the Effective Date, DPL will provide tools to assist users in complying with their obligations to action requests from their clients to delete personal information from Arken.