Projects Point & GDPR: Frequently asked questions
Is my website compliant?
This is probably the wrong question. Are you, as an individual, business or organisation, compliant?
Projects Point is striving towards GDPR compliance, but cannot guarantee that your website or business complies.
A website hosted by us will be in part compliant when it passes personal information from a visitor on your site securely using SSL, but there is more. Data may be stored on the server in any number of ways, some of which you control (feedback and contact forms, comments if they are enabled, an SMTP tool you use to send email rather than the server itself, analytics data etc.), and some of which we oversee and control (the database, the three tiers of backups, email logs, system logs, website logs and so on). Our host is trustworthy and doesn’t have access to our virtual machines unless we grant it. We don’t hang on to data for longer than we think necessary, and we constantly review the third-party tools we make available that could leak data in ways that might breach privacy, covertly or through bad design.
We obviously don’t know about your information security practices: whether you use cloud-based file sharing services, use two-factor authentication, still use a USB stick, or still have a relationship with Facebook. Nor can we be sure about the practices of all the participants in your enterprise, including the supply chain, e.g. the domain provider, the yoof that run your Facebook, Twitter and Instagram, or perhaps that more mature person you really trust to draft your newsletters because you don’t have time to, or never bothered to learn how.
It probably isn’t practical to ditch cloud-based services, your social media accounts and newsletters, but it would be timely to review who has access to services and files. Have you left open the email accounts of disgruntled staff, or of staff who have long gone? Do you secure all your business accounts with strong passwords and two-factor authentication? What is your weakest link?
If you want a longer read about the implications and some of the myths, drafted by the UK’s Information Commissioner’s Office (ICO), you can read more here.
Where does Projects Point store data?
Hosting: Customer websites are all hosted in the UK, on virtual machines in Manchester and York. Backups are on separate physical archive-grade disks. We also keep a copy of our small network’s data on our Business Dropbox account, which is synced to our home office.
Email: We don’t provide email services directly. We have set up a small number of users with forwarders (unreliable though these are, and very difficult for us to trace missed communications) and G Suite, a Google product. With the latter, you are governed by the agreement with Google, which is broadly speaking GDPR compliant, as far as we can evaluate.
Office 365: If you use Office 365, then data is stored by Microsoft. We don’t offer this, but use the service ourselves. Please see this guide on the Microsoft website for more information.
Backups: See hosting above.
Business data: We run the whole show from our tiny home office/bedroom, which has a small network of computers. We don’t let anyone on these machines without tight supervision. No one can install new software. We don’t use social login techniques for anything (such as login with Facebook). We use two-factor authentication for email. We do use WhatsApp. That means that if you use it and we have exchanged calls, we are automatically connected; we’re not sure whether this is a good idea. We have never knowingly connected our contacts list to anyone, not to LinkedIn nor any other social network, though we know a great many people who have. Did you really share your personal and business contacts?
So where do you store your data? How secure is it? Did you know that if you shared a link with someone or sent them a customer list, it is your responsibility to see that they use the data within the terms of GDPR? You may need to verify that colleagues, partners, business associates and Mailchimp managers know about your policies, and that they may need to delete old files according to a protocol that you specify and can verify.
What are the legal bases you use to store customer data?
We store the minimum of data needed to manage and run a customer account. If customers are using one of our free products, the information we hold would include an email address, a unique username, an IP address and a location. If you paid us at some point we’ll keep records of that for tax. If you contact us by email, we’ll store that too. We log website usage in quite a lot of detail: for security, to improve things, and to provide support and troubleshoot problems.
We have established working practices that minimise the accidental loss, inadvertent sharing, quiet leakage or mass diffusion of customer data. We have trained ourselves to respect privacy, your rights, and information management issues generally.
Our full GDPR compliance information is work in progress, but is publicly available in draft on our website, for all to see.
Can I opt out of Projects Point marketing emails?
We don’t operate any such thing to promote Projects Point, because we don’t like receiving them as often as we do.
We do help manage some lists on behalf of other customers, and we’ll be advising all our clients to make sure they update their sign up procedures and forms as soon as practical, not just check that their lists are GDPR compliant.
Do I need to re-permission my newsletter customers?
It is hard to say. But at least one scenario is clear: if you didn’t obtain your list by consent, technically you shouldn’t use that list at all, end of story. You have no right to contact people who did not consent, before or after GDPR. Read this: https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts
Will I need an SSL certificate after GDPR?
All our websites have SSL, and have been secure for around two years.
We need to set up certificates the first time round, after which they should quietly auto-renew. Going forward there is a fee.
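Auto-renewal only helps if you notice when it stalls, so the practical check is how many days are left on the certificate a site actually serves. The script below is an added example for illustration, not Projects Point’s own tooling: it parses the notAfter date in the form Python’s ssl module returns it and classifies the certificate as ok, renew-soon or expired. The 30-day warning threshold is an assumption (a common renewal lead time), and the live fetch_not_after() helper is only used when the script is run directly against a hostname you supply.

```python
import socket
import ssl
import sys
import time
from typing import Optional

# Assumption: warn when fewer than 30 days remain, since a working
# auto-renew job would normally have replaced the certificate by then.
RENEW_WARN_DAYS = 30


def cert_time(not_after: str) -> float:
    """Convert an X.509 notBefore/notAfter string, as returned by
    ssl.SSLSocket.getpeercert() (e.g. 'May 21 12:00:00 2019 GMT'),
    to seconds since the Unix epoch (interpreted as UTC)."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days remaining before the certificate expires; negative if already expired.
    'now' is an epoch timestamp, defaulting to the current time."""
    current = time.time() if now is None else now
    return (cert_time(not_after) - current) / 86400.0


def classify(not_after: str, now: Optional[float] = None) -> str:
    """Map days remaining to a status string: 'expired', 'renew-soon' or 'ok'."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < RENEW_WARN_DAYS:
        return "renew-soon"
    return "ok"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection to host:port and return the leaf
    certificate's notAfter field. Verification failures raise ssl.SSLError,
    which is itself a finding worth reporting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python cert_check.py example.org [another.example ...]
    for hostname in sys.argv[1:]:
        try:
            not_after = fetch_not_after(hostname)
            print(f"{hostname}: {classify(not_after)} "
                  f"({days_until_expiry(not_after):.1f} days left, expires {not_after})")
        except (OSError, ssl.SSLError) as exc:
            print(f"{hostname}: check failed: {exc}")
```

Run it from a scheduled job against every hostname you host and treat anything other than "ok" as a ticket; a certificate that reports renew-soon month after month means the renewal hook is not firing.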
I need more help …
The ICO have a helpline, but we expect this might be busy this week and the next, indeed for the foreseeable future. The ICO has also produced this guide to help small businesses with GDPR compliance. You may also want to consider contacting a data protection specialist if you handle a large amount of personal data or just realised that we’re in the 21st century and have been asleep for 20 years, have nightmares that you might be a spammer …
Alternatively, contact me at firstname.lastname@example.org; you never know, we might be able to help.