FastTrack360 Version 12 Online Help

How has FastTrack implemented its privacy practices?

  • Organisational commitment – As part of ISO27001 the business has to have a proven and implemented set of practices, standards and policies to protect data. FastTrack’s policies are known and approved by the management team and education is provided to all staff on an ongoing basis.

  • Appointing a data protection officer – FastTrack has a Data Protection Officer to manage privacy across all regions where our service is utilised.

  • Data protection framework, documentation, record keeping system and information security – FastTrack has implemented, adheres to and is certified to the practices of ISO27001 (Information Security Management Systems). This covers core aspects of GDPR and Privacy by Design:

    • Information classification and handling policy – Defining and classifying the data that is collected, managed and hosted. This classification is then used to assess risk, privacy and security controls.

    • Risk assessment – Based on the information classification (control A.8.2.1, Classification of information) and an assessment of all practices and policies, all risks must be documented and classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

    • Compliance – Under control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory and contractual requirements. Control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO27001 guides organisations through the implementation of a data policy and the protection of personally identifiable information.

    • Asset management – Control A.8 (Asset Management) covers infrastructure, system and data assets where personal data is involved: where it is stored, for how long, what its origin is, and who has access. This includes the segregation of data by region: all EU-based data is hosted in AWS UK, and APAC data is hosted in AWS Australia. Any data processing or support activity that requires access to such data is always carried out within the region of origin.

    • Privacy by design – Control A.14 (System acquisition, development and maintenance) ensures that information security is an integral part of information systems across the entire lifecycle. For clarity, this covers: hosting procurement and management, platform design and security, data protection (encryption in transit and at rest), environment provisioning, secure product development practices, internal testing, and independent vulnerability assessments.

    • Breach notification – Depending on the operating region and its governing regulations, any data breach must be notified to the appropriate data protection authorities; in the EU, for example, within 72 hours after a breach of personal data has been discovered. The implementation of ISO27001 control A.16.1 (Management of information security incidents and improvements) ensures a consistent and effective approach to the management of information security incidents, including communication on security events. Such requirements exist within each region FastTrack operates in.

    • Supplier relationships – Control A.15.1 (Information security in supplier relationships) requires the protection of the organisation’s assets that are accessible to suppliers. This must be formalised via contractual agreements.

    • Security measures – covering the areas listed below. All aspects of ISO27001 are independently audited to ensure FastTrack is complying with these practices.

      • Internal, third-party and mobile computing security policies

      • Access control and network security policies

      • Acceptable use policies, and ensuring all staff are educated in these policies

      • Platform patch management practices

      • Data update policy

  • Privacy training – All FastTrack employees must review and accept all policies on an annual basis.

Classification: Public