Technical and Organisational Measures for Data Protection
This document provides an overview of the technical and organisational measures which Natural HR Limited (“Natural HR”) has in place to ensure the protection of personal data processed by the company.
Designed by HR professionals for HR professionals, Natural HR is all-in-one Human Resource Management and payroll software for growing businesses with over 100 employees.
Our comprehensive suite includes a core HR database, self-service, recruitment, performance management, time and attendance, expenses, payroll, reporting and analytics.
1.1 Natural HR Data Centres
Natural HR makes its cloud-based HR platform available to customers as Software as a Service (SaaS) from U.K. data centres based in Manchester, with a complete backup program to a data centre in Leeds. In this document, the sections named “Data Centres” describe how personal data stored in Natural HR’s databases is protected in accordance with the measures in place at the UKFast.Net Ltd (“UKFN”) or Heart Internet Ltd (“Heart”) data centres.
All personal data relating to Natural HR’s customers, and respondent data collected and processed, is hosted on external servers in the data centres controlled by UKFN and backed up by Heart in the locations listed below. All data centres have been certified to the required international information security standards. UKFN is certified as follows, with copies of the certifications available here:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO 22301:2012
- PCI-DSS Compliant
- Cyber Essentials Plus
- Approved through the G-Cloud 11 Framework
|Data Centre Provider|Address|Country|
|UKFast.Net Ltd|UKFast Campus| |
|Heart Internet Ltd|Waterfront House, Beeston Business Park| |
1.2 Natural HR Offices
Natural HR processes personal data relating to employees, customers, visitors and suppliers in accordance with Natural HR’s Information Security Management System (“ISMS”) and using the company’s own platforms which reside in the data centres listed in section 1.1.
In this document, the sections named “Office” describe how protection of personal data is ensured at Natural HR’s offices listed below. Natural HR is certified to ISO/IEC 27001:2013 and the company’s risk management process follows ISO/IEC 27005 for information security risk management. Natural HR is also PCI-DSS compliant and is Cyber Essentials certified.
|Natural HR Ltd|4th Floor, Regent House, 50 Frederick Street|
1.3 Fulfilment of the General Data Protection Regulation (“GDPR”)
The document describes how Natural HR fulfils its obligations for processing personal data on behalf of its customers in accordance with the requirements in the GDPR for technical and organisational measures. The relevant requirements are found in the GDPR Articles 5, 17, 19, 24, 25, 28, 29, 32, 33, 35 and 39. The technical and organisational measures described in this document are set out by Natural HR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk for the rights and freedoms of natural persons, referencing GDPR Article 32.
2. Official Laws and Regulatory Compliance
Natural HR processes all personal data in the U.K. and fully complies with the laws in England and Wales such as the Data Protection Act 2018. Natural HR is committed to reporting to the Information Commissioner’s Office (“ICO”) any data breach incident within 72 hours.
3. Organisation of Information Security
Natural HR information security structure is set out below:
- Natural HR has a comprehensive set of information security policies fully integrated and adopted as part of the company’s ISMS with the implementation of all applicable mandatory processes, records and controls of the International Standard 27001; all approved by senior management and disseminated to every staff member.
- Natural HR’s ISMS Manager has overall responsibility for the information security policy.
- All job applicants follow a screening process according to the principles of the Natural HR background check policy before formally becoming staff members.
- All staff receive an induction and are given regular information security training according to their assigned roles and responsibilities.
- All staff have signed approved confidentiality and intellectual property agreements.
- Regular awareness discussions and training on data protection are provided to all staff.
- Natural HR commits to continuous monitoring of the effectiveness of its information safeguards through a structured audit programme as outlined in section 12.
- Key information security policies are reviewed at least annually.
- Natural HR contracts a Third-Party expert to provide regular information security assistance and information reviews for the company on its systems and processes.
- Natural HR shall establish a Security Review Board led by the CEO and senior management to monitor and assess the effectiveness of the company’s security operations and incident management.
4. Privacy Policies and Procedures
Natural HR shall maintain an appropriate data privacy and information security programme, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programmes, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle.
5. Physical and Environmental Security
This section describes Natural HR’s measures that are in place to prevent unauthorised individuals from physically accessing the data processing systems that are employed to process or use personal data.
5.1 Data Centres
5.1.1 Centre in Manchester, U.K.
The standards of ISO 27001 certification apply to the data centre building.
Entry to each facility is rigorously controlled to monitor and manage visitor access, both into and within each data centre. Extensive CCTV video camera surveillance is in place, inside and out, across each facility, along with security breach alarms and controlled physical barriers. All data centres also include:
- Proximity cards for access.
- SIA-accredited UKFN staff working 24/7/365.
- 8m secure fencing and razor wire perimeter fence.
