As of 25 May 2018, European data protection legislation will be updated for the first time in 20 years. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding their personal data and seeks to harmonize data protection laws across Europe, regardless of where that data is processed.
You can rest assured that One Beyond is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing stringent privacy and security protections that are built into our service and contracts.
What are your responsibilities as a data controller?
One Beyond customers will typically act as the ‘data controller’ for any personal data they provide to One Beyond in connection with their use of One Beyond’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. One Beyond is a ‘data processor’ and processes personal data on behalf of the data controller when the data controller uses One Beyond’s services.
Data controllers and data processors are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Their obligations arise from the data protection principles which require lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
If you are a data controller, you will find guidance on your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority. In the case of the UK, this is the Information Commissioner’s Office at ico.org.uk.
You should also seek independent legal advice on your status and obligations under the GDPR that is specifically tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, or should be used as a substitute for, such legal advice.
Where should you start?
Now is the time for you to begin preparing for the GDPR and we are here to help. Here are some considerations:
- Firstly, familiarize yourself with the provisions of the GDPR, especially the changes that it will make to your current data protection obligations.
- Consider creating an updated inventory of personal data that you handle. One Beyond can help identify and classify your data.
- Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending.
- Monitor updated regulatory guidance as it becomes available.
- Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.
Our commitments to the GDPR
Alongside other duties, data controllers are required to only use data processors that provide adequate guarantees as to appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of One Beyond:
- EXPERT KNOWLEDGE – One Beyond employs and works with security and privacy professionals to maintain its systems, develop security review processes, build security infrastructure, and implement security policies. Its teams engage with customers, industry stakeholders, and supervisory authorities to shape its services in a manner that helps customers meet their compliance needs.
- OUR POLICIES – One Beyond’s data processing agreements clearly articulate its privacy commitments to customers. The terms have been amended over the years to reflect feedback from customers and regulators. We plan on specifically updating our terms to reflect the GDPR, and will make these updates available in advance of the GDPR coming into force to facilitate our customers’ compliance assessment and GDPR readiness when using One Beyond’s services. The updated terms will take effect from 25 May 2018, when the GDPR comes into force.
- FUNCTIONALITY – We have verified that our hosting facilities have all of the necessary functionality for compliance with the GDPR – not least because they are based in the United Kingdom. In addition, the method we use for deletion and retention of data is acceptable under the GDPR. This verifies to our customers that they are using software that is going to keep them compliant when 25 May 2018 comes around.
- DATA PROCESSING – We promise to maintain a high level of security, and will ensure timely breach reporting to meet all GDPR expectations. To reflect this, we utilise a number of security features through our hosting partners, Rackspace and Azure, including WAF, IDS and log storage. Our security practices also include breach detection, timely notification and then recovery. We’ve purchased this protection on behalf of all of our customers. It’s incumbent upon each data controller to ensure that its data processors have the right infrastructure in place to process personal data.
- PROCESSING ACCORDING TO INSTRUCTIONS – Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions.
- EMPLOYEE CONFIDENTIALITY – All of One Beyond’s employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training.
- USE OF SUBPROCESSORS – One Beyond directly conducts all data processing activities required to provide its services other than storage. Its hosting partners, Rackspace and Azure, who store the data for us, hold all the necessary and expected security accreditations.
- DATA RETURN & DELETION – Where your app’s features do not include automatic deletion of data, One Beyond’s helpdesk will delete and/or export (return) data at any time during the term of our service agreement. One Beyond/Rackspace/Azure stores data backups for two weeks before the backups are replaced fully and any old data is removed.
- DATA CONTROLLERS – How One Beyond assists data controllers:
  - Data Subject’s Rights – One Beyond can provide an export of customer data, at any time during the term of the agreement.
  - Data Protection Officer – The One Beyond Data Protection Officer is Nick Thompson. Any questions can be directed to him regarding data protection concerns.
  - Incident Notifications – One Beyond will provide contractual commitments around incident notification. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.
  - Certifications – Our customers and regulators expect independent verification of security, privacy, and compliance controls. One Beyond carries current ISO 27001 and Cyber Essentials Plus certifications.
- STANDARDS & CERTIFICATIONS – Our customers and regulators expect independent verification of security, privacy, and compliance controls. One Beyond carries current ISO 27001 and Cyber Essentials Plus certifications. One Beyond has been independently audited, and meets the requirements for BS EN ISO 27001:2013 registration. The scope covers how we manage information security in providing services to our customers.