GDPR Q&A for Virtual Data Room Clients

This Q&A provides a quick overview of what Imprima is doing to help our clients comply with the General Data Protection Regulation (GDPR) in relation to client data held in our data room or otherwise processed on behalf of our clients.

NOTE: This is a confidential document prepared for Imprima’s clients only. You must not share it with any third parties, except with your advisors or other individuals approved by Imprima, provided they are subject to confidentiality. Its content is not exhaustive or complete. It is not intended as legal advice and it may not be relied on as such by any party.

How will Imprima ensure compliance with the General Data Protection Regulation by May 2018? With regard to the GDPR, our clients as data controllers engage the services of Imprima which acts on their behalf as a data processor. Imprima has a really strong security framework already in place and our priority has always been to assist our clients to comply with all data protection obligations. To this end, Imprima have:

  • Issued GDPR-compliant data processing terms to each client – This gives each client control over the processing of their data and confirms the client’s instruction to Imprima to process data in connection with our services
  • Updated our platform end user (click-through) agreement to give our clients more control over End User conduct
  • Issued GDPR-compliant data processing terms to our suppliers and contractors
  • Updated our website privacy notice

What personal data about clientsand on clients’ behalf, does Imprima handle? As a data processor acting on behalf of our clients we securely host the data uploaded to our data room. The data room content will vary depending on our clients and their business needs. We do not process special categories of personal data unless uploaded to the data room by our clients. For completeness, as a data controller we process the usual business details, such as names, roles, telephone numbers and email addresses, of our client contacts. In addition to client details we may also process details of client nominees, such as their advisors, bidders, investors or other relevant parties. This is only to the extent that these nominees are authorised by our clients to access parts of the data room. We hold information about user profiles set up by each end user. Dates of birth and other memorable information may be required purely for identity verification. A complete activity report of each end user is also kept.

Does Imprima transfer client personal data outside the EEA? No. All our servers are located within the EU (in Slough in the UK and in Frankfurt in Germany). However, authorised end users such as deal managers may access the data room from any location in the world. We will take steps to comply with international data transfer rules as may be required post-Brexit, as soon as the position is clarified.

How does Imprima process client personal data in connection with its services? Data room content is stored on our servers and processed solely to provide our services. Where clients provide content for us to upload on their behalf (e.g. on USB, hardrive, via FTP or hard copy documents for scanning) this is safeguarded by appropriate security measures such as CCTV. The content is not reviewed but the files are treated and optimised by specialist ISO27001 trained customer service & support representatives in our offices. They are then subsequently uploaded to our server using an SSL-encrypted secure dedicated fibrelink. Where clients use our self-service portal to upload content, we do not access the content. Our Technical Support teams have access the data room to assist with client or end user technical or file processing queries. As data controller we process contact details in our CRM and other systems for business purposes.

Does Imprima use client personal data for any other purposes? No. As a data controller we may use the contact details of our clients for marketing purposes, subject to prior consent or as otherwise permitted by law. Just like every business, we keep an anonymised record of service utilisation and business activity for trend analysis and business development purposes.

What documentation does Imprima have in place? We have a Data Privacy Policy accompanied with a full suite of GDPR documentation, including a Privacy Impact Assessment Procedure. On the client data side, we have a Client Data Policy, Security Policy, Access Control Policy, Purging Policy, Data Processing Terms, Records of Processing Activities and a Statement of Applicability setting out which ISO measures are in place.

Does Imprima employ a data protection officer? No, however, our Chief Executive Officer, Gary McKeown, and our Head of Technology, Tom Horsman, have responsibility for the implementation of our GDPR program.

Does Imprima engage any contractors or service providers who further process client data? Yes. We lease rack space from Equinix Limited, an ISO 27001 accredited company, to host Imprima-owned servers. Equinix provide space, cooling and power supply for our equipment, with no access to our servers or networking equipment. We will also be offering a Microsioft Azure cloud solution which is managed by DataPipe Limited, an ISO 27001 accredited company. Secure Data Recycling Limited securely dispose our confidential paper waste, hard drives and media. We employ a number of onsite contractors. All contractors are subject to our GDPR-compliant data processing terms.

What technical and administrative security measures are deployed to safeguard client data? We are fully accredited in ISO27001:2013 to cover all our people, processes, platform and datacentres. Our technical security measures include firewalls, least privilege user access control with user IDs and passwords with limited lifetime,  restricted remote access and multi-factor authentication for remote access, real-time protection anti-virus, anti-malware and anti-spyware software, compliance with hardware and software manufacturer instructions, data separation according to client and purpose where appropriate, regular software updates, secure wiping of decommissioned devices, encryption of portable data storage devices and encryption of personal data in transit with 256Bit AES encryption, intrusion detection and prevention systems, regular network penetration testing, logging and monitoring of user activity (without access to data room content), data backup with regular testing and disaster recovery procedures. Our administrative security measures include personnel vetting, prohibition of BYOD, least authority physical access control, non-disclosure agreements for personnel, and training of personnel on confidentiality.

Does Imprima vet personnel, and are personnel subject to confidentiality and data protection training? Yes. We carry out background checks on all new employees. All personnel execute confidentiality agreements and acknowledge adherence to acceptable use agreements, ISO awareness documentation and physical security documentation such as ISO Screen locking, Clean desk policy etc. Staff have clearly assigned responsibilities based on clearly defined job specifications.

Who has access to client personal data and why? How does Imprima ensure access control? Our Customer Service & Technical Support teams may have access to data room content where a client or end user has asked us to assist with technical or file processing queries. Our teams adhere to service level agreements in relation to our handling of queries (levels 1, 2 and 3). Access privileges are assigned according to job specifications on a need to know basis, as per our Access Control Policy. Access is monitored for suspicious activities, such as front door attacks. Each authorised representative must select a password with at least medium complexity. On the client side, end users designated by the client are assigned minimal access privileges by default. Further privileges are subject to the deal manager’s approval. If an end user becomes inactive for an extended period, the account is automatically blocked.

What records does Imprima keep about client personal data? All end user activity is logged e.g. lists with user privileges, record of who accessed the data, when, what changes were made, or what data was deleted. We maintain a Record of Processing Activities as a data processor. Deal managers can view activity reports.

How does Imprima ensure that all client data are erased or returned at the end of the service? As a general practice, all data room content is automatically deleted from our primary servers within 3 months of termination of services in accordance with our Purging Policy, unless otherwise required by law. We issue deletion certificates on request. We will return or destroy any DVDs and other media on request.

What procedure do you have in place to report personal data breaches to us without delay? As part of ISO27001:2013 we have a formal incident management process in place. An incident form is sent to our ISO inbox and then handled by our incident response team. Clients are informed according to our Service Level Agreement and Data Processing Terms. Each incident goes through the stages of notification, classification, mitigation and containment, breach notification, recovery, and dissemination.

How does Imprima deal with personal-data related requests from individuals? We would only very rarely receive such requests. All requests are handled in accordance with our Subject Access Request Policy. Any requests relating to client data are passed to the client without delay.

Imprima Group

April 2018