- 24hr NSOI-accredited security patrol.
- Full monitoring of systems including:
  - Network connectivity and latency CCTV systems.
  - Cage and entry door access controls as well as the physical grounds.
  - Temperature, moisture and humidity levels in individual suites.
  - Power levels (down to individual power bars within racks).
5.1.2 Centre in Strasbourg, France
“Confidentiality means that personal data is protected against unauthorized disclosure.”
We use a variety of physical and logical measures to protect the confidentiality of our customers’ personal data. Those measures include:
- Physical access control systems in place (Badge access control, Security event monitoring etc.)
- Surveillance systems including alarms and, as appropriate, CCTV monitoring
- Clean desk policies and controls in place (Locking of unattended computers, locked cabinets etc.)
- Visitor Access Management
- Destruction of data on physical media and documents (shredding, degaussing etc.)
Access Control & Prevention of Unauthorized Access
- User access restrictions applied and role-based access permissions provided/reviewed based on segregation of duties principle
- Strong authentication and authorization methods (Multi-factor authentication, certificate based authorization, automatic deactivation/log-off etc.)
- Centralized password management and strong/complex password policies (minimum length, complexity of characters, expiration of passwords etc.)
- Controlled access to e-mails and the Internet
- Anti-virus management
- Intrusion Prevention System management
- Encryption of external and internal communication via strong cryptographic protocols
- Encrypting PII/SPII data at rest (databases, shared directories etc.)
- Full disk encryption for company PCs and laptops
- Encryption of storage media
- Remote connections to the company networks are encrypted via VPN
- Securing the lifecycle of encryption keys
- PII/SPII minimization in application, debugging and security logs
- Pseudonymization of personal data to prevent direct identification of an individual
- Segregation of data stored by function (test, staging, live)
- Logical segregation of data by role-based access rights
- Defined data retention periods for personal data
- Penetration Testing for critical company networks and platforms hosting personal data
- Regular network and vulnerability scans
“Integrity refers to ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term “data”, it expresses that the data is complete and unchanged.” In addition to access controls, appropriate change and log management controls are in place to maintain the integrity of personal data, such as:
Change & Release Management
- Change and release management process (including impact analysis, approvals, testing, security reviews, staging, monitoring etc.)
- Role & Function-based (Segregation of Duties) access provisioning on production environments
Logging & Monitoring
- Logging of access and changes on data
- Centralized audit & security logs
- Monitoring of the completeness and correctness of the transfer of data (end-to-end check)
“The availability of services and IT systems, IT applications, and IT network functions or of information is guaranteed, if the users are able to use them at all times as intended.” We implement appropriate continuity and security measures to maintain the availability of our services and the data residing within those services:
- Regular fail-over tests applied for critical services
- Extensive performance/availability monitoring and reporting for critical systems
- Incident response programme
- Critical data either replicated or backed up (Cloud Backups/Hard Disks/Database replication etc.)
- Planned software, infrastructure and security maintenance in place (Software updates, security patches etc.)
- Redundant and resilient systems (server clusters, mirrored DBs, high availability setups etc.) located on off-site and/or geographically separated locations
- Use of uninterruptible power supplies, fail redundant hardware and network systems
- Alarm and security systems in place
- Physical Protection measures in place for critical sites (surge protection, raised floors, cooling systems, fire and/or smoke detectors, fire suppression systems etc.)
- DDoS protection to maintain availability
- Load & Stress Testing
Physical access to the main office is secured with 24-hour alarm services. Access is only gained through a controlled process using security cards and keys for the main doors, with only key staff having key access.
Visitors must report to reception; the entrance door is equipped with a digital locking system and can only be opened by staff. Visitors are accompanied by a staff member at all times while they are on the business premises.
6. Data Access Control
Any staff with access to private data can only access the data that is necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ and is either role-based or name-based. Access logs are in place and the responsibility for access control is overseen by senior management.
The following measures are in place:
- Set procedures are in place for staff to comply with the applicable Natural HR security and data protection policies.
- Defined work instructions on handling private data.
- Procedures for checking compliance with procedures and work instructions are in place.
- User (password) codes protect access to private data.
- Access Logging and control.
- Controlled destruction of data media.
- All data access to the data centres is strictly controlled to ensure only the CEO and Senior Developer Manager can access the administration systems remotely.
7. Security and Confidentiality of Personal Data
The processing and use of personal data is limited to serving the customers’ needs only, and Natural HR does not transfer data to uninvolved third parties.
Based on risk assessments aligned to the ISMS (and if required an additional DPIA), Natural HR will ensure a level of security appropriate to the risk, which could include the following measures:
- The anonymisation and pseudonymisation of personal data by the customer’s own selection of that feature for their data set.
- The encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- Ensure a logical data separation between the company, customers and suppliers.
