From 25th May 2018, the General Data Protection Regulation (GDPR) imposes legal obligations upon EU businesses who collect and process personal data, which is any information relating to an identifiable person. This policy sets out what data we collect, why we need it, how we protect it and your rights.
From time to time we may change this policy by updating this page. You should regularly check this page to ensure that you are happy with any changes.
what we collect
We may collect the following information:
- Your Name
- Your Postal address
- Your Email address
- Your Telephone number
what we do with the information we gather
For general enquiries:
- To be able to respond to your enquiry
- To administer your contract with us, including service delivery and invoicing
- To contact you directly to inform you of important services relating to your website and other services we provide
For website comments:
- To show your name alongside the comment on our blog comments system
who is responsible for this data?
The Data Controller is responsible for the way in which personal data is processed. For all enquiries to the Data Controller, please use the following details:
Data Controller: Laurence Cope
Address: Office 5, Rombourne Business Centre, Moy Road Industrial Estate, Moy Road, Taffs Well, Cardiff, CF15 7QR
Telephone: 029 2009 8313
how we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data. See our security policy tab for more information.
You have the right to request:
- information about how your personal data is processed
- a copy of that personal data
- that anything inaccurate in your personal data is corrected immediately
You can also:
- raise an objection about how your personal data is processed
- request that your personal data is erased if there is no longer a justification for it
- ask that the processing of your personal data is restricted in certain circumstances
If you have any of these requests, get in contact with our Data Protection Officer above, clearly stating what your request is for.
sharing your information
We will not share your information with any third parties for the purposes of direct marketing, nor for any reason unrelated to fulfilling the enquiry or contractual service we provide. If we need to share your data with third parties in order to deal with your enquiry or the service we provide, we will contact you for consent.
We will have contracts in place with any data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.
how long we keep your data
We will only retain your personal data for as long as:
- it is needed for the purposes set out in this document
- the law requires us to
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.
links to other websites
This site contains links to other websites.
contact us or make a complaint
You can contact us via the contact form on the home page or the details above.
You can make a complaint using our complaints process tab.
What Are Cookies
A cookie is a small file which is placed on your computer’s hard drive to help store your user preferences, login and session states, analyse web traffic or let you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Cookies Used On This Site
The following cookies may be set.
System specific: Visit this link for more information
Third Party Cookies
How To Disable Cookies
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
The information contained in this website is for general information purposes only. Although we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.
Through this website you are able to link to other websites which are not under our control. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
This website and its content is copyright the website owner. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:
- You may print or download to a local hard disk extracts for your personal and non-commercial use only
- You may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.
Fielder Digital takes security seriously which is why we have the following policy in place:
- We frequently update all our web hosting servers to use the latest software, which would include security and bug patch releases
- Serious security threats would be patched on the servers as soon as possible
- We have an industry leading firewall to protect the servers, which in particular:
  - Protects against DDoS attacks
  - Blocks vulnerable scripts in the CMS
  - Monitors suspicious activity (several password failures, for example) and blocks the offending IP addresses
  - Closes all ports except to approved IP addresses
- No public facing control panels
- Secure password policy: at least 8 characters of random uppercase and lowercase letters, numbers and symbols, including database passwords
- Virus and malicious file scanner continuously scanning the server for malicious files, with immediate quarantine
- Connection to servers from our approved IP addresses is via Secure Shell (SSH) only. We do not use insecure FTP, but secure SFTP.
- Secure password policy for logins
- Systems kept up to date where feasible*
- Reputable content management systems and plugins that have built-in security protection
- Hard to guess admin URLs
- SSL certificates as standard**
- We have strict guidelines, standards and a go live checklist we follow to build websites to a high standard and to ensure security is met
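The "monitor several password failures and block IP addresses" measure in the list above is the kind of check a host-based firewall or fail2ban-style tool performs. The following is an added illustration of that logic, written for this page and not Fielder Digital's own tooling: it parses a constructed sample of sshd-style authentication lines (not real server output), counts failed logins per source IP inside a sliding time window, exempts an approved-IP allowlist, and returns the IPs that should be blocked together with when each block expires. Thresholds, window length and ban duration are assumed values chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log sample for the example (not real server output).
# Lines are in chronological order, which the detector assumes.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:04 sshd[2102]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:06 sshd[2103]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:09 sshd[2104]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T10:00:15 sshd[2105]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
2024-03-01T10:01:00 sshd[2106]: Failed password for deploy from 198.51.100.20 port 40001 ssh2
2024-03-01T10:05:00 sshd[2111]: Failed password for root from 192.0.2.10 port 3000 ssh2
2024-03-01T10:05:01 sshd[2112]: Failed password for root from 192.0.2.10 port 3001 ssh2
2024-03-01T10:05:02 sshd[2113]: Failed password for root from 192.0.2.10 port 3002 ssh2
2024-03-01T10:05:03 sshd[2114]: Failed password for root from 192.0.2.10 port 3003 ssh2
2024-03-01T10:05:04 sshd[2115]: Failed password for root from 192.0.2.10 port 3004 ssh2
2024-03-01T10:20:00 sshd[2107]: Failed password for deploy from 198.51.100.20 port 40002 ssh2
2024-03-01T10:40:00 sshd[2108]: Failed password for deploy from 198.51.100.20 port 40003 ssh2
2024-03-01T11:00:00 sshd[2109]: Failed password for deploy from 198.51.100.20 port 40004 ssh2
2024-03-01T11:20:00 sshd[2110]: Failed password for deploy from 198.51.100.20 port 40005 ssh2
"""

# Matches only failed password attempts; "Accepted ..." and other lines are ignored.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, user, ip) for every failed-password line in the log text."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def find_bans(log_text, max_failures=5, window=timedelta(minutes=10),
              ban_time=timedelta(hours=1), allowlist=frozenset()):
    """Return {ip: ban_expiry} for each IP reaching max_failures within window.

    Assumed policy values: 5 failures in 10 minutes earns a 1-hour block.
    Addresses in allowlist (the approved IPs) are never blocked.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, _user, ip in parse_failed_logins(log_text):
        if ip in allowlist:
            continue
        if ip in bans and ts < bans[ip]:
            continue  # already blocked; nothing to count until the block expires
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the sliding window
        if len(q) >= max_failures:
            bans[ip] = ts + ban_time
            q.clear()
    return bans


def ban_report(log_text, allowlist=frozenset()):
    """Sorted list of (ip, expiry-as-ISO-string) suitable for feeding a firewall rule generator."""
    bans = find_bans(log_text, allowlist=allowlist)
    return sorted((ip, until.isoformat()) for ip, until in bans.items())


if __name__ == "__main__":
    # 192.0.2.10 plays the role of an approved office address here (constructed value).
    for ip, until in ban_report(SAMPLE_LOG, allowlist=frozenset({"192.0.2.10"})):
        print(f"block {ip} until {until}")
```

In the sample, 203.0.113.7 racks up five failures in eight seconds and is blocked; 198.51.100.20 also fails five times, but spread twenty minutes apart, so the window never holds more than one and it is left alone, which is the behaviour that keeps a legitimate user who occasionally mistypes a password from being locked out. The allowlisted address is skipped entirely, matching the "closed except to approved IP addresses" rule above.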
WordPress in particular additionally has:
- Security and firewall plugins to monitor and protect it from malicious access
- A virus and malicious file scanner continuously scanning the server for malicious files, with immediate quarantine
- Automatic and frequent updates to WordPress core, themes and plugins
- XML-RPC and the JSON API disabled
- Only reputable themes and plugins are used, with high ratings and frequent updates.
- We try our best NOT to use WordPress themes that are abundantly available online, due to security, bug and usage issues. ***
- Further information about WordPress security can be found here
- All our eCommerce websites do NOT store credit card information. We use third party gateways to process the payments (e.g. Stripe or Paypal)
- Where possible we encourage customers to use offsite payment processing, where the user is directed to the payment gateway site for payment, or to use Stripe, so card data never passes through our system (some eCommerce websites do process card data via the payment gateway plugins and so could technically be hijacked if malicious users gain access; the security policy above aims to prevent this access).
And of course, expert developers on hand to deal with any issues that do arise.
* Some older systems are not easily upgradeable and require rebuilds at cost, so it would be the responsibility of the customer to instigate this. Newer systems such as WordPress are auto-updated.
** SSL certificates as standard has only been our practice since 2017, so older websites may not have them unless requested.
*** Except DIVI, which is technically a theme, but unlike any other!
- Employees are required to surrender any company data they may have upon leaving employment and sign a form to state they have done so
- Passwords are then changed and any access to systems they may have are revoked
- We operate a separate email server from our web servers, which allows us to be more selective about the software running on each and reduces the chance of malicious emails being stored on web servers
- Secure password policy for email accounts
- Firewall protection as above, with IP banning after several incorrect login attempts
- Secure mail server via SSL
As a team, we do need to share passwords and other sensitive data. So we use a leading secure password and note management system to store and share passwords and notes with sensitive data within the team. The password manager uses industry standard encryption to encrypt data, and requires several authentication levels to access it.
It is rare that we store sensitive data on paper, but if we do then it is temporary and will be shredded afterwards. We normally transfer paper-based information to digital storage.
Mobile devices such as laptops and mobile phones that may have access to sensitive data (e.g. in an email) are protected by password, PIN or fingerprint access that only the owner knows.
- Our office is in a shared business centre protected first by a passcode/card entry door, and then our own office door.
- CCTV exists on the premises
- The office door is locked when no one is present
- Out of general office hours the main front door is locked and the building protected by an alarm
data breach process
If in the unfortunate event we do have a data breach, we have a data breach process in place here
Data Centre Security
- Controlled access – access cards, biometrics and visual identification
- 24/7/365 manned security
- High security standards – ISO27001:2005 Security Management standard
- Audited by the government's Centre for the Protection of National Infrastructure
Data Breach Policy
purpose and scope
This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.
This policy relates to all personal and special categories (sensitive) data held by Amity Web Solutions regardless of format.
This policy applies to all staff at Amity Web Solutions. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of Amity Web Solutions.
The objective of this policy is to have a formal process in place to help contain any breaches, to help minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
definitions / types of breach
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
An incident includes but is not restricted to:
- Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record
- Theft or failure of equipment on which personal data is stored
- Unauthorised use of or access to personal data
- Attempts to gain unauthorised access to personal data
- Unauthorised disclosure of personal data
- Website defacement
- Hacking attack
reporting an incident
- Date and time of discovery of breach
- Details of person who discovered the breach
- The nature of the personal data involved
- How many individuals’ data is affected
- The report must include:
  - who is reporting it
  - details of the incident
  - when the breach occurred (dates and times)
  - whether the data relates to people and how many individuals are involved
  - the nature of the information
The forms are located at the bottom of this document.
containment and recovery
The DPO will first determine if the breach is still occurring and take the appropriate steps to minimise the effect of the breach.
An initial assessment will be made by the DPO with relevant staff members to establish the severity of the breach.
The DPO will determine the suitable course of action to be taken to ensure a resolution to the incident.
investigation and risk assessment
An investigation will be carried out without delay and, where possible, within 24 hours of the breach being discovered. The DPO will assess the risks associated with the breach, the potential consequences for the data subjects, how serious and substantial those are and how likely they are to occur.
The investigation will take into account the following:
- The type of data involved and its sensitivity
- The protections in place (e.g. encryption)
- What has happened to the data
- Whether the data could be put to illegal or inappropriate use
- Who the data subjects are, how many are involved, and the potential effects on them
- Any wider consequences
If the breach is likely to adversely affect the personal data or privacy of our customers or customers’ customers, we will notify our customers of the breach without unnecessary delay. We will tell them:
- Our name and contact details;
- the estimated date of the breach;
- a summary of the incident;
- the nature and content of the personal data;
- the likely effect on the individual;
- any measures we have taken to address the breach; and
- how they can mitigate any possible adverse impact.
We do not need to notify customers about a breach if we can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
We will notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification will include at least:
- Our name and contact details;
- the date and time of the breach (or an estimate);
- the date and time we detected it;
- basic information about the type of breach; and
- basic information about the personal data concerned.
- We will report a breach using the ICO breach notification form https://report.ico.org.uk/security-breach/
- If possible, we will also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about our notification to customers. If these details are not yet available, we will provide them as soon as possible.
We will submit a second notification form to the ICO within three days, either including these details or telling them how long it will take to get them.
evaluation and response
Once the incident is contained, the DPO will carry out a full review of the causes of the breach and the effectiveness of the response(s), and instigate corrective action to systems, procedures and controls to minimise the risk of similar incidents occurring.
data breach reporting forms
- Data Breach Form 1: Personal details and information on the affected company (not to be shared with third parties)
- Data Breach Form 2: Details on the data breach incident as per the indications in Article 33 of the GDPR, to be sent to the national supervisory authority, where feasible, no later than 72 hours after having become aware of the breach
- Data Breach Form 3: A section to be completed following the 72-hour period when more information is available on the data breach, which includes complementary data sets to gain more in-depth knowledge of the nature of the breach