
© 2018 Radius | +1-888-881-6576 | www.radiusworldwide.com

Having a robust approach to data privacy has been a longstanding capability of our business both in terms of advising clients on their data responsibilities and protecting the data we process for our clients.

We have an acute sense of responsibility for the data we hold, arising from our appreciation of the pivotal role played by a data processor. A data controller’s ability to meet their statutory duties is ultimately dependent on the data protection capabilities of their data processors.

As a global business we have extensive knowledge of the regulatory landscape we operate in and deploy a global standard to our data processing. We meet the requirements of the strictest countries and exceed the requirements of the rest.

This is reflected in our ability to uphold the standards required by the EU General Data Protection Regulation (GDPR), the new global benchmark for personal data processing that comes into force May 25, 2018. For the last two years Radius has been continually improving our policies and practices to ensure we meet GDPR requirements ahead of the deadline.

This statement describes our approach to ensuring your personal data is safely processed.

Our Data Privacy Focus

CONTROLS

We continually invest in the advancement of organizational and technical controls that can meet the processing principles of the GDPR so that data is only ever processed:

› Lawfully, fairly and in a transparent manner

› For a specified, explicit and legitimate purpose

› In a way that ensures it is adequate, relevant and limited to the purpose for which it was collected

› In a way that ensures it is accurate and kept up-to-date

› For as long as it is required and no longer

› In a manner that ensures the appropriate level of security for the type of data, so that it is protected against unauthorized or unlawful processing and against accidental loss, destruction or damage

Our controls are wide-ranging and always under review. Some of our most critical controls are detailed on the following page.

Data Privacy | Radius’ Compliance With GDPR


ORGANIZATIONAL CONTROLS

a. Accountability: Radius’ data protection officer (DPO) is accountable for the design, development, adherence, review and continual improvement of policies, systems and controls.

b. Policy: All Radius employees are required to abide by the organization’s information security policies, including its code of conduct, communication policy and data protection policy.

c. Asset Management: All equipment is inventoried, coded and registered against users. Only company-registered hardware can access company infrastructure.

d. Training: All Radius employees are required to complete training on data protection, anti-money laundering, anti-bribery and anti-corruption upon joining and on an annual basis thereafter.

e. Audit Controls: Radius’ processes and procedures are continuously audited specifically against data protection criteria by the company’s internal audit department and independent third-party auditors as part of our SSAE18 accreditation.

f. Process Controls: Stringent process controls are in place to provide assurance over the system’s availability, processing integrity, confidentiality and data security.

g. Paper/Work Station Controls: Paper records are to be held on an “exceptions” basis only and filed in locked storage for no longer than is required. Paper records are shredded when no longer required.

h. Incident Management: Incident response procedures are in place and communicated to all stakeholders. These procedures are periodically tested for effectiveness and updated accordingly to maintain relevance.

i. Change Management: A well-documented change management process is in place. Changes are only carried out in the IT infrastructure after approval from the relevant change approval board (CAB).

j. Data Management Controls: Data classification and handling procedures are in place to ensure that appropriate security mechanisms are deployed at all stages of the data lifecycle (generation, transmission, processing, storage, use, retention, disposal, etc.)

k. Communication: Radius’ data protection and communication policies mandate need-based, least-privilege access and secure transmission of information.

l. Third Party Controls: Sharing of information with third parties is avoided to the extent possible. In case of unavoidable circumstances, only relevant information is transferred to the approved third party after due execution of a non-disclosure agreement and/or standard processing agreement.

m. Contingency Control: Up-to-date operational procedures are in place to account for disruptions such as fire, vandalism, system failure, crises, natural disaster, sabotage, etc.

n. Backup & Restore: Data backups are performed daily and an encrypted copy of the data backup is sent to a secure offsite location for safekeeping. Test restoration of backup data is carried out regularly to ensure readability.