- Set up a process to keep processed data accurate, reliable and up-to-date.
- Process registers according to GDPR requirements.
- Use of relevant access log systems for the purpose of detecting unauthorised access attempts. Unless a different agreement is specified in the contract between Natural HR and the customer, the data server logs are kept for a minimum of 12 months.
- Customer data (including back-ups and archives) will only be stored in the nominated data centres noted in section 1.1 for as long as it serves the purposes for which the data was collected unless there is a legal or contractual obligation to retain the data for a longer period of time. On termination of the company’s services, the data is removed from live systems by the customer and all backup data expires after 30 days.
8. Availability of Personal Data
Article 32 of the GDPR defines availability control as a requirement to ensure the security of processing. This section describes Natural HR’s measures to ensure that personal data is available and is not accidentally destroyed or lost, including routines for backup and recovery to ensure appropriate resilience is in place.
8.1 Data Centres
8.1.1 Centre in Manchester, U.K.
- Every four hours data is copied from the primary to the secondary site in Manchester, with the data being backed up to the tertiary site every four hours. This provides an RTO of up to four hours with a targeted RPO of four hours if the secondary site is accessible, with a contingency of forty-eight hours if it is not accessible.
- Senior approved Natural HR staff verify data backup log files regularly.
- Regular training in data recovery and data readability checks is carried out as part of emergency drills.
- N+1 redundancy power specification (UPS and generators).
- Climate control with air-cooled DX chillers.
- Fire protection through gaseous-based suppression systems using world-class VESDA (Very Early Smoke Detection Apparatus) and alarm systems. These highly sensitive two-stage smoke detectors are linked to the DCIM system and monitored continually from UKFN’s network operations centre.
8.1.2 Centre in Leeds, U.K.
Need details from Heart Internet
Any backup processes or measures?
File server/DC is backed up each night – email backed up each night?
9. Data Transmission
Natural HR shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer. For any access to the nominated data centres stated in section 1.1, the measures will include:
- Implementation of industry-standard encryption practices in its transmission of personal data. All databases containing client data are encrypted at rest, using at least AES-256, and specific sensitive fields are additionally encrypted at column level. For data in transit, all connections are encrypted under the TLS > 1.2 protocol in order to provide communications security and privacy.
- For Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on the network that contains such information, software Intrusion Detection System (“IDS”) and Intrusion Prevention System (“IPS”) are used to provide an additional layer of input checking and attack mitigation.
10. End-User Device Protection
All staff, whether they are based in the main office or working remotely, are covered by strict guidelines and policies, including the Remote Access Policy. The following security measures apply to all users working with laptops on Natural HR’s secure network:
- Encryption of the hard disk on company assigned laptops.
- Centrally managed with up-to-date anti-virus protection.
- Management and monitoring of the software to control only authorised software installations.
- Vendor supplied updates are systematically installed.
- A strong overwriting process before any used machine is reassigned.
- Login ID and password controls are implemented to access information.
- Periodic access review is implemented.
- E-mails are automatically scanned by approved anti-virus and anti-spam software.
11. Incident Management
Natural HR maintains a security incident response policy and related plan and procedures which address the measures that the company will take in the event of loss of control, theft, unauthorised disclosure, unauthorised access, or unauthorised acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
Natural HR ensures that:
- There is an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents and response plans and procedures.
- Tests are regularly undertaken around the company’s incident response plan with “table-top” exercises and continual improvement processes to improve the plan.
- In the event of a security breach, Natural HR will notify customers without undue delay after becoming aware of the security breach following the procedures stated in GDPR Articles 4, 33 and 34. These dictate that within a maximum period of 72 hours, Natural HR will report to the ICO and all persons and parties affected on the nature, scope and consequences of the breach.
This section describes Natural HR’s measures ensuring that its policies, including the policies described in this document, are adhered to through the organisation, and the process for regularly testing, assessing and evaluating the effectiveness of these technical and organisational measures.
12.1 Security Audits
Regular audits of Natural HR are part of the ISO 27001 certificate requirements which are undertaken annually by an accredited ISO certification body.
Apart from the ISO audit, Natural HR has committed to an external security consultant to help ensure the company continually strives for improvement of its ISMS with quarterly internal security meetings to review the effectiveness of the measures outlined in this document. Also, regular self-audits are undertaken by senior management to ensure continual improvement and data protection compliance.
12.2 External Vulnerability Audits
To meet the high security requirements for the platforms, as well as ISO 27001 certification requirements, Natural HR utilises accredited Third-Party security experts to conduct annual penetration tests of the company’s systems. These systems are independently verified and assessed for vulnerabilities, with all penetration tests being aligned with recognised penetration testing methodologies such as OWASP, OSSTMM or ISSAF.