Data Protection By Design And Default

Protecting personal data is extremely important to us. Here are details about the default security measures that we have in place.

The UK GDPR requires organisations to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is known as ‘data protection by design and by default’. Best Companies embraces this approach, which means that we consider data protection upfront and ensure that it’s integrated into everything we do.

Our Privacy Notice details how we process data and is available on our company website www.b.co.uk/privacy-notice.

Registration with the Information Commissioner’s Office (ICO)
The Data Protection Act 2018 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt.
Best Companies Limited is registered with the ICO
Registration Number: Z8349843

Governance

Best Companies has an in-house Data Protection Officer who is a certified GDPR Practitioner and certified DPO, and who reports directly to the highest management level.

Data protection is given top-level support, with data protection an item on the board agenda.

The security team, headed by the DPO, completes six-monthly organisation reviews. Where issues or improvements are identified, remediation is scheduled within a time-frame appropriate to the severity. Event-driven reviews are also carried out as the business requires. In addition, we conduct an annual audit to evaluate our compliance against the GDPR.

All employees are screened prior to employment and are contractually subject to confidentiality.

Compliance

All our data processors have appropriate agreements in place, containing the mandatory data processor clauses.

Compliance is demonstrated through our certifications, which include ISO 9001, ISO 27001, PCI DSS and FSQS Hellios.

Data Protection

Best Companies is committed to protecting the data we hold. We have a number of organisational and technical measures in place, including but not limited to:

  • Data protection is part of our culture, maintained through training at induction and throughout the year, along with an employee awareness programme.

  • Data is accessible only by authorised personnel: Best Companies employees, designated users on client accounts, and third parties, who may access information only in specific and limited circumstances, on a need-to-know basis and bound by confidentiality. Each client may access only the information pertaining to its own data on our hosted website(s); the same applies to individual responders visiting our website, for example to take part in a survey. We periodically review our data collection and processing processes.

  • Data Protection Impact Assessments (DPIAs) are conducted when there is a material change, or where data protection law requires one.

  • Best Companies servers are protected by firewalls establishing a barrier between our trusted, secure internal network and the Internet.

  • A WatchGuard firewall is installed and configured with the Total Security Suite, which includes Data Loss Prevention (DLP) and Threat Detection and Response (TDR).

  • We use HTTPS on all our websites so that data is encrypted in transit.

  • All company desktops and laptops running Windows are encrypted with Microsoft BitLocker; those running macOS are encrypted with FileVault.

  • Two-factor authentication is required for all employees accessing our systems externally through the VPN.

  • We monitor our security posture, and an independent specialist provider undertakes a vulnerability assessment and penetration test annually.

  • Cyber insurance is in place.

  • Due diligence is completed for all new suppliers. Only authorised personnel with admin credentials can install new software and there is an authorised software list for the organisation.

  • We operate an agile development methodology; our product teams work in three-week sprints. Only authorised personnel can make changes to software applications, and work is peer reviewed before going live.

  • On-access scanning and behaviour monitoring of user and network activity are in place through our Sophos AV console. IDS and IPS are enabled, with signatures covering attacks against operating systems, servers and client software, malware, and protocol anomalies.

  • Sophos Enterprise Console protection is enforced across the business. Critical updates are polled for and applied every 10 minutes, and critical event notifications are emailed to the IT department.

Physical Security Controls

The physical security controls at our sites, to prevent and/or detect unauthorised entry, include but are not limited to:

  • Electronic and manual code lock doors throughout buildings

  • Employee and contractor swipe cards grant or restrict access to areas depending on job requirements, and entry through each access point is logged.

  • Electrified perimeter fencing in place to the rear of the building.

  • Internal and external CCTV recording 24x7, with partial motion detection. Recordings are kept for 30 days.

  • Building alarms for outside of office hours

  • Visitor policy in place

Storage of data

Our client data is stored in the cloud, in a SQL database within Microsoft Azure. Data is logically isolated at the record level using a client id field. Backups are taken at the end of every working day, and a midday incremental backup is taken of critical network data. Backups are kept securely with Barracuda Networks; these are retained for three months and encrypted at rest in a UK data centre. We also keep backups of the Azure environment within Azure, where six-monthly backups and 30 days of daily backups are held at any one time. All backup data is encrypted in transit and at rest.
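Record-level isolation by a client id column only holds if every query path applies that filter; it is more robust when the database applies the predicate once per connection, which is what Azure SQL row-level security with SESSION_CONTEXT does. The following is an added example, not Best Companies' code, that emulates the pattern in SQLite so it runs offline: the table and column names, the sample rows and the temp-table stand-in for SESSION_CONTEXT are assumptions. It shows the scoped view returning only the bound tenant's rows, the unscoped query that would return every tenant's data, and a trigger that refuses cross-tenant inserts.

```python
"""Tenant isolation enforced in the database rather than in each query.

Added example, not Best Companies' code. It mirrors the arrangement the page
describes (one shared SQL table whose rows carry a client id column) and shows
why the filter is safer applied once, per connection, than repeated in every
query. Table and column names, the sample rows and the SQLite emulation of
Azure SQL's SESSION_CONTEXT / row-level security are all assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE survey_responses (
    response_id INTEGER PRIMARY KEY,
    client_id   INTEGER NOT NULL,
    question    TEXT    NOT NULL,
    score       INTEGER NOT NULL
);

-- Per-connection tenant context. TEMP objects are private to one connection,
-- so this plays the role of SESSION_CONTEXT(N'ClientId') in Azure SQL.
CREATE TEMP TABLE session_ctx (client_id INTEGER);

-- The application reads and writes only through this view; the tenant
-- predicate is applied here once, not in every application query.
CREATE TEMP VIEW scoped_responses AS
    SELECT r.* FROM survey_responses AS r
    WHERE r.client_id = (SELECT client_id FROM session_ctx);

-- Analogue of a row-level-security BLOCK predicate: refuse any insert whose
-- client_id is not the bound tenant (including when no tenant is bound).
CREATE TEMP TRIGGER scoped_insert INSTEAD OF INSERT ON scoped_responses
BEGIN
    SELECT RAISE(ABORT, 'client_id does not match the session tenant')
    WHERE NEW.client_id IS NOT (SELECT client_id FROM session_ctx);
    INSERT INTO survey_responses (client_id, question, score)
    VALUES (NEW.client_id, NEW.question, NEW.score);
END;
"""

# Constructed sample rows for two tenants; not real client data.
SAMPLE_ROWS = [(101, "Q1", 4), (101, "Q2", 5), (202, "Q1", 2)]


def open_db():
    """In-memory database with the schema above and the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO survey_responses (client_id, question, score) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def set_tenant(conn, client_id):
    """Bind this connection to one client, as sp_set_session_context would."""
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx (client_id) VALUES (?)", (client_id,))


def visible_scores(conn):
    """What the application sees through the scoped view, with no WHERE of its own."""
    rows = conn.execute("SELECT score FROM scoped_responses ORDER BY response_id")
    return [score for (score,) in rows]


def unscoped_scores(conn):
    """The weak pattern: a query on the base table that forgot its client filter
    returns every tenant's rows. This is what the view is there to prevent."""
    rows = conn.execute("SELECT score FROM survey_responses ORDER BY response_id")
    return [score for (score,) in rows]


def insert_scoped(conn, client_id, question, score):
    """Insert through the view; returns False when the trigger blocks a
    cross-tenant write."""
    try:
        conn.execute(
            "INSERT INTO scoped_responses (client_id, question, score) VALUES (?, ?, ?)",
            (client_id, question, score),
        )
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = open_db()
    set_tenant(db, 101)
    print("client 101 sees", visible_scores(db))
    set_tenant(db, 202)
    print("client 202 sees", visible_scores(db))
    print("cross-tenant insert accepted?", insert_scoped(db, 101, "Q3", 1))
```

With no tenant bound the view returns nothing and the trigger rejects every insert, so a connection that skipped the binding step fails closed rather than seeing all clients' records.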

Transferring data to and from Best Companies

At times it may be necessary for our clients or Best Companies to transfer large files, personal data, reports and other sensitive information securely. Sensitive and confidential documents can be sent using Zivver Limited, a secure communications platform, which delivers confidential information securely and encrypted.

Retention and removal of data from our systems

We retain personal data, as per our Terms of Service, for up to three years following the lapse of the subscription term. All personal identifiers, such as employee name and email address (any data that could identify a specific individual), are then deleted, which anonymises the remaining statistical data. This is in line with the Information Commissioner's Office (ICO) Anonymisation code of practice. The UK General Data Protection Regulation (GDPR) does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

Retaining the personal data for this period protects the client's investment in the data and allows for restructuring and year-on-year comparisons. Our privacy notice and documentation state that three years following the lapse of the subscription term is the maximum term. To ensure fairness and transparency to employees, we would not accept a request to retain data for longer.

A client can make a written request for the deletion of the personal information about their organisation which they have provided to us, at any point after delivery of the service. We retain the survey responses and demographics for our continued research; once the identifying data has been removed, the remaining statistical data is no longer deemed personal data within the meaning of the UK GDPR.

On receipt of a request, anonymisation will be completed within one month, unless a longer period has been agreed, such as three months following release of the survey reporting. We will confirm when this is completed. Please be aware that the anonymisation process takes place in our live production environment; the data will be retained for a further six months in our offsite cloud backup. Data retained in backups of the production server environment is held for business continuity purposes only: to recover the entire database from a single point in time (for example, after a cyber-attack). The backup is not designed to recover a small part, such as a single organisation's dataset. If the decision is reversed after the anonymisation process has taken place, we would be unable to recover the data. Once deleted, it is deleted beyond reasonable use.

The request will be added to our register of company anonymisation requests. In a disaster recovery event affecting the live production server, where the entire database is recovered from a point in time within that six-month period and the company's data is thereby restored, we would repeat the anonymisation process and notify the client when it was complete.
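Deleting names and email addresses is the first step of the anonymisation described above. The ICO code of practice frames anonymisation in terms of re-identification risk, so before residual data is treated as outside the UK GDPR a practitioner also checks that the retained demographics do not single out very small groups. The following is an added example, not Best Companies' code or process: the field names, the constructed responders and the threshold of three are assumptions. It strips direct identifiers, finds demographic combinations shared by fewer than k responders, and suppresses those responders' demographics while keeping their answers, so the statistical data survives.

```python
"""Anonymising survey data: delete direct identifiers, then check that the
retained demographics cannot single anyone out.

Added example, not Best Companies' code or process. Field names, the
responder sample and the threshold k are assumptions for illustration.
"""
from collections import Counter

# Fields that identify a responder on their own; deleted outright.
DIRECT_IDENTIFIERS = {"name", "email", "employee_id"}
# Fields that identify nobody alone but can in combination (quasi-identifiers).
QUASI_IDENTIFIERS = ("department", "age_band", "gender")
# Every retained demographic combination must be shared by at least K responders.
K = 3


def _row(n, dept, age_band, gender, q1):
    return {"name": f"Responder {n}", "email": f"r{n}@example.com",
            "employee_id": f"E{n:03d}", "department": dept,
            "age_band": age_band, "gender": gender, "q1": q1}


# Constructed sample responses; not real people.
SAMPLE_RESPONSES = [
    _row(1, "Sales", "30-39", "F", 4),
    _row(2, "Sales", "30-39", "F", 5),
    _row(3, "Sales", "30-39", "F", 3),
    _row(4, "Sales", "30-39", "F", 4),
    _row(5, "Engineering", "40-49", "M", 2),
    _row(6, "Engineering", "40-49", "M", 4),
    _row(7, "Engineering", "40-49", "M", 5),
    _row(8, "Finance", "50-59", "M", 1),  # the only such person: colleagues could recognise them
]


def strip_identifiers(responses):
    """Step 1: remove direct identifiers, keeping answers and demographics."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in responses]


def _cell(record):
    return tuple(record.get(q) for q in QUASI_IDENTIFIERS)


def small_cells(records, k=K):
    """Demographic combinations shared by fewer than k responders. Rows whose
    demographics are fully suppressed carry no information and are not a cell."""
    counts = Counter(_cell(r) for r in records)
    counts.pop((None,) * len(QUASI_IDENTIFIERS), None)
    return {cell for cell, n in counts.items() if n < k}


def suppress_small_cells(records, k=K):
    """Step 2: blank the demographics of anyone in a small cell, keeping their
    answers. Generalising (coarser age bands, merged departments) is the
    alternative when suppression would lose too much detail."""
    risky = small_cells(records, k)
    blanks = {q: None for q in QUASI_IDENTIFIERS}
    return [{**r, **blanks} if _cell(r) in risky else dict(r) for r in records]


def anonymise(responses, k=K):
    return suppress_small_cells(strip_identifiers(responses), k)


def is_anonymised(records, k=K):
    """Check a dataset before treating it as no longer personal data."""
    no_identifiers = all(DIRECT_IDENTIFIERS.isdisjoint(r) for r in records)
    return no_identifiers and not small_cells(records, k)


if __name__ == "__main__":
    stripped = strip_identifiers(SAMPLE_RESPONSES)
    print("risky cells after stripping identifiers:", small_cells(stripped))
    final = anonymise(SAMPLE_RESPONSES)
    print("anonymised:", is_anonymised(final), "records kept:", len(final))
```

In the sample, stripping identifiers alone leaves one responder who is the only person in their department and age band, which is exactly the case the check is for; after suppression every record is kept and the answer totals are unchanged.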

For a list of data processors please view the article: Who are Best Companies Data Processors, or your Sub-Processors?

For additional support please call us on 01978 856222, or click the 'Get in Touch' button at the top of this page.