Data protection best practices

As a business, you have a legal responsibility to protect any personal data that you store and to have the relevant data protection measures in place. Especially now that the UK has left the EU, new data regulations are in place for UK companies providing software services to mainland Europe. Data breaches are a very real threat, a breach can result in significant fines, compensation settlements and reputational damage, so it is an area that you have to prioritise.

Data breaches can be a result of a wide range of causes, from hacking to human error and it is important to have the highest level of data security processes and frameworks set up. With Data Privacy Day taking place on 28 January, it is a very relevant time to focus more on data protection and share some best practices.

At Bellrock, we are data protection experts and we help our clients to develop processes and implement technology solutions that ensure the highest standard of data protection. We also have a very robust data protection framework across our business to keep our clients’ data secure.

These are some of key the measures we have in place, that should also help you to understand which measures to implement in your company:

 

UK Data Centres

All data is processed using Bellrock’s proprietary software platform Concerto, which is hosted in UK data centres. This means that the data centres meet the required security levels stipulated by the Data Protection Act and General Data Protection Regulation, while offshore data centres may not have the same level of regulation and therefore are often less secure.

The Concerto application is hosted by pedigree, co-location data centres in Micorsoft Azure (UK-West and UK-South) and Bellrock has complete control over where the data is stored and processed.

 

Brexit

The UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. As Bellrock have always stored data within our data centres in the UK, we continue to comply with UK GDPR.

You might want to check if some of your users access your platform from outside of the UK. In that case your IT team might also wish to restrict access to your web servers so they can only be accessed within the UK.

 

SSL Certificates

All web traffic is protected using the following SSL certificates: TLS 1.2, RSA, and AES_128_CBC with HMAC-SHA1. 

Traffic between the servers (I.E web and DB server) within the infrastructure use specific v-nets for the traffic and it can only be carried out using local IP addresses, this does not go over external IP’s. 

 

Data Encryption

Bellrock only use strong cryptographic algorithms such as AES 256 bit for symmetric encryption, RSA 2048 bit for asymmetric encryption and digital signatures, and SHA-256 for hash functions. 

 

Anti-malware Software

We use industry leading malware software to provide anti-malware software across all of our assets to protect data from malware attacks.

 

Backup Solutions

All virtual servers and backup appliances are replicated across two sites to ensure information and IT systems remain available in the event one site goes down. 

 

24 Hour Monitoring

All servers and services are monitored by PRTG network monitoring tool and all servers and web applications are subjected to a weekly vulnerability scan and annual penetration test. 

In addition to these measures, our staff complete regular data protection training and as a business, we hold the following certifications:

Certification  Cert No.  
ISO 27001  IS 598434 
Cyber Essentials  7305204753750848 

Only the essential database administrators are granted access, after having been stringently vetted. These limited people hold relevant security clearance status (DBS, CTC, SC). All policies and procedures adhere to the ISO 27001 standard. 

 

Data processor / data controller agreement

As part of our commercial and contractual agreements, all customers must complete a written data processor / data controller agreement before we can process any customer data. This agreement will include all data retention periods, data classification and how data will be managed throughout the duration of the project and when data is handed back to the customer. 

 

Our Team

In order to meet our requirements as a Data Processor, we employ a team of individuals who ensure that our products, technology, processes and people are compliant with current Data Protection laws in the U.K. and Europe. All team members within the business must complete an annual data protection training course as well as any new starters to the business. 

 

Bellrock welcomes GDPR as an opportunity to continue to build a stronger data protection foundation for the benefit of its customers and employees. Data privacy is an important human right, and in this data-driven world, more than ever, data protection is something that all companies should be paying closer attention to. We always provide complete transparency and promote our information security practices and credentials to build client confidence in this area.