GDPR Commitment

The General Data Protection Regulation (GDPR) imposes more stringent rules on companies that offer goods and services to people in the European Union (EU), or that collect and analyze data relating to European residents. We believe that the GDPR is an important step forward in clarifying and protecting individual privacy rights. Open Minds High Availability Solutions (Open Minds) takes the protection and privacy of all data seriously.

We understand that you may have questions, and even some concerns, about how we handle your data and the impact of these significant ongoing regulatory changes. Therefore, we have prepared this document to address some of the key questions around how we have addressed our own GDPR compliance. We ensure that the protection of your client data is not compromised, and thus that we are fully compliant with our legal and regulatory responsibilities. We also continue to provide the highest standard of services to you, as our clients, globally.

We at Open Minds have taken all the necessary steps to ensure our compliance with the GDPR:

• We carried out a personal data audit to document our processing activities

• We carried out any applicable risk assessments and mitigations as required under the GDPR

• We updated existing and implemented new policies and procedures to comply with the enhanced and new rights and obligations

• We introduced new and improved training for our employees to ensure continued “good data handling”

• We audited our supply chain to ensure our suppliers are complying with the GDPR and are subject to compliant contract terms and conditions

• We kept a watching brief on, and implemented, best practice and regulatory guidance in the countries in which we carry on business

We will continue to maintain and improve these activities on an ongoing basis.

What personal data does Open Minds process?

What personal data Open Minds processes will depend on the products and services that you purchase from us. In most cases, Open Minds will process only very limited (non-sensitive) personal data of you as our client. For normal transactional business (being the provisioning and supply of standard third-party products and services), the data is likely to be limited to the contact details of client employees as necessary to receive, fulfil and deliver your order, and for normal account management and reporting purposes (where required).

If we provide you with consultancy, managed or other professional IT services, then the processing will be focused on the fulfilment of the services engagement. Ordinarily there will be a statement of work or similar document which details the specific services (which helps to explain the type of data processing activities required). Again, there will be the normal account management and possibly reporting services requested by you.

It is important to point out that Open Minds does not always have a link in the data processing chain in respect of all products and services purchased by you as our client. An example is where you purchase third-party Cloud or other standard services (e.g. software support and maintenance) which are performed by the third party under a direct agreement with you as client. In this instance, Open Minds only transacts the services, and would normally only process data as described under the normal transactional business paragraph above. Any data processed by the third-party service provider as part of the products or services will be subject to the terms agreed directly between yourself and the service provider, which are often contained in the End User License Agreement or similar terms. An exception may be where Open Minds has access to some personal data to provide direct services, in which case Open Minds would be processing only the data it has access to in order to perform those services.

© Open Minds 2019

Unless we agree otherwise directly with you, our privacy policy, available online (www.openminds.co.uk), details the way in which we handle and use your personal data. Our privacy policy also applies to how we use contact data for marketing. If your individual employees consent to receive direct marketing from us, they are free to change their preferences or opt out of receiving further marketing communications at any time. Our standard terms and conditions of business have also been updated to be compliant with the GDPR, pursuant to which we confirm our commitment to process client data in accordance with the GDPR.

A Global IT Organization – Data Residency

We recognize that the residency or location of personal data is important for many companies. There is a small minority of client personal data which is processed outside Europe. However, such data is mostly limited to reporting for global clients and is ordinarily restricted to the basic business contact information of those individuals involved in receiving our services. Any such processing is in line with any contractual arrangements we have with particular clients, and would be covered by the legal framework we have in place to effect such transfers. Insight maintains a dual framework for the legal transfer and processing of personal data outside of Europe.

Information Security

Information security is one of the most important elements of the GDPR. Open Minds recognises that ensuring the confidentiality, integrity and availability of information entrusted to Open Minds by its partners and clients is vital. Open Minds maintains a formal global Information Security program that implements standards and controls aligned with industry standards and best practices to facilitate the proper measures of protection across the organisation. The threat landscape changes frequently and continues to pose a risk to this type of information, and information protection and privacy laws around the globe continue to change. Open Minds therefore, as a standard practice, continually reviews, assesses and updates its security program and controls as necessary to meet these emerging threats and risks.

Open Minds' Information Security program ensures a standard of controls across all layers of the organisation to address risks at the staff, business process and technology levels, including, but not limited to, the following:

• Policies and Standards

• Third-party due diligence

• Employee training and awareness

• Business Continuity and Disaster Recovery

• Risk Management and Mitigation

• Data Breach/Incident Management

In Summary

Open Minds has conducted a detailed and comprehensive program of compliance with the enhanced requirements of the GDPR, and we are committed to processing your data in accordance with this high standard.