Doofus Ideas Ltd
London, UK EC1V 2NX
hello@dofusidea.com
Ph: +44.800.832.1522
For Project inquiries only:
june.harington@doofusidea.com
Ph: +44.155.657.0163
Company # 12339015
For Media & Tech Inquiries:
tech@doofusidea.com
press@doofusidea.com
Ph: +44.155.657.0163
Back

GDPR

Compliance Overview

With GDPR and PECR coming into force as of 25th May, we have been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. Further to this, in the background, we have been working hard to bring ourselves into compliance well before the 25th of May.

As an accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. The purpose of ISO IEC 27001 is to help organisations to establish and maintain an information security management system (ISMS). An ISMS is a set of interrelated elements that organisations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information. Links to the details of this accreditation (Certificate number, accreditation body etc.) are contained in our email signatures and on our websites alongside our 9001 and 13485 accreditations. The scope for this accreditation covers both our hosted and on-premise data systems.

Sub-processors

In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. In our day to day operations, the vast majority of our information is stored on our internal systems here in our offices. We have sought and have recorded assurances from other processors, where they are used

Hosted Services

Where we provide hosting services to our clients we act as data processors on the behalf of our client who are data controllers under the terms of the regulation.

Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, please see below the following series of statements to satisfy this requirement.

Organisational Measures

As an accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act).

We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator of Supervisory Authority should we be required to do so in line with the requirements of the regulation. Further to this, this manual acts as a GDPR Addendum to ISO27001:2013 with additional policies and records in line with the requirements of the regulation.

Access to the administrative portions of the hosting infrastructure is highly restricted, limited to a few people within the business.

Technical Measures

All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services is disabled and restricted as necessary.

Each server is further protected by an additional software firewall and physical DDOS appliance. The software firewall is configured to only allow relevant network services.

Further to this, each CMS website is protected by a software-based Web Application Firewall to provide protection against common vulnerabilities etc. We also employ intrusion detection systems on the servers that are monitored for unusual behaviour.

Website files, databases and other data relating to the website, underlying content management system files, version and so on are the sole responsibility of the customer.

Doofus Ideas is responsible for the security of the Operating System and firewall configurations alongside updating the WHM/CPanel software on the servers only.

Website Development and Design services

Where you have contracted Doofus Ideas to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site/application.

In these circumstances, the client is acting as a Data Controller and the company hosting the site is acting as a processor and the Controller should seek written assurances from the processor around the measures being taken to secure the data.

Technical IT Services

Where you have contracted Doofus Ideas to consult upon, build, and deploy internal IT systems, Doofus Ideas is not responsible for the way in which these systems are used and, as Data Controllers it is your responsibility to ensure that your IT systems and the organisational policies and procedures are compliant with the regulation. Doofus Ideas is willing to assist with this in whatever way possible.

3rd Party Hosted Services

Where you have taken advice from Blue Frontier who have recommended and/or referred you to a 3rd party processing service, such as O365 or Jungledisk, Doofus Ideas act as neither processors nor controllers with respect to these data processing systems. The Data Controller should seek written assurances from the processor around the measures being taken to secure the data.

Doofus Ideas Internal Systems

Organisational Measures

As an accredited organisation, we already have the foundations of compliance pre-built as the technical and organisational measures required under this ISO accreditation are a good match to meet, and exceed, the test of “reasonable technical and organisational measures” required under the regulation. We are also registered with the ICO as a controller and processor under the terms of the DPA (Data Protection Act).

We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator of Supervisory Authority should we be required to do so in line with the requirements of the regulation. Further to this, this manual acts as a GDPR Addendum to ISO27001:2013 with additional policies and records in line with the requirements of the regulation.

Data Collection Policy Statement

Doofus Ideas Ltd act, variously, as either/or data controller and data processor for our clients in line with the definitions in the regulation. Doofus Ideas Ltd is located at Kemp House, 160 City Road, London, UK EC1V 2NX with a phone number of 0800 832 1522 and a contact email address of hello@doofusidea.com. Our website with privacy policy is located at http://doofusidea.com.

We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.

This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers.

We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.

Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. We do not engage in profiling or automated decision making. To exercise these rights please contact us using the details provided above.

Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO) and their contact details can be found online.

Disclaimer

Nothing on this statement constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information in this statement is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.