Data Protection Compliance Statement
Comms-care has always taken data protection seriously and has long-standing measures to address its proper use. Additionally, the company recognises its legal duty to protect personal data and has in place a compliance framework supported by its ISO27001 certification and its Information Security Management System (ISMS). The ISMS meets the requirement of the Data Protection Act 2018, which subsumes GDPR requirements.
Comms-care has implemented physical security controls to restrict access to the Comms-care site in general, as well as to infrastructure and other secure offices. Logical security is an area of high focus: all portable devices and media are mandated to be encrypted with AES encryption. Comms-care follows a policy of least privilege, with all staff using individual accounts which provide the access required based on job role. Additionally, all staff receive mandatory training covering security awareness and data protection principles. Data which is transmitted outside of Comms-care controlled networks is encrypted with AES encryption to ensure security. This includes emails where the peer mail server has been configured to support encryption. Destruction of media which stored personal data is carefully controlled and audited to ensure that the information is beyond economic recovery.
Comms-care understands that it is the Data Controller for information it collects directly, e.g. for its own employees’ information and that of potential customers who make direct contact with us through marketing channels. It is otherwise the Data Processor for data supplied to us, e.g. by customers and suppliers.
A Data Protection Lead is in post reporting to the Managing Director and a Data Protection Officer at parent company Ingram Micro provides additional guidance and framework policies.
Comms-care policies and procedures, including a Data Protection Policy, are in place to govern the access to and processing of personal data, its retention and destruction and the other requirements of GDPR. Also, supplier management controls include a standalone Data Processing Agreement, which is used where supplementary terms are required to support any existing contract or agreement. This is available on request.
Privacy Notices advise on our use of personal data and consent is sought where this is required. The Company’s main Privacy Notice is available on our website at: http://www.comms-care.com/privacy. This includes contact details for data privacy related enquiries.