The impending GDPR deadline of 25th May 2018 is fast approaching.
Tensor has been asked by many of our customers for our stance regarding data stored in the products we manufacture & install and how any other aspect of our service is affected by GDPR. Therefore, we can provide the following advice.
All of Tensor’s products are sold with no data (personal or otherwise) populated with Tensor currently not offering a fully managed/hosted solution or service. Any personal data either resides within a customer’s premises or at a location chosen or controlled by our customers.
Any personal data that is then used to populate Tensor’s products is under the control of our customers (i.e. our customers are the data processor and/or data controller) and therefore our customers must ensure that they have appropriate GDPR policies in place and appropriate data protection policies in order to protect any personal data. Equally, if our customers choose to externally host elements of their IT infrastructure including personal data records held within Tensor’s software, then our customers must ensure that an appropriate Data Processing Agreement is in place with all necessary safeguards implemented by the organisation hosting the personal data.
Many questions have been raised regarding biometric data which is classed as ‘special data’ under GDPR. Biometric data should be secured in the same way as personal data. There is an argument however that the loss of fingerprint biometric data (i.e. such as the biometric data stored within Tensor’s products) is deemed a very low risk and certainly much lower than the loss of other types of personal data due to the biometric data being encrypted to AES256 encryption levels and that the actual fingerprint is never stored. Tensor stores the mathematical location of up to 50 minutiae including on each finger with the minutiae swirl direction and so it is impossible to replicate a full fingerprint in an attempt to identify an individual from the fingerprint biometric data stored by Tensor.
Tensor is planning to release a cloud-based option for some of our products which may offer a hosted & fully managed solution on behalf of our customers. Under these circumstances, Tensor would then become the data processer on behalf of our customers and therefore this would present a different scenario and require further documentation to be provided by Tensor to process and store customer’s personal data on their behalf.
Tensor does require access at times to customer data of which some may be deemed as personal data, to carry out our support duties under both our warranty & maintenance service offerings. Tensor has amended some of our internal procedures on how customer data is handled to further protect customer data and ensure that customer data is not unnecessarily shared within Tensor and is kept as much as possible in single locations under the direct control of Tensor’s IT department.
Tensor has also implemented automatic purging of customer data & files that have not been accessed for 60 days or more in order to comply with GDPR. If any of our customers require Tensor to enter a Data Processing Agreement, please email or post these to our Data Protection Officer at Tensor plc, Hail Weston House, Hail Weston, St Neots, CAMBS, PE19 5JY or firstname.lastname@example.org. Alternatively, Tensor has a standard Data Processing Agreement that can share with our customers that may be of assistance.
Please also contact Tensor’s Data Protection Officer if you require further information regarding Tensor’s GDPR policies.
Tensor’s Internal IT Systems & Data Protection
Following an 18-month IT infrastructure review which included implementation of further IT systems & policies, Tensor gained external certification to demonstrate that we are a secure organisation who has sound infrastructure and IT based data protection measures in place. Tensor was awarded the CyberEssentials certification during February 2018 (certificate no. IASME-A-05294) and are aiming to undertake the CyberEssentials+ certification during 2018.
The Cyber Essentials certification programme is a UK Government-backed scheme that guides businesses in protecting themselves against cyber threats; allowing organisations to demonstrate to customers and partners that cyber security is taken seriously.
Supported by industry as a whole, the certification aims to ensure that security controls are in place and working effectively ensuring risks are mitigated from online threats through the secure configuration of an organisation’s computing resources. For more information, please go to – https://www.cyberessentials.ncsc.gov.uk/