You have probably heard of the GDPR (General Data Protection Regulation), which came into effect in the spring of 2018. This is a European regulation designed to protect individuals' privacy, and will remain in force in the UK after we leave the EU. You can find out more about it from the UK Information Commissioner's Office here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
Under the GDPR, you are the 'Data Controller' - you decide what data to enter into CertSuite, and you control who gets to see that data. For example, you may enter the addresses of your clients and you will enter details about the condition of their electrical installations. This is personal information and you are obliged to treat it properly and carefully.
CertSuite is the 'Data Processor', and we are obliged to keep your data safe and secure, and we must not use it in ways that you would not expect or have not consented to, unless we have very good reason.
What information will CertSuite collect about me?
When you register an account in CertSuite, you need to provide a suitable email address that you own. This is so that we can contact you and provide you with important information and news about the CertSuite service. We verify that you own the email address during the registration process, so that we can be sure that you really are you.
You might choose to register other users within your CertSuite account and, although we ask you to provide an email address for each of these, we don't actually verify them. If they are not real addresses, those users may miss out on receiving important information about our service from time to time.
You have to enter a password when you register with CertSuite but, believe it or not, we do not store your password in our system. Instead we store a very complicated 'hash' of your password. The clever thing is that it's easy to turn a password into a hash, but it's impossible for us to turn the hash back into your password. Therefore we can test the password you provide each time you log on, by hashing it and comparing it to the hash we have stored for you, but we can never work out what your password actually is.
When you register, we ask you to enter your name, company name, phone number etc. We use your name and your company abbreviation in the service to make it more personal to you. Giving us your phone number is optional, but it helps us support you and welcome you on board if we have it.
As mentioned earlier, you are very likely to enter a significant amount of personal data about your clients into CertSuite. This will include their names and addresses, and many details about their electrical installation and its condition. CertSuite will never share this information with any third party. In fact, we will never look at this data or use it in any way other than to provide you with the service you expect, with two exceptions:
- If we have your explicit permission, we may look at some data that you have stored in CertSuite in order to investigate and resolve a problem that you are experiencing with the service
- If we are instructed to provide data to lawful authority under instruction from a court of law - though it's hard to imagine that such a case would ever arise.
Where does CertSuite store your data?
The CertSuite cloud service runs in Microsoft Azure, just like many thousands of other highly secure services.
All the data that you enter directly into CertSuite (your client addresses, job information, electrical installation details, electrical measurements and assessments, etc.) is stored securely in Microsoft Azure. In the CertSuite team, only the Chief Technical Officer can access this data, and she never does without good reason as described above.
When you log on, data is downloaded from the CertSuite cloud and is stored in your browser to allow you to work 'offline'. This data includes job details and your contacts and addresses.
All this data in Azure is encrypted and held within the UK.
You can read about Microsoft Azure's commitment to the GDPR here https://www.microsoft.com/en-us/TrustCenter/CloudServices/Azure/GDPR
Third Party Tools
Just like most other companies, Megger Ltd uses some third party tools to help us manage our communications with you, our customers.
- We use SAP as our CRM (Customer Relationship Manager). When you register with CertSuite, we enter your name, email address, phone number etc into SAP, and we record some details about every communication we have with you. We only use this data to help us provide you with the best service we can.
- Here is Megger Ltd's privacy statement https://uk.megger.com/privacy-policy
- We use HelpScout to help us manage any emails you send to email@example.com. Again we keep a record of each support incident, and we only use this information to help us deliver the best service we can, and to help us improve CertSuite in general.
- Here is HelpScout's privacy statement https://www.helpscout.net/company/legal/privacy/
- We use MailChimp to send out an email to many or all of you in one go. By necessity, we send MailChimp a list of email addresses to send to.
- Here is MailChimp's privacy statement https://mailchimp.com/legal/privacy/
Other than described above, we do not pass any of your details on to any other third party. We do not use any of your details for any purpose other than to deliver and improve CertSuite.
We do not handle any personal information concerned with payment such as credit card details, as that is all handled through a third party, currently PayPal.
Other GDPR Rights
The GDPR also gave you certain rights which we are obliged to deliver.
- You have the right to request to have all your data deleted from CertSuite. If you want to do this, please send us an email to firstname.lastname@example.org. We will delete your data from our system, provided this does not conflict with our other legal obligations. For example, we may be obliged to retain certain records for accountancy regulations.
- You have the right to extract your data in a standard, computer-readable form, so that you can then use it yourself in another service. You can already download all the details for each of your installation reports in JSON format. If you wish to find out more about this, send an email to email@example.com.
- You have the right to object to the processing of your data - though we really hope you won't need to - but if you do, send us an email to firstname.lastname@example.org. We hope we can resolve any issue amicably but, if we can't, you have the right to take your complaint to the Information Commissioner's Office.
We store some cookies in your browser to help deliver the service to you. For example, one cookie means that you don't have to keep logging back into the service every few minutes. Another cookie allows you to keep working in your browser even when you are not connected to the Internet.
The only other cookie we store in your browser is for Google Analytics.
None of these cookies store any personal data about you.
- We use Google Analytics to help us understand how our users are using our service. For example, it will help us identify parts of our service which are used most frequently and perhaps other areas which are hardly used at all. It will also tell us the most typical pattern of use of our service.
- This analysis is done on our user base as a whole and is used to identify trends across all our users. It is not used to investigate how you as an individual use our service.
- You can find out more about Google Analytics and their commitment to privacy here https://support.google.com/analytics/answer/6004245?hl=en
- You can also find out how to prevent tracking by Google Analytics here http://tools.google.com/dlpage/gaoptout