1. What is GDPR and how does it apply to IT Glue?
The GDPR (General Data Protection Regulation) comes into force on 25 May 2018, and represents a significant overhaul of data protection law in the EU. It strengthens the rights of data subjects in relation to the uses that governments, businesses and other organisations can make of their personal data, and imposes new legal obligations on those organisations about how they hold and process personal data relating to their staff, customers, suppliers and other stakeholders. This FAQ list provides more detail about the concept of personal data, the kinds of personal data that we hold, and what we have been doing as a company to prepare for GDPR.
2. What steps have we taken within IT Glue to prepare for GDPR?
- Undertaking an internal data-mapping exercise, in order to ascertain exactly what kinds of personal data we hold, the sources from which it is obtained, and how it is used;
- Ensuring that we only process personal data where this is permissible according to one or more of the “lawful bases” of processing set out in the GDPR, including, for example, that the data subject has given consent to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of the organisation’s “legitimate interests”;
- Developing and implementing a number of new policies and procedures to ensure that we are able to respond efficiently to data protection issues, including a Subject Access Request Procedure and a Data Retention Policy; and
- Creating a Data Protection Addendum to our standard terms of engagement that addresses the GDPR’s requirements regarding contracts between data controllers and data processors where we are handling personal data on behalf of a client.
3. What does the concept of “personal data” cover?
The GDPR applies to “personal data”, which means any information relating to a living person who can be identified (directly or indirectly) from that data by itself, or by reference to some identifier such as a name or user ID, location data, or an IP address or other online identifier.
The GDPR applies both to personal data held electronically and to personal data held in manual filing systems, if the information is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Even personal data that has been anonymised or pseudonymised can still fall within the scope of the GDPR, if it is practicable to “reverse engineer” the anonymisation or pseudonymisation in such a way as to associate the data with a given individual.
4. What kinds of personal data do we hold within IT Glue?
IT Glue generally holds quite a limited set of personal data. Apart from the personal data that we need to process for HR purposes, the main category of personal data that we hold is information relating to individuals within our corporate customer base, such as:
- Contact data – When someone submits an inquiry through the IT Glue website, either by completing our contact form or completing a quote request, their contact information will be recorded and stored in our secure database.
- Profile data – We may collect and store information about our contacts that is obtained through cookies, log files, and/or third parties (e.g. Google Analytics) to create a profile of our users. The purpose of such a profile is to better understand how users access and use the IT Glue service to provide offers and make improvements.
- Registration data – When someone signs up to IT Glue, they will be asked for their company name, address, billing address, e-mail address, and phone number. Our primary purpose in collecting this information is to provide our customers and subscribers with a customized, efficient, and easy-to-use service.
5. What are the main do’s and don’ts that we observe with regard to personal data?
a. Ensure security for personal data
The GDPR requires that personal data is processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. IT Glue has put in place suitable measures, which are discussed in more detail in Section 7 below, and we have also stressed to our staff the importance of ensuring security.
b. Keep personal data accurate and up to date
The GDPR requires that any personal data we hold is kept accurate and up to date. We have instructed all IT Glue staff that they should regularly check the contacts for whom they are responsible, to make sure that the details that we hold in our systems remain current.
c. Use “opt-in” language on future sign-up screens
The GDPR restricts most forms of unsolicited communications, and requires that people actively opt in to receiving electronic marketing communications. This means that pre-ticked boxes, opt-out boxes or other default settings, which rely on the individual’s inertia as consent – rather than a positive, affirmative step – no longer constitute valid consent. We have endeavoured to make obtaining consent as granular as possible, so that we are only communicating with people about the products and services they are interested in, and through the channels (email, telephone, post) that they prefer.
d. Respect requests for withdrawal of consent
The GDPR imposes a legal obligation on us to cease using personal data where an individual has withdrawn their consent (unless we can rely on some other legal basis under the GDPR). We have made clear to all IT Glue staff that users have this right, and that any withdrawal of consent is actioned accordingly.
e. Minimise personal data
The GDPR requires companies to “minimise” the personal data that they hold: this means not holding more personal data about someone than you strictly need to, and not keeping it for longer than is necessary.
6. Where do I go if I want to know more about what IT Glue does with my personal data?
All users of the IT Glue service, and any other third parties, can find more details in the updated IT Glue Privacy Notice and FAQs at https://www.itglue.com/gdpr-faq.
7. What measures do we have in place to ensure the security of personal data relating to users?
Security and privacy have been designed into IT Glue from the start, and some of these measures are set out below:
- We minimise the personal information we collect about users, and only collect such information when we have the user’s explicit permission.
- All our systems and data are hosted with a highly-certified, Tier 1 hosting provider, namely Amazon Web Services.
- EU-based customers may choose to be hosted in the EU zone, in order to be doubly sure that they benefit from the protections that the GDPR affords them.
- We minimise the number of data processors we use, and ensure that none of them have access to unnecessary data.
- All vendors who connect to our production system go through a stringent vendor management process.
- As part of our SOC 2 certification process, we decided to go above and beyond the basic security controls to protect user privacy and data, including:
  - Implementing PCI-DSS and ISO 27001-compliant controls and operating procedures;
  - Conducting annual testing of our controls and processes as part of our ongoing SOC 2 compliance;
  - Performing regular independent testing exceeding PCI-DSS standards, including vulnerability scanning, penetration testing and internal audit; and
  - Ensuring that all connections to IT Glue are encrypted.
8. What happens if IT Glue becomes aware that personal data has been lost, stolen or corrupted?
A “personal data breach” is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This might include, for example, unauthorised accessing of personal data by IT Glue staff or third parties; sending personal data to an incorrect recipient; or laptops or mobile phones containing personal data being lost or stolen.
In the event of a personal data breach, IT Glue may be legally required to notify the authorities and/or the data subjects themselves, and to do so within very tight timescales. Our staff are trained to know that any actual or suspected breach must be reported to their line manager or other senior figure, who should also be provided with full details, in order that we can start our formal process of deciding how to respond.
9. Who is your Data Protection Officer?
Not all companies are required by law to formally appoint a Data Protection Officer (or DPO). In the case of IT Glue, we have decided not to appoint a DPO, and have instead designated a senior member of our European team as the lead person with responsibility for data protection:
26 West 17th Street, 9th Floor,
New York, New York 10011.
If you have any requests as a data subject (including without limitation subject access requests, requests for data rectification, or requests for erasure of personal data), or if you are aware of or suspect a personal data breach relating to personal data, please notify IT Glue using the contact details set out above.
10. Where do I go for more information?
If you have any further questions about how we use personal data or how we comply with GDPR, please contact IT Glue using the contact details in Section 9 above.
Further information about GDPR generally can also be obtained from the website for the UK Information Commissioner’s Office at