GDPR Statement

Introduction

The European Union has taken steps to protect the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. From this date EU residents will have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. Pipe Ten is aware of its role in providing the right tools and processes to support its users and customers to meet their GDPR mandates.

Pipe Ten’s Commitment

Pipe Ten are registered with the ICO and have always honoured their customers’ right to data privacy and protection in accordance with the covered by the ICO. Pipe Ten have no necessity to collect and process their customers’ personal information beyond what is required for the functioning of their services.
Over the years, Pipe Ten have demonstrated their commitment to data privacy and protection by operating to PCI DSS industry standards and achieving Cyber Essentials certification, and are currently in the final process of achieving ISO 27001 certification. Pipe Ten have always had a strong privacy policy in place, which is being adjusted to incorporate GDPR obligations, and recognise that GDPR will help them move towards the highest standards of operations in protecting personal data.

How have Pipe Ten prepared for GDPR?

As a data controller we understand our obligation to our customers and their personal data. We have thoroughly analysed the GDPR requirements and are working through several initiatives to ensure that we hold only the minimum information required to provide the contracted services to our customers, that we allow customers to manage the data that is held, and that we can easily provide access to the data and removal wherever possible.
These include:

Identifying personal data

We are undertaking a systematic review of the personal data that is being stored, managed, retained, collected, processed and disposed of across our various systems. Assessment of this data will review information flow, any data transfers, risk, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.

Providing visibility and transparency

The most important aspect of GDPR is how the collected data is used. As a data controller we are committed to allowing customers to manage their personal data. Some of these details do filter through to Pipe Ten’s back-end systems, which are not publicly visible, for certain applications such as billing or support, but all this data can be retrieved or removed on request where appropriate.

Enhancing data integrity and security

We have always taken the privacy and security of our customers’ data seriously, operating to PCI DSS standard or better whilst constantly looking for ways to improve the levels of security. This proactive approach has allowed us to advise on and implement security measures for customers’ hosted solutions to cover their own data storage. Following the GDPR data assessment we also identified new technology platforms that have been implemented to further improve this data security, operation & compliance.

Portability and transferability of data

GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. With this new right in mind, we have been implementing new internal procedures and policies to improve the efficiency of the data exporting process.

Training and Awareness

Pipe Ten undertake internal training for all staff on GDPR and its impact on the policies, procedures, and responsibilities.

Supplier & Partner relationships

Pipe Ten have used all reasonable endeavours to ensure that their third parties and suppliers are complying with the GDPR.

What does this mean for Pipe Ten customers?

There will be no difference to the service that Pipe Ten customers receive. We have simply made sure that we are fully compliant with the GDPR by 25 May 2018 through improved access controls, procedures and policies for data subjects’ rights, regular data audits, restricting retained data and enhanced security of customer data. Pipe Ten’s senior Management Team and advisors will continue to monitor the GDPR programme up to the target date in May 2018 and beyond.

FAQ

Can we search our personal data on your systems?

Your personal data that you have provided to Pipe Ten can be found and updated in your online control panel.

Can we delete our personal data from your systems?

By updating or closing your account, your personal data will be removed from Pipe Ten’s systems. Any data that has filtered through to the backend systems can also be requested to be deleted where applicable.

Can we export our personal data from your systems?

On request Pipe Ten will be able to provide a full export of an individual’s personal data.

Do your standard contract terms include the new GDPR mandatory provisions?

The contract terms have been updated to include the new GDPR mandatory provisions.

Do you have a documented Breach Notification Process?

Yes, please raise a support ticket or notify noc@pipe.co.

Can you confirm our right to have perennial data deleted or returned upon termination of contract at no extra cost?

Any personal data that is not active or not legally required to be kept for longer periods will not be retained for more than 12 months and upon request can be deleted on termination of contract.

Can you confirm that you offer full transparency of data transfer to other parties/destinations?

A list of all third parties Pipe Ten may transfer customers’ data to is available in Pipe Ten’s Privacy Policy (PP). A list of all third parties that any individual’s personal data has been transferred to is available on request.

What is your geographical location?

Sheffield, UK.

What is the geographical location of your data systems?

South Yorkshire, UK.
Derbyshire, UK.
Greater Manchester, UK.

Should we consider Pipe Ten a data processor?

You can find our Data Processing Policy (DPP) which defines the scope in which we can access and process data which is further backed by our Data Destruction Policy (DDP), Hardware Destruction Policy (HDP), Privacy Policy (PP) and the ToS and SLA at pipeten.com/docs/.