GDPR statement for service provision on behalf of our clients

GDPR Statement For Our Clients

The following explains the role of Silver Innovation as a service provider in relation to the GDPR regulations which come into force on 25th May 2018. If you wish to review Silver Innovation's personal data policy with regard to you as a client, please review our privacy policy.

Terminology and roles

GDPR defines a number of roles which determine responsibility and the guidelines for handling of personal data:

  • Data controller - This refers to a Silver Innovation client who is the operator/owner of any website or application that Silver Innovation have developed, host and/or support
  • Data processor (or data sub-processor) - This refers to Silver Innovation as we are party to personal data through providing our services

Responsibility and obligations

All Silver Innovation clients are responsible for their own adherence to GDPR.  It is not the responsibility of Silver Innovation to enforce or implement any rules or changes for data controllers (i.e. our clients).

Silver Innovation, as data processors, shall provide sufficient technical and organisational practices that meet the GDPR guidelines for data processors. This is to ensure any handling of any data on our clients' behalf is confidential, secure and responsible. We may disclose data to service providers who render services to us or our clients, all of whom are contractually obliged to act only on our instructions and in accordance with applicable laws including GDPR.

Website & application changes to become GDPR-compliant

The GDPR laws which have come into effect are globally impactful, being law in the UK and EU countries. Furthermore, other countries which serve UK and EU citizens are also required to adhere to the same guidelines.

As such, any website, application or software developed prior to GDPR coming into effect on 25th May 2018 may require further changes to ensure compliance with the guidelines, and how they specifically apply to each client.

These changes may be subject to additional investigation & development charges as advised by Silver Innovation on a case-by-case basis due to the diverse rules and nature of the website/application/software.

Review and change process

The extent of changes required will depend on several factors:

  1. The type of data captured and stored by your website/application/software (i.e. is it personally identifiable, is it sensitive)
  2. The intended usage for that data (i.e. for order processing, marketing, promotions etc)
  3. How the data is captured (by online enquiry form, by user registration etc)
  4. The length of time and legal basis for storing this data (i.e. stored for 6 years due to HMRC invoice and tax purposes)

We advise the following:

  1. Client should initially involve their Data Protection Officer (if appointed/applicable)
  2. Client should review and formalise their own GDPR policy wording and make key decisions on the above factors such as data capture methods, intended usage, retention period, security. Existing processes may need to be reviewed and revised in line with GDPR
  3. Client to make their policy available via their website, email signature and other communication forms
  4. Silver Innovation to review the website/application/software to determine what areas contravene the agreed GDPR policy
  5. Silver Innovation to recommend technically feasible solutions to ensure GDPR-compliance
  6. Silver Innovation to estimate costs for implementation where applicable
  7. Client to instruct Silver Innovation to proceed

Data Subject Rights

GDPR includes several data subject rights which data controllers are obligated to respect.

In the first instance, it is the responsibility of the data controller to respond to all requests and fulfil where possible - via any content management system (CMS) or administration area.

As a service provider (data processor), Silver Innovation may be required to manually intervene to technically carry out certain tasks not available through the existing CMS/Administration.   All manual requests will be carried out for free for clients who are covered by a support & maintenance agreement.  Otherwise, requests will be chargeable at our standard agreed hourly rate.

The data subject rights that Silver Innovation can manually assist with are as follows:

  1. The right to ask for a copy of data - typically a comma separated file (CSV)
  2. The right to ask to correct any data - such as errors, mistakes or inaccuracies
  3. The right to ask for data to be removed - includes audit records

Data handling

Retention & backups

Silver Innovation, as a data processor, retain backups for 3 months for the purpose of providing restoration of data in the event of a disaster recovery scenario.  These backups are stored securely and accessible only via an encrypted platform.

Data breaches

Silver Innovation, as a data processor, will comply with the GDPR guidelines surrounding data breaches, such as notification of clients within 72 hours of a breach being detected. Further details can be found here.

Data security

Silver Innovation recommend all websites/applications are operated under a secure https:// connection to ensure encryption is in place to secure data in transit.

Specific data encryption is implemented on a case-by-case basis based on the level of sensitivity of the data and any specific requirements or instructions from clients (data controller).