GDPR - Feedback Ferret

GDPR Compliance

At Feedback Ferret we take our responsibilities to secure our clients’ data seriously, including personally identifiable data. In order to give you assurances as to the steps that we have taken, and continue to take, to meet our compliance obligations under the Data Protection Act and the General Data Protection Regulation, we are happy to provide you with details of our policies and procedures.

 

Overall Approach to Compliance

As a business which frequently works with significant quantities of data, Feedback Ferret is committed to fulfilling its legal responsibilities with respect to managing and securing such data, and has put robust measures in place to ensure it complies with all applicable data protection laws. Mark Spicer (Director) is the nominated individual within the company who has overall responsibility for our compliance processes.

In order to meet our new obligations under the GDPR we have taken the following steps:

  • We have sought advice from external auditors and legal professionals to understand the extent of our obligations;
  • We have reviewed and amended our technical and organisational security measures;
  • We have reviewed and amended our existing policies and procedures, and introduced new procedures to enable us to meet our GDPR obligations;
  • We have appointed Vian van der Berg (Business Manager) as our designated person responsible for overseeing our data protection policies and procedures;
  • We have introduced new terms and conditions within our MSA and other standard contracts with our customers.

 

Roles and Responsibilities

In relation to Feedback Ferret’s contracts with its customers, Feedback Ferret is a data processor and you, our customer, are the data controller.

As a data processor, we are committed to ensuring that we have systems and processes in place to enable us to process data appropriately and in accordance with your instructions.  These systems include our ability to amend and delete data at your request, to enable you, as data controller, to meet your obligations under the GDPR and ensure that the data we are processing on your behalf is kept up to date.

Where possible, we encourage our customers to provide the minimum level of personally identifiable data to us, as often it may not be strictly necessary for us to see it in order to provide our services. Where we receive data fields that we do not require, we will use reasonable efforts to avoid processing this data.

 

Nature of Data Processing

Feedback Ferret processes data it receives from its clients or prospective clients, which may contain personal data, pursuant to an agreement to produce the deliverables specified therein.

 

Data Storage

All data, including personally identifiable data, is stored using Amazon Web Services (AWS) at its secure cloud services platform located in the EU (UK, Ireland and Germany).

 

Data Protection by Design and by Default

We take a number of technical and organisational measures to protect the personal data that we are processing on behalf of our customers. These are set out in our Corporate Security Policies which are available on request.

We regularly review our security measures, including undertaking penetration testing of our systems, and we are also audited annually by an independent third party for compliance with our ISO27001 ISMS to ensure that we continue to meet current standards.

We ensure that all of our staff receive regular training and understand the risks associated with handling and processing personal data, including Security Awareness Essentials (formerly Fundamentals of Information Security).

 

Sub-contracting Arrangements

At Feedback Ferret we handle most of our data processing in-house. However, we will notify you where we may outsource some data processing activities to third parties.

Where Feedback Ferret does engage sub-contractors, we undertake due diligence on them and their businesses to gain assurance on their approach to data protection issues equivalent to those set out in this document. This enables us to give the same assurances to you, our customer.

At Feedback Ferret we ensure that all our sub-contractors sign up to equivalent contractual terms to those set out in our contracts with you, to ensure that all the personal data that we are processing on your behalf is processed securely and appropriately.

 

Records of Processing Activity

We will ensure that we maintain the appropriate records of the processing that we undertake on behalf of our customers.

These records are retained for the duration of the contract with our customers, and for up to 6 years after termination of the relationship with a customer.

 

Data Security Measures

At Feedback Ferret we take a number of operational and technical security measures to ensure the personal data we process is managed securely.

Feedback Ferret holds the following certification: ISO 27001:2013.

 

Audit

We conduct regular reviews of our own technical and organisational measures. Please contact Vian van der Berg (Business Manager) at vian.vanderberg@feedbackferret.com for more information.
