GraphAware may from time to time during client engagements be asked to legitimately process client data that includes data that can identify individuals ("personal data"). The General Data Protection Regulation (GDPR) governs the processing of personal data and applies to both electronic systems storing and holding personal data as well as manual filing systems where personal data is accessible.
GraphAware places the highest priority on protecting and managing data, especially that of its clients and employees, and has reviewed and updated its policies to ensure that the requirements of the GDPR are addressed, so that:
- data is protected as it comes into the company.
- data is held securely whilst in the company.
- access is controlled whilst it is stored in GraphAware systems.
- data is secured when it is sent to a third party (where required, see below).
- data is securely destroyed once it is no longer required.
Regarding the processing of client data that may contain personal data, GraphAware will in accordance with GDPR requirements:
- only process personal data based on documented instructions from the client.
- not engage a third party to help fulfil a specific engagement, without prior specific or general written authorisation.
- where a general authorisation has been given, inform the client of any relevant changes regarding the processing of personal data, including the addition or replacement of a third party.
- not transfer European personal data outside the European Economic Area.
Finally, GraphAware requires all its consultants and employees to use strong passwords that are changed periodically, and requires that all electronic systems and devices operated by GraphAware, its consultants and its employees are fully secured in line with industry best practice, including but not limited to:
- Encrypting hard drives on laptops
- Encrypting backups
- Automatic phone lock
- Automatic phone wipe after 10 failed PIN attempts
- Enabling two-factor authentication for email, GitHub, and all other web applications that support it
GraphAware does not have a dedicated Data Protection Officer; instead, the Head of Operations is responsible for day-to-day compliance with the GDPR and for the tasks described in Articles 38 and 39, with the support of our legal advisors.
Should you have any further questions regarding this GDPR statement, please contact firstname.lastname@example.org