Lolagrove Security Questionnaire

We are undertaking a company-wide GDPR programme which includes updating privacy policies, terms and conditions, employee training (including putting a team member through a GDPR training course to become a Certified GDPR Practitioner), reviews of all supplier relationships, data minimisation and classification and data retention policies across the business.

Yes, it does: it has a team with various responsibilities towards security, a full-time Project Lead in the field of information security and compliance, and a DPO.

All staff undergo data protection training when they first start, and then undergo further training as they remain with the business. The training covers company policies, data privacy law and best practice.

They are currently under review; however, they cover the following areas: risk assessment, management responsibility, traceability and responsibility, acceptable use, passwords, access control, virus prevention, internet and network security, system and server security, backups, data storage, elimination, outsourcing, data transfers, endpoint, incident reporting, test data and vulnerability alerts.

We will be storing data for as long as the data owner specifies. As previously stated, data uploaded for suppression purposes is not permanently stored anywhere; it is processed and output before being deleted.

This is not applicable to Lolagrove, as we are acting as a data processor for The Economist and its Publishers; Lolagrove is not a data controller.

When data is stored, it is encrypted at rest within an ISO 27001 environment. As previously mentioned, data uploaded for Suppression purposes is not permanently stored.

We have not undertaken a penetration test; however, they are scanned for vulnerabilities on a daily basis and continually scanned for abnormalities. If a vulnerability or abnormality is detected, a procedure of escalation is followed to identify, resolve and mitigate any risk.

Access is forbidden, and granted only on a least-privilege basis.

Rackspace Data Center, Hayes

Only Rackspace EMEA Data Centre employees are allowed access to the server floor.

We follow ICO procedure for reporting data leaks, and if a leak included any client data we would contact the client directly by phone and email to report the incident.

It would depend on the security violation: if it were an employee security violation we would follow the Disciplinary Policy (attached); if it were a technical security issue we would follow the System Vulnerability/Alert Management policy. In any eventuality, the risk to client data is immediately assessed and remedied according to the level of severity, which is determined by key personnel and the CEO.

We do not understand this question. Can you provide more information about what you mean? For instance, can you give an example of data stored without an identifier, and explain what you mean by “discover and identify”?

If a Data Owner wished us to delete data from Suppression, they would need to provide the file of records and follow the Data Destruction procedure (attached). As previously mentioned, data uploaded for Suppression is not permanently stored anywhere.

Rackspace Limited stores the data. No other third parties have access to the data.