GOSS and GDPR
In line with the GOSS Data Protection Policy, we are committed to ensuring that GOSS is compliant with the existing Data Protection Act and its replacement, the General Data Protection Regulation (GDPR). GOSS takes personal data security seriously, and this is reflected in GOSS's implementation of ISO 27001.
As data processor for our clients, we ensure that:
- GOSS will only process the information as per instruction and approval from the Data Controller (this includes transfer of personal data to third parties, change of purpose, and deletion/removal of client data)
- GOSS datacentres and their disaster recovery physical sites are located within the UK or EEA (dependent on client requirements)
- Access to GOSS datacentres and our clients' data is limited to those who have a legitimate need for access
- Data from client hosted sites is backed up every night and stored in 4 weekly rotations (retention period)
- The GOSS incident reporting process takes into account the requirement to contact the Data Controller, the ICO (or other Supervisory Authority), and/or other relevant regulatory authorities in the event of a personal data breach
- GOSS will support our clients in dealing with data subject requests in relation to the personal data that GOSS has processed on their behalf
Moreover, as part of GOSS services, we are able to assist our clients, as Data Controllers, in completing Data Protection Impact Assessments (DPIAs). GOSS recommends that our clients conduct a DPIA at the start of a project and periodically throughout its life-cycle, in order to assess whether the project's risk and impact are acceptable. The GOSS consultancy team can help our clients through the DPIA process if required. This DPIA support is available as an additional chargeable service that GOSS can provide.
With regard to the GOSS Digital Platform's compliance with the current Data Protection requirements and their replacement, the platform is flexible and configurable so that our clients are able to deal with data subject rights. As Data Controller, GOSS clients are responsible for managing the personal data within the application, including retention or deletion of the data in accordance with their specific data retention policy. As part of the client project kick-off meeting, or when requested, GOSS will work with clients to provide GDPR-compliant solutions using the GOSS Digital Platform that fit each client's internal processes for dealing with data subject rights. Depending on the nature and scope of a client's specific requirements, additional charges may be incurred.