TECHNICAL CONTROLS

a. Accountability: The chief information officer (CIO) is accountable for the adequacy, maintenance and upgrading of technical controls.

b. Physical/Environmental Controls: Physical access to office premises is controlled through authorized radio frequency identification (RFID). Server room access is restricted to select IT personnel. Controls are implemented to monitor and maintain temperature and humidity. Adequate power backup is available at all times.

c. Technical Access Control: Principle of least privilege is followed while granting need-based access to information-processing facilities and IT infrastructure. Strong password policy specifying minimum length and complexity with mandatory periodic change of password is in place.

d. Security Infrastructure: The company has the following security systems in place.

i. Firewall: Industry-standard, high availability tier-one firewalls are deployed at all sites, and we regularly perform penetration testing.

ii. Malware: Industry-standard, tier-one centrally managed anti-virus software is deployed across all end points globally. Employees are required to take necessary precautions to guard against viruses etc. per company policy.

iii. Insider Threat: Industry standard end-point security solutions are implemented to restrict the use of portable storage devices, prohibit the use of cloud-based file sharing services and ensure that adequate web filters are in place.

iv. Remote Access: Industry standard authentication is applied to encrypted VPN.

v. Monitoring: Internal IT department routinely monitors all core equipment. Automated tools are deployed to monitor the internal and external security of Radius’ infrastructure.

vi. Mobile devices: All company mobile devices are encrypted and centrally managed. All laptops have full industry standard end-point hard-disk encryption.

vii. Physical: Company servers are located in secure, climate controlled data centers with fire suppression. Access control systems ensure that only authorized personnel have server access. All critical systems are power protected with generators and UPS systems.

viii. Disaster Recovery: Onsite and offsite disaster recovery facilities are maintained to ensure business continuity.

e. Backup & Restore Procedures: Data is backed up onto electronic tapes and stored securely in accordance with company operating procedures and is subject to annual SSAE18 audit testing.

f. Secure Disposal/Redeployment: Data is securely disposed of when no longer required. The hardcopies are shredded under supervision and the electronic storage media is degaussed (shredded) to ensure safe disposal of data. Data that is not relevant to the next user is permanently removed when equipment is redeployed.

g. User Responsibilities: Users are bound by the company’s information security policies pertaining to data protection, encryption, communication, etc.

h. Electronic Transfer Controls: Appropriate controls (SSL and TLS) are implemented to ensure adequate security of data that is transferred electronically.

i. Testing: Internal technical vulnerability assessments are performed regularly. The controls are periodically assessed by an independent third party for adequacy and effectiveness. The threats and risks identified are addressed in a timely manner to strengthen security.

j. Change Management Procedures: Changes, including application of patches, are carried out in accordance with Radius’ change management policy and procedures. Initially, a change request having adequate details, including roll-back procedures, is logged in the system for approval of the CAB.


INTERNATIONAL TRANSFERS

As a global business we understand the additional nuances of cross-border data transfers. When data is transferred across borders additional restrictions apply; restrictions are particularly numerous when EU personal data is involved.

There are a number of additional measures that can be taken to ensure the legal transfer of personal data from the EU/EEA to a non-EU/EEA country. Radius continually evaluates and applies the best option for our business and our clients. This includes Radius’ membership in the EU-US Privacy Shield Scheme for US-bound transfers and the use of EU standard contractual clauses for transfers to other international locations.

THIRD-PARTY ASSURANCE

All organizations use third parties to assist with their business processing, however not all organizations manage these relationships with data protection in mind. Radius considers all third-party activities as an extension of our own business. To ensure the same data privacy standards are applied to all transactions, we operate a structured assurance process for the procurement and engagement of our partners and ensure each one signs and is committed to the terms of a data processing agreement which upholds the standards of the GDPR. You can view a list of our current third-party partners on our OverseasConnect platform.

AWARENESS

Radius has a specialist team of data privacy and cybersecurity experts tracking and reacting to the latest threats and regulatory developments. In addition to professional formal training, our global workforce receives regular updates on the latest developments from our experts.

Through the adoption of “privacy by design” initiatives, data protection is an increasing part of our employees’ working life. All employees are required to consider data privacy when adopting a new process or making a change to an existing process. Through our programs, data privacy has become an instinctive consideration across our organization.

COMPLIANCE

We operate an active governance program to monitor, test and react to vulnerabilities. This end-to-end process is owned by our information security group, working in partnership with our data protection officer and our internal compliance team. The process incorporates regular penetration and vulnerability testing of our networks, combined with periodic assessments of our operating processes and controls. In addition to our internal accreditation framework, our key data protection controls are subject to quarterly testing by an independent third party as part of our SSAE18 SOC1 and SOC2 attestations.

This statement provides insight into our data protection strategies and assurance that Radius is GDPR compliant.

Radius is committed to being at the forefront of privacy design and will continue to adapt our procedures to best meet the most stringent privacy standards and protect the data we hold. If you would like more information on our data security standards please email me at [email protected].

Jamie Paddon
Data Protection Officer
Radius
