Epilight New Skin Clinic – GDPR Information Security Statement
From 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European Union countries, including the UK.
GDPR will replace the Data Protection Act 1998, which was developed at a time when there was limited understanding of the overall impact that technology would have on data processing.
The GDPR has been designed to offer effective legislation for the 21st century. The main principles are largely the same as those of the existing regulations, but there have been some key changes and updates that are important to understand.
In this document we explain some of the key points of the GDPR and how we implement them, with regard to the measures we have taken to ensure the protection of your data.
Data Protection Measures
Below is an overview of some of the data protection measures that we have taken:
Data Access Control
● Access to any systems that hold data, by employees, is controlled by a username and password.
We have set minimum password complexity requirements and procedures to ensure that passwords are changed immediately if they may have been compromised in any way.
● All access to data is on a least privilege basis; this means individual employees can only access the minimum amount of data necessary for them to carry out their job effectively.
● We use firewalls on all internet-facing elements of our infrastructure in order to control traffic into and out of our business. Firewalls are also enabled on all employee terminals at all times.
● All our employee terminals and equipment are protected using real-time anti-virus, anti-spyware and anti-malware software.
● An Anti-Malware policy has been put in place to ensure that all staff are aware of their obligations with regard to the proper use of employee terminals.
Security of equipment including laptops and mobile phones
● All company laptops, tablets and mobile phones have full storage (disk) encryption and are password and/or passcode protected.
● Employees are trained and aware of the risks of taking mobile equipment out of the office and the importance of protecting these devices.
Data Encryption / Data in Transit
● All transfers of personal data, including contact forms submitted on our website and data sent to any of our partners, are done via secure HTTPS connections.
HTTPS is a secure version of the standard “hypertext transfer protocol” that your web browser uses when communicating with our website. HTTPS connections are encrypted, meaning that when you send sensitive information over an HTTPS connection, no one can eavesdrop on it or read it in transit. HTTPS is what makes services such as secure online banking and shopping possible.
We use written records to collect and store some of our customer data, such as treatment records, consent forms and questionnaires. All of these written records are stored securely offline and on site. Written records are:
● Stored in locked, secure filing cabinets
● Only accessible by members of staff where necessary to fulfil their role
● Only removed from secure filing cabinets when needed and returned on completion of use
● Never accessible by any third party, outside of our organisation, or the public
● Securely destroyed once we no longer have a legal obligation to keep the records
● Checked bi-yearly to identify, remove and destroy written records that we no longer have a legal obligation to keep
● Destroyed in accordance with current regulations (BS EN 15713:2009) and securely disposed of
Company premises where any data is stored have all necessary security and alarm systems to alert us in the case of a break-in and to keep data secure. External doors and entrances are fitted with secure locks and covered by a motion detector alarm system. All internal restricted areas are secured via locked and/or code-protected doors.
Employee Data Protection Training
● All of our employees undergo strict pre-employment vetting, including education, employment history and right to work.
● All of our employees are educated on the importance of data security. Training covering the measures they must take to protect personal, company and customer data is carried out as part of their induction process and periodically as part of our ongoing staff training.
● All of our employees have confidentiality obligations clearly set out as part of their contract of employment.
Data Breach Notifications
We take all of the measures detailed in this document to secure your data as part of our data processing. In the unlikely event of a data breach, we will inform you within 24 hours of becoming aware of any security issue that may have led to a data breach involving customer data.