West Quay Ltd - GDPR Statement
West Quay Limited is strongly committed to maintaining the privacy of all individuals whose personal data it holds and processes and managing all such data in accordance with United Kingdom legislation. Within this statement, West Quay Limited sets out some of the steps it is taking in order to comply with the new legal requirements for the processing of personal data.
West Quay Limited has undertaken a review of all its activities and implemented the requirements of the General Data Protection Regulation (GDPR) to ensure compliance in all areas of our business. This review has included the preparation of a detailed information audit; establishing the extent to which any personal data needs to be processed by West Quay Limited on behalf of our clients; identifying the lawful basis upon which we process; understanding the role of any supporting third-party sub-contractors who receive personal data from us and their own compliance position; establishing the periods during which any personal data is retained; conducting a review of our security arrangements.
West Quay Limited remains committed to the principle that any personal data collected in connection with its own business will not be shared with any other party for the purposes of marketing and will only be shared with a third party when an individual specifically agrees or where it is necessary for the purposes of providing the services requested by our client. Where West Quay Limited processes personal data for a client, it will only use the data for the purposes of providing the services as directed by the client and for no other reason. West Quay Limited only processes personal data at its Head Office within the United Kingdom and when that data is input, or imported, to our own database solution and processing is required. It is the case however that data we capture in our role as a ‘response handler’ is sometimes processed outside of West Quay, when third-party database solutions, processors and suppliers are used by our clients.
Where West Quay Limited processes personal data for its clients, the management of this data can be the responsibility of both West Quay Limited and the client. In the case of our applications, the client can determine the extent of any personal data which West Quay Limited captures and processes. Where third-party applications are used and where data is sent to us for processing, the client can amend and delete the types of data as appropriate and supply only the data which allows us to provide the services for which we are contracted. In the case of any online data services West Quay Limited may provide, the client is able to decide who has access to the services and protect access using security controls.
West Quay Limited is committed to ensuring that it has in place the appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
West Quay Limited is certified as a PCI DSS processor for the handling of payment card data and applies the same levels of security to any personal data it holds or processes. As part of its internal arrangements, West Quay Limited restricts access to only those employees who need to be able to review personal data, vets all employees who have access to personal data and ensures that all such employees have undertaken to keep any personal data confidential.
West Quay Limited only uses industry certified data centres and cloud service providers who deliver high levels of security, availability and monitoring 24 x 7 x 365 for processing activities including availability and intrusion. All services benefit from quick failover points and regular backing up of data. Regular internal and external scans are performed together with penetration tests annually or after any major infrastructure changes.
Personal and cardholder data is encrypted in flight using Transport Layer Security (TLS) encryption (also known as HTTPS) and at rest using AES-256. West Quay Limited has in place documented processes to ensure that all confidential information, including personal data, is securely destroyed when no longer required. In the case of personal data utilised in the processing of order and card transactions, this will be held for no longer than 12 months.
In the event of a security breach, West Quay Limited has processes in place for identifying and reviewing any suspected data breach. If a breach involves the destruction, loss, alteration, unauthorised disclosure or access of any personal data processed for a client, West Quay Limited will advise the customer as soon as is possible with full details and the steps being taken to limit the effects of the breach. West Quay Limited will provide full co-operation to the customer in any investigation or that of a regulator.
Data Subject Rights
West Quay Limited is committed to adhering to the new extended data subject rights for personal data it holds as part of its own business and in providing contracted services to our clients, for whom it processes and stores personal data. This includes being advised of the data held, rectifying errors in the data, destruction and, where relevant, the right to restrict any processing. West Quay Limited does not utilise automated decision making or profiling when processing personal data.
In order to comply with the new law, West Quay Limited recognises the need, as a data processor, to have contracts in place with its clients and is currently reviewing all existing arrangements. These contracts will need to adequately cover such details as the length of the arrangement, the reason for data processing, the types of data being processed, consent to the use of any sub-contractors by West Quay Limited and the rights and obligations of those clients who provide West Quay Limited with personal data for processing.
West Quay Limited has started training all staff on the effects of GDPR and is implementing procedures to ensure all new staff receive adequate training on joining West Quay Limited with periodic monitoring and refresher courses. West Quay Limited is reviewing and updating as necessary all its staff policies to comply with the changes being introduced by GDPR.
West Quay Limited GDPR Statement - May 2018