
GDPR Compliance

Overview

MDHosting Ltd processes personal data as a data controller and processor for web hosting services. This document outlines our compliance with the UK General Data Protection Regulation (UK GDPR) and provides procedures for maintaining ongoing compliance.

Regulatory Framework:

  • UK GDPR (retained EU law post-Brexit)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

Supervisory Authority: Information Commissioner's Office (ICO)
ICO Registration: ZB044018
Company Number: 09796097 (incorporated 25 September 2015)

German Server Location

All client data is hosted on servers located in Germany (Hetzner datacentres), providing strong EU data protection under both UK GDPR and EU GDPR frameworks.

Data Protection Officer

DPO Appointment Status

MDHosting Ltd has not appointed a Data Protection Officer (DPO). This decision is compliant with UK GDPR, which does not mandate DPO appointment for all organisations.

Under UK GDPR Article 37, DPO appointment is mandatory only when:

  1. Public Authority: The controller or processor is a public authority or body (except courts acting in judicial capacity)
  2. Core Activities: The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
  3. Special Category Data: The core activities consist of large-scale processing of special categories of data (Article 9) or criminal conviction data (Article 10)

Why MDHosting Does Not Require a DPO

Organisational Size:

  • Small hosting provider (under 250 employees)
  • Limited scope of processing operations
  • Not a large-scale processor by GDPR definitions

Processing Activities:

  • Standard web hosting services (not special category data)
  • No systematic monitoring beyond security logging
  • No profiling or automated decision-making
  • Processing proportionate to business size

Data Categories:

  • Client account data only (name, email, billing details)
  • No processing of special category data:
    • No health data
    • No biometric data
    • No political opinions, religious beliefs, or trade union membership
    • No criminal convictions data

Scale Assessment:

  • Approximately 30 active hosting accounts
  • Not considered "large scale" under UK GDPR
  • ICO guidance suggests large scale involves thousands of individuals or significant geographical reach

Data Protection Responsibility

Although no formal DPO is appointed, data protection responsibilities are assigned as follows:

Data Protection Lead: Matthew Dinsdale (Director)
Contact: admin@mdhosting.co.uk
Responsibilities:

  • Oversee GDPR compliance programme
  • Handle data subject rights requests
  • Liaise with ICO if required
  • Approve changes to data processing activities
  • Maintain data protection policies and procedures
  • Conduct annual compliance reviews

ICO Contact

For formal regulatory matters, data subjects and clients can contact the Information Commissioner's Office:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 0303 123 1113
Website: https://ico.org.uk/

Future Considerations

MDHosting will reconsider DPO appointment if:

  • Business expands to process significantly more accounts (>1,000 active clients)
  • New services involve special category data processing
  • Core activities expand to include systematic monitoring or profiling
  • Regulatory guidance or legal requirements change
  • ICO recommends appointment following audit or assessment

DPO appointment status is reviewed annually as part of the compliance monitoring programme.

Data Protection Principles

MDHosting Ltd adheres to the seven data protection principles:

  1. Lawfulness, Fairness and Transparency - Process data lawfully with clear privacy notices
  2. Purpose Limitation - Collect data only for specified, explicit purposes
  3. Data Minimisation - Collect only data that is necessary
  4. Accuracy - Keep data accurate and up to date
  5. Storage Limitation - Retain data only as long as necessary
  6. Integrity and Confidentiality - Secure data with appropriate measures
  7. Accountability - Demonstrate compliance with all principles

Data Controller Activities

MDHosting Ltd processes personal data under the following legal bases:

  1. Contract Performance (Article 6(1)(b))
    • Processing necessary to provide hosting services
    • Account setup and management
    • Technical support delivery
    • Billing and payment processing

  2. Legitimate Interests (Article 6(1)(f))
    • Server security monitoring and logging
    • Fraud prevention and detection
    • Network performance optimisation
    • System administration and maintenance

  3. Legal Obligation (Article 6(1)(c))
    • Compliance with tax and accounting requirements
    • Response to valid legal requests
    • Retention of business records

  4. Consent (Article 6(1)(a))
    • Marketing communications (opt-in required)
    • Optional service features
    • Testimonials and case studies

Data Processor Activities

When acting as a data processor for client websites:

  • Processing instructions defined in hosting agreements
  • Client retains data controller responsibilities
  • MDHosting provides technical and organisational measures
  • Data processing agreements (DPAs) in place with clients

When MDHosting processes personal data on the basis of consent (Article 6(1)(a)), we ensure consent is freely given, specific, informed, and unambiguous. This section details our procedures for obtaining, recording, and managing consent.

Consent is used as the legal basis for:

Marketing Communications:

  • Email newsletters and product updates
  • Service announcements (optional communications beyond essential service emails)
  • Promotional offers and special deals
  • Event invitations and webinars

Optional Features:

  • Beta programme participation
  • User experience research and surveys
  • Analytics beyond essential service metrics
  • Third-party integrations that share data

Public Use of Information:

  • Testimonials and case studies
  • Use of company name in client lists
  • Before-and-after examples of work
  • Public references or recommendations

Not Based on Consent:

  • Essential service provision (contract basis)
  • Security monitoring (legitimate interests)
  • Billing and invoicing (contract basis)
  • Legal compliance (legal obligation basis)

Consent Request Requirements:

  1. Clear and Plain Language
    • Avoid legal jargon and technical terminology
    • Use short, simple sentences
    • Explain what will happen in practical terms
    • Written in British English appropriate for general audience

  2. Granular Consent
    • Separate consent for different purposes
    • Individual opt-in for each type of marketing
    • No pre-ticked boxes or assumed consent
    • Each consent stands alone (unbundled)

  3. Freely Given
    • Consent not a condition of service (unless genuinely necessary)
    • No detriment for refusing consent
    • Easy to refuse without penalty
    • Service provided regardless of marketing consent

  4. Affirmative Action Required
    • Active opt-in via checkbox or button
    • No pre-selected options
    • No implied consent from silence or inactivity
    • Clear statement of agreement

Consent Mechanisms:

Website Signup Forms:

  • Separate checkbox for marketing emails (unchecked by default)
  • Clear label: "I would like to receive news and offers from MDHosting by email"
  • Link to privacy notice immediately visible
  • Optional field, not required to complete registration

Client Portal:

  • Preferences section for consent management
  • Toggle switches for each consent type
  • Immediate effect when changed
  • Confirmation message displayed

Email Requests:

  • Explicit request with clear yes/no options
  • Link to online consent form
  • Reply confirmation required
  • Record stored in consent database

Phone Requests:

  • Verbal consent recorded and confirmed in writing
  • Follow-up email with consent details
  • Opt-in link sent for written confirmation
  • Not relied upon until written confirmation received

For each consent given, MDHosting records:

Consent Record Contents:

  1. Data Subject Identification
    • Name and email address
    • Client account ID (if applicable)
    • Unique consent reference number

  2. Consent Details
    • Date and time consent given (timestamp)
    • Specific purpose consented to
    • Exact wording of consent request shown
    • Version of privacy notice in effect

  3. Consent Source
    • How consent was obtained (web form, email, portal, phone)
    • IP address of consent submission (web)
    • User agent and device information (web)
    • Staff member who recorded consent (phone/email)

  4. Consent Status
    • Active or withdrawn
    • Withdrawal date and time (if applicable)
    • Reason for withdrawal (if provided)
    • Renewal date (if consent refreshed)

Storage and Format:

  • Consent records stored in secure database (not publicly accessible)
  • Encrypted at rest and in transit
  • Access restricted to authorised staff only
  • Audit trail of all consent record changes
  • Regular backups per retention policy
  • Segregated from other data for easy retrieval

Audit Trail:

All changes to consent records are logged with:

  • Timestamp of change
  • User who made change
  • Previous and new values
  • Reason for change (if manual update)
  • IP address of change request

Data subjects have the right to withdraw consent at any time, as easily as consent was given.

Withdrawal Methods:

  1. Unsubscribe Links
    • Every marketing email contains unsubscribe link
    • One-click unsubscribe (no login required)
    • Immediate processing (within 24 hours)
    • Confirmation page displayed
    • Confirmation email sent

  2. Client Portal
    • Login to portal preferences
    • Toggle off consent switches
    • Immediate effect
    • Confirmation message shown

  3. Email Request
    • Email to admin@mdhosting.co.uk
    • Subject: "Withdraw Consent" or "Unsubscribe"
    • Processed within 48 hours
    • Confirmation sent when complete

  4. Written Request
    • Post to registered office address
    • Processed within 5 business days
    • Written confirmation sent

Withdrawal Processing:

  1. Immediate Actions
    • Flag consent as withdrawn in database
    • Add to suppression list for relevant processing
    • Record timestamp and method of withdrawal
    • Stop processing within 24 hours (email within 48 hours)

  2. Notification
    • Send confirmation to data subject
    • Explain what has stopped
    • Clarify what continues (essential service emails)
    • Inform of right to complain to ICO

  3. Impact Communication
    • Withdrawal does not affect:
      - Existing contract obligations
      - Past processing that was lawful
      - Other legal bases (contract, legitimate interests)
      - Essential service communications
    • May affect:
      - Access to optional features requiring consent
      - Participation in beta programmes
      - Receipt of service improvement communications

  4. Retention
    • Withdrawn consent records retained for 6 months
    • Necessary to prevent re-contacting
    • Suppression list maintained indefinitely
    • Demonstrates compliance with withdrawal request

Under Privacy and Electronic Communications Regulations (PECR), electronic marketing requires specific consent.

Email Marketing:

New Clients (No Prior Relationship):

  • Explicit opt-in required before any marketing
  • Cannot send marketing without clear consent
  • Cannot use pre-ticked boxes
  • Must identify clearly as marketing

Existing Clients (Soft Opt-in):

  • May send marketing about similar products/services
  • Only if client details obtained during sale/negotiation
  • Client must be given clear opt-out at collection
  • Every message must include unsubscribe option
  • Opt-out must be honoured immediately

Business-to-Business vs. Consumer:

  • Individual email addresses require consent (B2C rules)
  • Generic corporate emails (@company.com) may be less restricted
  • When in doubt, apply B2C rules
  • Named individuals at businesses treated as consumers

Unsubscribe Requirements:

  • Present in every marketing email
  • Simple and straightforward process
  • Free of charge
  • No login or authentication required
  • Processed within 24 hours

Suppression List Management:

  • All unsubscribe requests added to suppression list
  • Checked before every email send
  • Retained permanently
  • Prevents accidental re-contact
  • Shared with email service providers

Third-Party Marketing:

  • MDHosting does not share data with third parties for their marketing
  • No consent requests for third-party marketing
  • Client data not sold or rented
  • Sub-processors may not use data for their own marketing

Consent does not expire automatically, but MDHosting implements consent refresh to ensure ongoing validity.

Refresh Triggers:

  1. Time-Based Refresh (2 years)
    • Marketing consent refreshed every 2 years
    • Email sent requesting consent renewal
    • If no response, cease marketing after 30 days
    • Move to suppression list if no renewal

  2. Material Changes
    • Significant changes to processing purposes
    • New data sharing arrangements
    • Changes to sub-processors
    • Privacy notice material updates

  3. Inactivity
    • No engagement with marketing for 18 months
    • No clicks, opens, or website visits
    • Considered "inactive"
    • Consent re-confirmation requested

  4. Regulatory Changes
    • New legal requirements
    • ICO guidance changes
    • PECR amendments
    • Best practice updates

Refresh Process:

  1. Re-consent Email
    • Sent to all consented individuals
    • Explains why re-confirmation needed
    • Clear opt-in link (not opt-out)
    • 30-day deadline for response

  2. No Response Handling
    • After 30 days, cease marketing
    • Retain on suppression list
    • Do not assume continued consent
    • Can still send essential service emails

  3. Renewed Consent
    • New consent record created
    • Fresh timestamp and details
    • Supersedes previous consent
    • Audit trail maintained

Documentation:

  • All consent refresh campaigns logged
  • Response rates tracked
  • Unsubscribes recorded
  • Annual review of refresh effectiveness

Data subjects can request copies of their consent records under Article 15 (Right of Access).

What We Provide:

  • All current active consents
  • History of withdrawn consents
  • Dates of consent and withdrawal
  • Purposes for which consent was given
  • Methods of consent collection

Request Process:

  • Submit via Subject Access Request (see Data Subject Rights section)
  • Identity verification required
  • Provided within 1 month
  • Free of charge

Data We Process

Client Account Data

Data Type                | Purpose                          | Legal Basis                | Retention
-------------------------|----------------------------------|----------------------------|----------------------------------
Name, email, phone       | Account management, support      | Contract                   | Duration + 6 years (tax)
Billing address          | Invoicing, tax compliance        | Contract, legal obligation | Duration + 6 years (tax)
Payment details          | Payment processing               | Contract                   | Not stored (via payment processor)
IP addresses (admin)     | Security, access logs            | Legitimate interests       | 12 months
Technical support logs   | Service delivery, troubleshooting| Contract                   | 24 months
Website files/databases  | Hosting service provision        | Contract                   | Duration + 30 days

End-User Data (as Processor)

For data stored on client websites, clients are the data controllers:

  • Website visitor data (analytics, cookies)
  • Customer databases (e-commerce, CRM)
  • Form submissions and enquiries
  • User accounts and profiles

Client Responsibilities

Clients must ensure their own GDPR compliance for data they collect via hosted websites. MDHosting provides the technical infrastructure but does not control website data collection practices.

The Privacy and Electronic Communications Regulations (PECR) complement UK GDPR and impose specific requirements for cookies and electronic marketing. This section covers MDHosting's compliance with PECR.

UK PECR Requirements

PECR requires:

  • Consent for storing or accessing information on user devices (cookies and similar technologies)
  • Consent for electronic marketing communications (email, SMS)
  • Clear and comprehensive information about cookies
  • Easy opt-out mechanisms

Exceptions:

  • Strictly necessary cookies do not require consent
  • Essential service communications do not require marketing consent

Cookies fall into four categories with different consent requirements:

1. Strictly Necessary Cookies

Purpose: Essential for website operation
Consent Required: No
Examples:

  • Session management cookies
  • Authentication tokens
  • Load balancer cookies
  • Security cookies (CSRF tokens)
  • Shopping basket functionality

MDHosting Usage:

  • cPanel/control panel session cookies
  • Client portal authentication
  • Billing system session management
  • No consent required per PECR Regulation 6(4)

2. Performance/Analytics Cookies

Purpose: Collect information about website usage
Consent Required: Yes
Examples:

  • Google Analytics
  • Traffic analysis
  • Page view counters
  • Error tracking

MDHosting Usage:

  • Website analytics (if implemented)
  • User behaviour tracking for service improvement
  • Consent obtained via cookie banner before setting

3. Functional Cookies

Purpose: Remember user choices and preferences
Consent Required: Yes (unless strictly necessary for requested service)
Examples:

  • Language preferences
  • Region selection
  • Interface customisation
  • Accessibility settings

MDHosting Usage:

  • Minimal functional cookies
  • Where used, consent obtained via banner

4. Marketing/Targeting Cookies

Purpose: Track users across websites for advertising
Consent Required: Yes
Examples:

  • Advertising cookies
  • Social media tracking pixels
  • Retargeting cookies

MDHosting Usage:

  • Not currently used
  • Would require explicit consent if implemented

Current Cookie Implementation:

  1. Essential Cookies Only
    • MDHosting website uses only strictly necessary cookies
    • Session management for client portal
    • Authentication for control panels
    • No analytics or marketing cookies currently deployed

  2. Cookie Banner
    • If non-essential cookies added, cookie consent banner will be implemented
    • Displayed on first visit
    • Clear explanation of cookie types
    • Accept/reject options for each category
    • Link to detailed cookie policy

  3. Cookie Policy Page
    • Available at mdhosting.co.uk/cookie-policy
    • Lists all cookies used
    • Explains purpose and duration
    • Provides opt-out instructions
    • Updated when cookies change

Cookie Information to Provide:

For each cookie, we document:

  • Cookie name
  • Purpose and function
  • Duration (session or persistent)
  • First-party or third-party
  • Data collected
  • Third parties with access

Cookie Consent Implementation (if non-essential cookies added):

  1. Banner Display
    • Shown before cookies set (except necessary)
    • Does not block content unnecessarily
    • Clear and concise language
    • British English
    • No scrolling or browsing as consent

  2. Granular Control
    • Category-by-category consent
    • Accept all / reject all options
    • Customise preferences
    • Save preferences in essential cookie

  3. Consent Storage
    • Consent choice stored in cookie (ironic but necessary)
    • Duration: 12 months then re-prompt
    • Can be changed at any time via policy page
    • Withdrawal as easy as granting

  4. Prior Consent Requirement
    • Non-essential cookies not set until consent given
    • Scripts blocked until user accepts
    • Re-check consent on each visit if expired
    • No assumed consent
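As an added example (not MDHosting's code), the prior-consent gate described above in browser-style JavaScript: the choice lives in one essential cookie, counts as expired after 12 months so the banner is shown again, and tagged non-essential scripts are only activated for categories the user actively ticked; a missing, malformed or expired record never grants anything. The cookie name, value format and category names are assumptions for the illustration.

```javascript
// Added example: consent gate for non-essential cookies (not MDHosting's code).
// Assumed: the preference cookie is named "mdh_cookie_consent" and holds a JSON
// record {v, ts, choices}; categories mirror the four on this page.

const CONSENT_COOKIE = "mdh_cookie_consent";       // assumed name (strictly necessary cookie)
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;  // 12 months, then re-prompt
const NON_ESSENTIAL = ["analytics", "functional", "marketing"];

// Parse a Cookie header string into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      // malformed percent-encoding: ignore this cookie rather than throw
    }
  }
  return out;
}

// Read the stored choice. Anything missing or malformed is "none"; anything
// older than the TTL (or timestamped in the future) is "expired". In both cases
// the banner must be shown again and no non-essential script may run.
function readConsent(header, now = Date.now()) {
  const raw = parseCookieHeader(header)[CONSENT_COOKIE];
  if (raw === undefined) return { status: "none", choices: {} };
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return { status: "none", choices: {} };
  }
  if (!record || typeof record !== "object" || typeof record.ts !== "number" ||
      !record.choices || typeof record.choices !== "object") {
    return { status: "none", choices: {} };
  }
  if (record.ts > now || now - record.ts > CONSENT_TTL_MS) {
    return { status: "expired", choices: {} };
  }
  const choices = {};
  for (const cat of NON_ESSENTIAL) choices[cat] = record.choices[cat] === true; // absent = refused
  return { status: "valid", choices };
}

// Build the Set-Cookie value that records an explicit choice. Only categories
// the user actively ticked become true; silence or scrolling is never consent.
function buildConsentCookie(ticked, now = Date.now()) {
  const choices = {};
  for (const cat of NON_ESSENTIAL) choices[cat] = ticked.includes(cat);
  const value = encodeURIComponent(JSON.stringify({ v: 1, ts: now, choices }));
  const expires = new Date(now + CONSENT_TTL_MS).toUTCString();
  return `${CONSENT_COOKIE}=${value}; Expires=${expires}; Path=/; Secure; SameSite=Lax`;
}

// May a script tagged with this cookie category be activated now?
function mayLoad(category, consent) {
  if (category === "necessary") return true;   // strictly necessary: no consent needed
  return consent.status === "valid" && consent.choices[category] === true;
}

// Is the banner required on this visit? (first visit, malformed record, or expired)
function bannerRequired(consent) {
  return consent.status !== "valid";
}

// Given the page's tagged scripts (e.g. <script type="text/plain"
// data-cookie-category="analytics" data-src="...">), return the sources that may
// be activated. An untagged script has no category and is therefore blocked.
function scriptsToLoad(tags, consent) {
  return tags.filter((t) => mayLoad(t.category, consent)).map((t) => t.src);
}
```

In a real page the "Set-Cookie"-style string would be written to document.cookie from the banner's save handler, and scriptsToLoad would drive swapping type="text/plain" blockers for live script tags.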

Email Marketing PECR Compliance

PECR imposes specific rules on electronic marketing beyond GDPR consent requirements.

Unsolicited Marketing Rules

To Individual Subscribers (B2C):

  • Opt-in consent required before sending any marketing
  • Cannot use pre-ticked boxes
  • Soft opt-in exception: existing customers for similar products
  • Must identify sender clearly
  • Must provide free opt-out method
  • Opt-out must be honoured immediately

To Corporate Subscribers (B2B):

  • Limited PECR restrictions on generic corporate email addresses
  • Individual named addresses still require consent
  • Best practice: treat all as B2C

MDHosting Approach:

  • Treat all email addresses as B2C (strictest standard)
  • Always require explicit opt-in
  • Never purchase email lists
  • Honour opt-outs within 24 hours

Soft Opt-In Exception

MDHosting may send marketing to existing clients without prior consent if:

Conditions (all must be met):

  1. Contact details obtained during sale or negotiations for sale
  2. Marketing is for MDHosting's own similar products/services
  3. Client given clear opportunity to opt-out at collection
  4. Client given clear opt-out in every message

Similar Products/Services:

  • Web hosting upgrades and add-ons
  • Related services (email hosting, domains)
  • Service improvements and new features

Not Similar:

  • Unrelated third-party products
  • Services outside hosting/domains
  • Products requiring separate contracts

Opt-Out Implementation:

  • Clear "unsubscribe" link in every email
  • Prominent placement (footer minimum)
  • One-click unsubscribe (no login required)
  • Immediate processing (within 24 hours)
  • Confirmation sent when complete

Message Content Requirements

Every marketing email must include:

Mandatory Elements:

  1. Clear Identification
    • Sender name: "MDHosting Ltd"
    • From address: marketing@mdhosting.co.uk or similar
    • Not misleading or deceptive

  2. Contact Information
    • Valid reply-to address
    • Physical address (registered office)
    • Company number: 09796097

  3. Clear Marketing Identification
    • Recognisable as marketing
    • Not disguised as service emails
    • Subject line not misleading

  4. Opt-Out Mechanism
    • Unsubscribe link in every message
    • Clear instructions
    • Free of charge
    • Simple process

Prohibited Practices:

  • Misleading headers or subject lines
  • Concealing sender identity
  • Failing to provide opt-out
  • Charging for opt-out
  • Making opt-out difficult or complex

Suppression List Management

MDHosting maintains a suppression list of individuals who have opted out of marketing.

Suppression List Purpose:

  • Prevent sending marketing to those who opt-out
  • Demonstrate PECR compliance
  • Avoid complaints and ICO investigation
  • Protect reputation

List Contents:

  • Email addresses of all opt-outs
  • Date of opt-out
  • Method of opt-out
  • Reason (if provided)
  • Permanent retention

Suppression Process:

  1. Adding to List
    • All unsubscribe requests added immediately
    • All complaint-based opt-outs added
    • Regular import from email service provider
    • Manual additions processed within 24 hours

  2. List Checking
    • Check before every marketing send
    • Automated checking in email platform
    • Manual review for small sends
    • No marketing to suppressed addresses

  3. List Maintenance
    • Regular audits (quarterly)
    • Remove duplicates
    • Verify accuracy
    • Never remove valid opt-outs

  4. Third-Party Sharing
    • Suppression list shared with email service providers
    • Necessary for automated checking
    • Processor agreement in place
    • No other sharing

Re-consent:

  • Cannot remove from suppression without explicit new consent
  • Must be separate, affirmative opt-in
  • Cannot assume silence is consent
  • Document new consent clearly

MDHosting assists clients in achieving cookie compliance for their hosted websites.

Client Responsibilities:

Clients are data controllers for their websites and must:

  • Implement cookie consent mechanisms
  • Provide clear cookie information
  • Obtain consent for non-essential cookies
  • Honour user preferences
  • Maintain cookie policies

MDHosting Support:

  1. Technical Implementation
    • Assist with cookie consent plugin installation
    • Provide hosting for cookie consent scripts
    • Support cookie blocking implementations
    • Troubleshoot consent tool issues

  2. Plugin Recommendations
    • Cookie Consent plugins for WordPress
    • Compliance tools compatible with hosting environment
    • Free and premium options
    • UK GDPR/PECR compliant solutions

  3. Resources Provided
    • Cookie policy templates (on request)
    • PECR compliance guidance
    • Links to ICO resources
    • Best practice documentation

  4. What MDHosting Does Not Do
    • Audit client websites for compliance
    • Provide legal advice on PECR
    • Accept liability for client non-compliance
    • Configure client consent tools (unless contracted separately)

Recommended Cookie Consent Plugins:

For WordPress sites:

  • Cookie Notice & Compliance (free, UK-friendly)
  • Complianz GDPR/CCPA Cookie Consent (premium, comprehensive)
  • CookieYes (freemium, easy implementation)

For custom sites:

  • Cookiebot (paid service, robust)
  • OneTrust (enterprise solution)
  • Osano (good for small businesses)

Client Independence

MDHosting provides infrastructure and support but clients remain solely responsible for their website's PECR compliance. Clients should seek legal advice for complex compliance questions.

PECR Enforcement and Penalties

ICO Enforcement Powers:

  • Issue monetary penalties up to £500,000
  • Enforcement notices requiring specific actions
  • Stop processing orders
  • Prosecution for certain breaches

Common PECR Violations:

  • Sending unsolicited marketing emails without consent
  • Failing to provide opt-out mechanisms
  • Setting non-essential cookies without consent
  • Misleading marketing messages
  • Concealing sender identity

MDHosting Compliance Measures:

  • Regular staff training on PECR
  • Documented consent procedures
  • Suppression list maintenance
  • Cookie policy updates
  • Annual compliance reviews

PECR Compliance Checklist

  • Only strictly necessary cookies set without consent
  • Cookie policy page published and accessible
  • Marketing emails only to opted-in recipients
  • Unsubscribe link in every marketing email
  • Suppression list maintained and checked
  • Soft opt-in conditions met for existing customers
  • Email sender clearly identified
  • Cookie consent banner implemented (if non-essential cookies used)
  • Client guidance provided on website cookies
  • Annual PECR compliance review conducted

Further Resources

ICO PECR Guidance:

  • https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/
  • https://ico.org.uk/for-organisations/guide-to-pecr/

Cookie Guidance:

  • https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cookies/

Email Marketing:

  • https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/electronic-and-telephone-marketing/

Data Subject Rights

MDHosting supports all UK GDPR data subject rights. This section details the operational procedures for handling data subject requests.

Request Management Procedures

Request Intake and Logging

Channels for Requests:

Data subjects can submit requests through multiple channels:

  1. Email
    • Primary: admin@mdhosting.co.uk
    • Alternative: support email addresses
    • Automatic forwarding to request queue
    • Acknowledgement sent within 48 hours

  2. Client Portal
    • Dedicated "Data Rights Request" form
    • Secure submission with automatic authentication
    • Confirmation displayed immediately
    • Email confirmation sent

  3. Postal Mail
    • Registered office address (see contact details)
    • Scanned and logged upon receipt
    • Acknowledgement sent by return post
    • Processed same as email requests

  4. Support Ticket
    • Can be submitted via normal support channels
    • Flagged for priority handling
    • Routed to data protection lead
    • Subject line tagged: [DATA SUBJECT REQUEST]

Request Logging:

Every data subject request is logged in the Data Subject Request Register:

Log Entry Contains:

  • Unique reference number (format: DSR-YYYY-MM-###)
  • Date and time received
  • Data subject name and contact details
  • Request type (access, erasure, portability, etc.)
  • Requested action or information
  • Channel received (email, portal, post)
  • Assigned handler
  • Status (received, verifying, assessing, processing, completed)
  • Deadline date (1 month from receipt)
  • Completion date
  • Outcome and actions taken

Log Location:

  • Secure internal documentation (not in git repository)
  • Access restricted to authorised staff
  • Encrypted storage
  • Regular backups
  • Retained for 6 years for audit purposes

Identity Verification Procedures

Before processing any data subject request, identity must be verified to prevent unauthorised disclosure.

Standard Verification (Low-Risk Requests):

For routine requests from known clients:

  1. Email from Registered Account
    • Email received from address on file
    • Matches client account email
    • No additional verification required
    • Processed immediately

  2. Client Portal Submission
    • Authenticated login required
    • Username/password verification
    • Already verified identity
    • Processed immediately

Enhanced Verification (High-Risk Requests):

For sensitive requests (e.g., large data access, erasure requests, requests from unknown parties):

  1. Additional Information Required
    • Government-issued photo ID (driving licence, passport)
    • Proof of address (utility bill, bank statement)
    • Account-specific information (invoice number, service details)
    • Submitted via secure method

  2. Verification Timeline
    • Request additional documents within 24 hours of initial request
    • Allow 5 business days for data subject to provide
    • Verify documents within 2 business days
    • Clock for 1-month response starts after verification complete

  3. Verification Methods
    • Secure file upload via client portal
    • Encrypted email attachment
    • Postal mail to registered address
    • In-person verification (by appointment)

Failed Verification:

If identity cannot be verified:

  • Inform data subject of failure
  • Explain what additional information is needed
  • Provide 10 business days for compliance
  • If still unverified, request can be refused
  • Document refusal reason
  • Inform of right to complain to ICO

Verification Records:

  • Method of verification documented in request log
  • Copies of ID retained only as long as necessary (destroyed after request complete)
  • Verification failure reasons documented
  • Audit trail maintained

Request Assessment

Once identity is verified, assess the request for validity and complexity.

Validity Assessment:

  1. Is This a Valid GDPR Request?
    • Does it relate to personal data processing?
    • Is it one of the recognised rights (Articles 15-22)?
    • Is the data subject making the request (or authorised representative)?
    • Is the request clear and specific?

  2. Exemptions and Limitations
    • Legal privilege (legal advice, court proceedings)
    • Management forecasting
    • Negotiations with data subject
    • References given in confidence
    • Examination scripts and marks
    • Regulatory investigations

  3. Manifestly Unfounded or Excessive?
    • Clearly frivolous or vexatious
    • Repetitive requests without reasonable interval
    • Grossly disproportionate effort required
    • If yes: can charge reasonable fee or refuse
    • Must justify and document decision
    • Inform data subject of refusal reason

Complexity Determination:

Determines response timeline (1 month standard, extendable to 3 months if complex):

Simple Requests (1-month timeline):

  • Single data subject
  • Small amount of data
  • Straightforward retrieval
  • Clear request scope
  • No legal assessment required

Complex Requests (may extend to 3 months):

  • Multiple systems or databases
  • Large volume of data
  • Requires redaction (third-party data)
  • Legal assessment needed (exemptions)
  • Unclear request requiring clarification
  • Multiple requests received simultaneously

Extension Notification:

  • If extending to 3 months, notify data subject within 1 month
  • Explain reasons for extension
  • Provide new deadline date
  • Offer interim update if possible

Execution Workflows

Who Handles Requests:

  1. Data Protection Lead (Director)
     • Oversees all data subject requests
     • Approves complex or sensitive requests
     • Handles erasure and rectification decisions
     • Liaises with ICO if complaints arise
     • Final authority on refusals or extensions

  2. System Administrators
     • Retrieve data from systems and databases
     • Perform technical deletions or restrictions
     • Extract data for portability requests
     • Implement rectifications in systems
     • Provide technical assessments

  3. Support Staff
     • Initial request intake and logging
     • Identity verification
     • Routine correspondence with data subjects
     • Assembly of data for access requests
     • Escalate complex issues to data protection lead

Escalation Procedures:

Escalate to Data Protection Lead if:

  • Identity verification fails
  • Request appears manifestly unfounded
  • Legal exemptions may apply
  • Erasure conflicts with retention obligations
  • Objection requires balancing test
  • Extension beyond 1 month needed
  • Data subject disputes response
  • Complaint threatened or made to ICO

Required Approvals:

Data Protection Lead approval required for:

  • All erasure requests (permanent data deletion)
  • Refusals or partial refusals
  • Fee charges for excessive requests
  • Timeline extensions to 3 months
  • Restriction of processing decisions
  • Objection rejections (legitimate grounds assessment)

No approval needed for:

  • Routine access requests (verified identity, clear scope)
  • Simple rectifications (obvious errors)
  • Consent withdrawals (always honoured)
  • Portability exports (standard format)

Response Procedures

Response Format:

  1. Secure Delivery Methods
     • Email: Encrypted attachment to verified email address
     • Portal: Secure download link in client portal (password-protected)
     • Postal: Registered post to verified address
     • In-Person: By appointment with ID verification

  2. Access Request Response Contents
     • Cover letter explaining contents
     • Copy of personal data (organised and clear format)
     • Processing information (purposes, legal basis, recipients)
     • Retention period information
     • Information about rights and complaint procedures
     • ICO contact details
     • No charge (unless excessive)

  3. Other Request Responses
     • Confirmation of action taken
     • Explanation of any limitations or exemptions
     • Next steps if applicable
     • Contact for further questions
     • ICO complaint rights

Response Templates:

MDHosting maintains templates for:

  • Access request cover letters
  • Erasure confirmation letters
  • Rectification confirmation letters
  • Portability data delivery notices
  • Refusal letters (with exemption explanations)
  • Extension notifications
  • Fee assessment letters

Fee Assessment:

Generally free of charge, but fees may apply:

When Fees Permitted:

  • Request is manifestly unfounded or excessive
  • Repetitive requests for copies (beyond first copy)
  • Fee must be reasonable (based on administrative cost)
  • Maximum: typically £10-50 depending on effort

Fee Process:

  1. Assess whether fee applicable
  2. Calculate reasonable amount
  3. Notify data subject of fee and reason
  4. Provide invoice for payment
  5. Clock stops until fee paid
  6. Process request upon payment
  7. Document fee decision

Zero Fees for:

  • First access request copy
  • Rectification requests
  • Erasure requests
  • Restriction requests
  • Portability requests
  • Objection requests
  • Consent withdrawal

Tracking and Monitoring

Request Status Tracking:

All requests tracked through defined stages:

  1. Received
     • Request logged in register
     • Acknowledgement sent
     • Unique reference assigned
     • Deadline calculated

  2. Verifying
     • Identity verification in progress
     • Additional documents requested
     • Awaiting data subject response

  3. Assessing
     • Validity being determined
     • Complexity evaluation
     • Exemptions considered
     • Approval sought if needed

  4. Processing
     • Data being retrieved/compiled
     • Actions being executed
     • Response being prepared
     • Quality check in progress

  5. Completed
     • Response sent to data subject
     • Actions confirmed complete
     • Log entry finalised
     • Case closed

  6. Refused/Suspended
     • Identity not verified
     • Manifestly unfounded
     • Awaiting fee payment
     • Reason documented

Deadline Monitoring:

  • All requests have automatic deadline tracking
  • Alerts sent 7 days before deadline
  • Escalation if approaching deadline without completion
  • Extension notification sent before original deadline expires
  • Missed deadlines flagged and reviewed
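The timeline rules above (1-month deadline extendable to 3 months if notified within the first month, the clock stopping while a fee is outstanding, and the 7-day alert) are easy to get wrong with naive 30-day arithmetic. The following is an added example, not MDHosting's own tooling; it assumes "1 month" means the same calendar day in the following month (clamped to the month's last day), which is my reading of the text and should be checked against current ICO guidance.

```python
"""Deadline tracking for data subject requests (added example, not MDHosting's code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ALERT_DAYS = 7        # page: "Alerts sent 7 days before deadline"
STANDARD_MONTHS = 1   # page: "1 month standard"
EXTENDED_MONTHS = 3   # page: "extendable to 3 months if complex"


def add_months(d: date, months: int) -> date:
    """Same day of month `months` later, clamped to that month's last day
    (31 Jan 2024 + 1 month -> 29 Feb 2024). A fixed 30-day delta would drift.
    Assumption: this calendar-month reading of "within 1 month" is mine."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DataSubjectRequest:
    reference: str              # unique reference assigned on receipt
    received: date
    status: str = "Received"    # Received/Verifying/Assessing/Processing/Completed/Refused-Suspended
    extended: bool = False
    extension_reason: str = ""
    suspended_days: int = 0     # days the clock was stopped awaiting a fee
    fee_requested_on: Optional[date] = None

    def deadline(self) -> date:
        months = EXTENDED_MONTHS if self.extended else STANDARD_MONTHS
        return add_months(self.received, months) + timedelta(days=self.suspended_days)

    def extend(self, today: date, reason: str) -> date:
        """Extend to 3 months; the extension must be notified within the first month."""
        if self.extended:
            raise ValueError(f"{self.reference}: already extended")
        if today > self.deadline():
            raise ValueError(f"{self.reference}: extension must be notified before the 1-month deadline")
        self.extended, self.extension_reason = True, reason
        return self.deadline()

    def request_fee(self, today: date) -> None:
        """Fee for a manifestly unfounded/excessive request: the clock stops until paid."""
        self.fee_requested_on = today
        self.status = "Refused/Suspended"

    def fee_paid(self, today: date) -> date:
        if self.fee_requested_on is None:
            raise ValueError(f"{self.reference}: no fee outstanding")
        self.suspended_days += (today - self.fee_requested_on).days
        self.fee_requested_on = None
        self.status = "Processing"
        return self.deadline()

    def alert(self, today: date) -> Optional[str]:
        """Deadline monitoring: None, 'DUE_SOON' (7 days or fewer left) or 'MISSED'."""
        if self.status == "Completed" or self.fee_requested_on is not None:
            return None  # case closed, or clock stopped awaiting fee
        remaining = (self.deadline() - today).days
        if remaining < 0:
            return "MISSED"
        return "DUE_SOON" if remaining <= ALERT_DAYS else None


def alerts_for(register: list[DataSubjectRequest], today: date) -> dict[str, str]:
    """Daily sweep over the request register: reference -> alert kind."""
    return {r.reference: a for r in register if (a := r.alert(today)) is not None}


def demo_register() -> dict[str, str]:
    """Constructed sample cases exercising the rules above; returns ISO dates/alerts."""
    out: dict[str, str] = {}
    r1 = DataSubjectRequest("DSR-0001", date(2024, 1, 31))       # constructed
    out["r1_deadline"] = r1.deadline().isoformat()               # 2024-02-29
    out["r1_alert_22feb"] = r1.alert(date(2024, 2, 22)) or "none"  # DUE_SOON
    out["r1_extended"] = r1.extend(date(2024, 2, 20), "data across multiple systems").isoformat()
    r2 = DataSubjectRequest("DSR-0002", date(2024, 1, 31))       # constructed
    r2.request_fee(date(2024, 2, 5))
    out["r2_alert_while_suspended"] = r2.alert(date(2024, 2, 10)) or "none"
    out["r2_deadline_after_fee"] = r2.fee_paid(date(2024, 2, 15)).isoformat()  # +10 days
    out["r2_alert_12mar"] = r2.alert(date(2024, 3, 12)) or "none"  # MISSED
    r3 = DataSubjectRequest("DSR-0003", date(2024, 1, 15))       # constructed
    try:
        r3.extend(date(2024, 2, 20), "late")
        out["r3_late_extension"] = "accepted"
    except ValueError:
        out["r3_late_extension"] = "rejected"                    # past the 15 Feb deadline
    out["sweep"] = ",".join(sorted(alerts_for([r1, r2, r3], date(2024, 3, 12))))
    return out


if __name__ == "__main__":
    for k, v in demo_register().items():
        print(f"{k}: {v}")
```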

Performance Metrics:

Tracked annually:

  • Total requests received (by type)
  • Average response time
  • Percentage within 1-month deadline
  • Extensions granted (number and reasons)
  • Refusals (number and reasons)
  • Complaints to ICO (number and outcomes)
  • Most common request types
  • Trends over time

Annual Reporting:

  • Performance metrics reviewed annually
  • Included in compliance monitoring report
  • Trends identified and addressed
  • Process improvements implemented
  • Staff training needs identified
  • Report to senior management

Individual Data Subject Rights

MDHosting provides the following specific rights under UK GDPR:

1. Right of Access (Article 15)

Request Process:

  1. Verify identity (email from registered account)
  2. Respond within 1 month (extend to 3 months if complex)
  3. Provide copy of personal data and processing information
  4. Free of charge (excessive requests may incur fee)

What We Provide:

  • Copy of all personal data held
  • Processing purposes and legal basis
  • Data recipients and retention periods
  • Rights information and complaint procedures

2. Right to Rectification (Article 16)

Process:

  • Clients can update account details via control panel
  • Email requests processed within 1 month
  • Notify any third parties if data was disclosed
  • Confirm corrections to data subject

3. Right to Erasure / "Right to be Forgotten" (Article 17)

When Applicable:

  • Data no longer necessary for original purpose
  • Consent withdrawn (where consent was basis)
  • Object to processing (legitimate interests basis)
  • Data processed unlawfully

Limitations:

  • Cannot delete if required for legal obligations (e.g., tax records)
  • Cannot delete if necessary for legal claims
  • Business records retained for 6 years per UK tax law

Process:

  1. Assess whether legal grounds for retention exist
  2. If erasure granted: delete from live systems and backups
  3. Confirm erasure within 1 month
  4. Document decision and actions taken

4. Right to Restrict Processing (Article 18)

Grounds for Restriction:

  • Accuracy of data is contested
  • Processing is unlawful but erasure refused
  • Data no longer needed but required for legal claims
  • Objection to processing is pending verification

Action: Flag account/data as "restricted" - store but do not process

5. Right to Data Portability (Article 20)

Applies to:

  • Data provided by contract or consent
  • Automated processing only

We Provide:

  • Website files (ZIP/tar archive)
  • Database exports (SQL format)
  • Email exports (maildir/mbox format)
  • Account data (CSV/JSON format)

Delivery: Secure download link or direct transfer to new provider

6. Right to Object (Article 21)

Grounds:

  • Processing based on legitimate interests
  • Direct marketing (must cease immediately)

Assessment:

  • Evaluate whether compelling legitimate grounds override
  • Document decision
  • Respond within 1 month

7. Rights Related to Automated Decision-Making (Article 22)

Current Status: MDHosting does not use automated decision-making or profiling.

Data Breach Notification

Definition

A personal data breach is:

  • Unauthorised or accidental access, loss, alteration, or disclosure of personal data
  • Includes ransomware, hacking, accidental deletion, lost devices

Notification Obligations

To ICO (within 72 hours if high risk):

  1. Discover breach
  2. Assess severity and risk to individuals
  3. Contain breach and secure systems
  4. Notify ICO via their online portal if high risk
  5. Document breach in breach register

To Data Subjects (without undue delay if high risk):

  • Direct communication to affected individuals
  • Clear description of breach and consequences
  • Measures taken and recommended actions
  • Contact point for further information

Breach Assessment Criteria

Low Risk (no notification required):

  • Encrypted data accessed but keys not compromised
  • Data already public
  • Breach contained before access occurred

High Risk (ICO + subjects notification required):

  • Large scale breach affecting many individuals
  • Sensitive data exposed (passwords, financial data)
  • Breach could lead to identity theft or fraud
  • Children's data affected

Breach Response Procedure

Immediate Actions (0-24 hours):

  1. Isolate affected systems to prevent further compromise
  2. Preserve evidence (logs, system snapshots)
  3. Assess scope: what data, how many subjects, how accessed
  4. Notify senior management
  5. Begin breach log documentation

Short-term Actions (24-72 hours):

  1. Complete risk assessment using ICO criteria
  2. Implement containment measures
  3. Notify ICO if required (within 72 hours)
  4. Prepare communications for affected data subjects
  5. Notify relevant third parties (e.g., payment processors)

Medium-term Actions (72 hours - 1 month):

  1. Notify affected data subjects if high risk
  2. Implement remediation measures
  3. Monitor for ongoing issues
  4. Update security measures to prevent recurrence
  5. Complete breach register entry

Long-term Actions:

  1. Review and update security procedures
  2. Staff training on lessons learned
  3. Update risk assessments
  4. Review insurance coverage
  5. Complete post-incident report

Breach Register

All breaches (even low risk) must be logged:

  • Date and time of breach discovery
  • Nature and scope of breach
  • Data categories and number of subjects affected
  • Likely consequences
  • Measures taken to mitigate
  • Notification decisions and communications
  • Lessons learned and preventive actions

Location: Secure internal documentation (not committed to git)

Data Retention and Deletion

Retention Policy

| Data Type            | Retention Period            | Justification                        |
|----------------------|-----------------------------|--------------------------------------|
| Active Accounts      | Duration of service         | Contract performance                 |
| Closed Accounts      | 6 years after closure       | UK tax and legal requirements        |
| Financial Records    | 6 years                     | HMRC requirements                    |
| Website Backups      | 30 days                     | Service delivery, disaster recovery  |
| Access Logs          | 12 months                   | Security monitoring, legal interests |
| Support Tickets      | 24 months                   | Service quality, reference           |
| Marketing Consent    | Until withdrawn + 6 months  | Consent management                   |
| Email Communications | 24 months                   | Business records                     |

Deletion Procedures

Scheduled Deletions:

  • Automated backup rotation (30-day cycle)
  • Quarterly review of closed accounts (6+ years old)
  • Annual review of marketing database
  • Log rotation per retention policy

On-Demand Deletions (Right to Erasure):

  1. Verify identity and assess legal grounds
  2. If approved:
     • Remove from live databases
     • Mark for deletion in backup rotation
     • Purge from active backups where feasible
     • Update CRM/billing systems
  3. Confirm completion to data subject
  4. Document in deletion log

Deletion Methods:

  • Database records: Permanent deletion, not soft delete
  • File systems: Secure deletion (overwrite, not just unlink)
  • Backups: Allow natural expiry unless immediate removal required
  • Physical media: Destruction according to security standards

Data Minimisation

Practices:

  • Collect only data necessary for service provision
  • Regular data audits to identify unnecessary data
  • Automatic removal of redundant files (e.g., old logs)
  • Privacy-by-design in new systems
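The two deletion methods the policy contrasts (hard delete versus a soft-delete flag; overwrite before unlink versus a bare unlink) are shown below as an added example that is not MDHosting's own code. The `clients` table and the export file are constructed stand-ins; `PRAGMA secure_delete` is a real SQLite setting that zeroes freed pages, and the overwrite caveat in the docstring is the check a practitioner should make before relying on this method.

```python
"""Erasure mechanics: hard delete in the database, overwrite-before-unlink on disk.
Added example, not MDHosting's code."""
import os
import secrets
import sqlite3
import tempfile


def open_client_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the CRM/billing data."""
    conn = sqlite3.connect(":memory:")
    # Without secure_delete, SQLite leaves deleted row bytes in free pages
    # until they are reused; with it, freed content is overwritten with zeros.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "deleted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO clients (name, email) VALUES (?, ?)",
        [("Alice Example", "alice@example.invalid"),   # constructed sample rows
         ("Bob Example", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def row_readable(conn: sqlite3.Connection, client_id: int) -> bool:
    return conn.execute("SELECT 1 FROM clients WHERE id = ?", (client_id,)).fetchone() is not None


def soft_delete(conn: sqlite3.Connection, client_id: int) -> bool:
    """The pattern the policy rejects: the row stays and is still readable."""
    conn.execute("UPDATE clients SET deleted = 1 WHERE id = ?", (client_id,))
    conn.commit()
    return row_readable(conn, client_id)


def hard_delete(conn: sqlite3.Connection, client_id: int) -> bool:
    """Permanent deletion: the row is gone from the live table."""
    conn.execute("DELETE FROM clients WHERE id = ?", (client_id,))
    conn.commit()
    return row_readable(conn, client_id)


def secure_delete_file(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite the file's bytes with random data, fsync, truncate, then unlink.
    Returns the number of bytes overwritten per pass.

    Caveat: on SSDs (wear levelling), copy-on-write or journaling filesystems,
    and in snapshots or backups, the old blocks can survive an in-place
    overwrite. Encryption at rest with destruction of the key is the dependable
    complement; this routine only handles the live copy."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo_erasure() -> dict:
    """Run both methods on constructed data and report what remains."""
    conn = open_client_db()
    results = {
        "soft_delete_still_readable": soft_delete(conn, 1),   # True: data still there
        "hard_delete_still_readable": hard_delete(conn, 1),   # False: row gone
        "other_row_untouched": row_readable(conn, 2),
    }
    fd, path = tempfile.mkstemp(prefix="client-export-")      # constructed export file
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed client export\n" * 1000)        # 26,000 bytes
    results["bytes_overwritten"] = secure_delete_file(path, passes=2)
    results["file_exists_after"] = os.path.exists(path)
    return results


if __name__ == "__main__":
    print(demo_erasure())
```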

Privacy by Design and Default

Privacy by Design (PbD) and Privacy by Default are foundational principles embedded into MDHosting's operations, ensuring data protection is considered from the outset of any new system, service, or process.

Privacy by Design Principles

MDHosting follows the seven foundational principles of Privacy by Design:

1. Proactive Not Reactive; Preventative Not Remedial

  • Anticipate and prevent privacy risks before they occur
  • Risk assessments conducted before launching new services
  • Security measures built into systems from the start
  • Regular reviews to identify emerging threats
  • Don't wait for breaches to improve security

Implementation:

  • Threat modelling for new features
  • Security review before deployment
  • Regular penetration testing
  • Monitoring and alerting systems
  • Incident prevention procedures

2. Privacy as the Default Setting

  • Maximum privacy protection delivered automatically
  • No action required from data subjects to protect their privacy
  • Privacy-protective settings as standard, not optional extras
  • Users can reduce privacy if they choose, but secure by default

Implementation:

  • Strong passwords required (not optional)
  • HTTPS enforced for all connections
  • Encryption enabled by default
  • Minimal data collection from the start
  • Opt-in (not opt-out) for non-essential processing

3. Privacy Embedded into Design

  • Privacy is integral to system design, not added as an afterthought
  • Embedded into business processes and technologies
  • Essential component, not a separate add-on
  • Organisational practices and physical architecture include privacy

Implementation:

  • Security requirements in project specifications
  • Privacy considerations in all change requests
  • Developer training on secure coding
  • Infrastructure designed with security zones
  • Access controls embedded in systems

4. Full Functionality - Positive Sum, Not Zero Sum

  • Privacy and functionality coexist (not trade-offs)
  • Achieve both privacy and business objectives
  • Avoid false dichotomies (security vs. usability)
  • Win-win solutions prioritised

Implementation:

  • Secure AND user-friendly authentication
  • Data minimisation WITHOUT reducing service quality
  • Encryption WITHOUT performance degradation
  • Monitoring WITH privacy preservation (anonymisation)

5. End-to-End Security - Full Lifecycle Protection

  • Data protected throughout entire lifecycle
  • From collection to destruction
  • Secure retention during use
  • Secure disposal when no longer needed
  • Cradle to grave protection

Implementation:

  • Encryption in transit and at rest
  • Secure backups with retention limits
  • Automated data deletion schedules
  • Secure disposal of decommissioned hardware
  • Documented data lifecycle procedures

6. Visibility and Transparency

  • All stakeholders can verify privacy practices
  • Open and accountable operations
  • Components and operations remain visible
  • Independent verification possible
  • "Trust but verify" approach

Implementation:

  • Published privacy notices
  • Clear data processing documentation
  • This GDPR compliance document
  • Regular audits and reviews
  • Transparent communication with clients
  • Third-party security certifications pursued

7. Respect for User Privacy

  • User-centric design and operation
  • Strong privacy defaults
  • Notice given to users
  • User-friendly options provided
  • Individual interests prioritised

Implementation:

  • Clear consent mechanisms
  • Easy data rights request processes
  • Responsive support for privacy concerns
  • Privacy-focused product development
  • Client control over their data

Privacy by Default Implementation

Privacy by Default means systems and services provide the highest level of privacy protection automatically, without requiring user action.

Default Settings at MDHosting

Account Creation:

  • Minimum data required for account setup
  • Optional fields clearly marked
  • No unnecessary information collected
  • Marketing consent opt-in (not pre-selected)
  • Strong password requirements enforced

Data Collection:

  • Only essential cookies set initially
  • Analytics cookies require consent
  • No third-party tracking by default
  • Minimal logging (security essentials only)
  • No data sharing without explicit permission

Security Settings:

  • TLS/HTTPS enforced (cannot be disabled)
  • Strong encryption algorithms (modern standards)
  • Secure authentication (SSH keys, strong passwords)
  • Firewall enabled on all servers
  • Regular security updates applied

Communication Preferences:

  • Only essential service emails sent automatically
  • Marketing emails require opt-in
  • Granular communication preferences
  • Easy unsubscribe mechanisms
  • Suppression list respected

Data Retention:

  • Automatic deletion after retention period
  • Backups limited to 30 days
  • Logs rotated per retention policy
  • Deleted accounts purged after legal minimum
  • No indefinite data retention

Privacy Impact Assessment Process

For new systems, features, or significant changes, MDHosting conducts Privacy Impact Assessments (PIAs, also called DPIAs - Data Protection Impact Assessments).

When PIA Required

Mandatory for:

  • New data processing activities
  • Significant changes to existing processing
  • New technologies deployment
  • Large-scale data processing
  • Processing that may result in high risk to individuals

Examples:

  • Implementing new analytics platform
  • Adding biometric authentication
  • Large-scale email processing
  • New third-party integrations
  • Automated decision-making systems

Not typically required for:

  • Minor system updates
  • Bug fixes
  • Performance optimisations without data changes
  • Routine maintenance
  • Replacing like-for-like systems

PIA Procedure

Step 1: Identify Need

  • Screening questionnaire completed
  • Decision documented
  • Approval from Data Protection Lead
  • Scope defined

Step 2: Describe Processing

  • What personal data is processed?
  • Why is it processed (purposes)?
  • Who has access (recipients)?
  • How long is it retained?
  • Where is it stored/transferred?
  • What technologies are used?

Step 3: Assess Necessity and Proportionality

  • Is processing necessary for stated purpose?
  • Is there a less intrusive alternative?
  • Is the amount of data proportionate?
  • Is retention period justified?
  • Are security measures adequate?

Step 4: Identify and Assess Risks

  • Risk to data subject rights and freedoms
  • Unauthorised access risk
  • Data loss or destruction risk
  • Unauthorised disclosure risk
  • Inability to exercise rights risk
  • Impact severity (low, medium, high)
  • Likelihood (unlikely, possible, probable)

Step 5: Identify Mitigation Measures

  • Technical measures to reduce risk
  • Organisational measures needed
  • Additional safeguards
  • Monitoring and auditing
  • Staff training requirements
  • Third-party assurances

Step 6: Document and Approve

  • PIA report completed
  • Residual risks identified
  • Approval by Data Protection Lead
  • If high residual risk: consult ICO
  • Implementation only after approval

Step 7: Review and Monitor

  • Periodic review schedule set
  • Monitoring arrangements established
  • Re-assessment triggers defined
  • Changes trigger new assessment

Privacy by Design Checklist

For all new projects and significant changes:

Planning Phase:

  [ ] Privacy requirements identified
  [ ] Privacy Impact Assessment completed (if required)
  [ ] Data minimisation considered
  [ ] Legal basis identified
  [ ] Privacy notice requirements understood

Design Phase:

  [ ] Security requirements specified
  [ ] Data protection measures designed in
  [ ] Default privacy settings maximised
  [ ] Data subject rights facilitated
  [ ] Third-party processors assessed

Development Phase:

  [ ] Secure coding practices followed
  [ ] Encryption implemented
  [ ] Access controls developed
  [ ] Audit logging included
  [ ] Privacy testing conducted

Deployment Phase:

  [ ] Privacy notice updated
  [ ] Staff training completed
  [ ] Data processing records updated
  [ ] Security review passed
  [ ] Monitoring configured

Operational Phase:

  [ ] Regular privacy reviews scheduled
  [ ] Incident response procedures ready
  [ ] Data subject rights processes working
  [ ] Compliance monitoring active
  [ ] Documentation maintained

Privacy by Design Examples at MDHosting

Website Hosting Service:

  • Minimal client data collected (name, email, billing address)
  • No unnecessary analytics or tracking
  • Client files encrypted at rest
  • HTTPS enforced for all websites
  • Automatic backup retention limits (30 days)
  • Easy data export (portability)

Client Portal:

  • Strong authentication required
  • Session timeouts implemented
  • Privacy preferences easily accessible
  • Consent management built-in
  • Data rights request form provided
  • Activity logging for security

Email Hosting:

  • Spam filtering protects privacy
  • No email content scanning for advertising
  • Encryption options available (TLS)
  • Client control over retention
  • No sharing with third parties
  • Webmail over HTTPS only

Billing System:

  • Payment data handled by PCI-compliant processors
  • Card details never stored by MDHosting
  • Tokenisation used for recurring billing
  • Minimal invoicing data collected
  • Secure client portal access
  • Automatic invoice retention limits

Continuous Improvement

  • Annual review of Privacy by Design implementation
  • Staff suggestions for privacy improvements
  • Client feedback on privacy features
  • Industry best practices monitoring
  • Regulatory guidance incorporated
  • Technology updates evaluated for privacy impact

Third-Party Processors

MDHosting uses the following sub-processors:

Infrastructure Providers

Hetzner Online GmbH

  • Service: Server hosting and infrastructure
  • Location: Germany (EU)
  • Data Processed: All hosted data
  • DPA: Standard Hetzner DPA in place
  • Adequacy: EU-based, GDPR compliant

Service Providers

Stripe, Inc.

  • Service: Payment processing (primary)
  • Location: USA (Privacy Shield certified)
  • Data Processed: Payment transactions (card details not stored by MDHosting)
  • DPA: Stripe Data Processing Agreement in place
  • Adequacy: Stripe's EU-US data transfer mechanisms (Standard Contractual Clauses)
  • Privacy: https://stripe.com/gb/privacy

PayPal Holdings, Inc.

  • Service: Payment processing (optional alternative)
  • Location: USA
  • Data Processed: Payment transactions (handled entirely by PayPal)
  • DPA: PayPal processes as independent controller
  • Adequacy: Standard Contractual Clauses for international transfers

Note on GoCardless:

  • Previously used for Direct Debit processing
  • Status: Discontinued and no longer in use
  • All historical data subject to GoCardless retention policies

Blesta LLC

  • Service: Billing automation and client management platform
  • Location: USA
  • Data Processed: Client account data, billing records, service provisioning
  • Card Data: Not stored by Blesta; uses gateway tokenisation (cards stored as tokens via Stripe/PayPal)
  • PCI Compliance: Blesta passes card data entry through to the payment processors, reducing PCI scope
  • Privacy: https://www.blesta.com/privacy/
  • Features: Client portal (https://mdhosting.co.uk/billing), automated invoicing, support tickets
  • Integration: Connects with Stripe and PayPal for payment processing

Card Obfuscation

Customer card details held against Blesta client accounts are obfuscated through tokenisation. Raw card numbers are never stored in Blesta; only payment gateway tokens are retained, allowing recurring billing without PCI DSS Level 1 compliance requirements.

Sub-Processor Changes

  • Clients notified 30 days before new sub-processor added
  • Clients may object and terminate if they cannot accept new sub-processor
  • This section (lines 301-348) serves as the authoritative sub-processor list for MDHosting Ltd. Updated when processors are added or removed.

Sub-Processor Due Diligence and Auditing

MDHosting ensures all sub-processors meet GDPR requirements through rigorous due diligence before onboarding and ongoing compliance monitoring.

Pre-Onboarding Due Diligence

Before engaging a new sub-processor, MDHosting conducts comprehensive due diligence:

Step 1: Initial Assessment

  • Business need identified and documented
  • Alternative solutions considered
  • Decision to use sub-processor approved by Data Protection Lead
  • Budget and contractual terms reviewed

Step 2: Security Assessment

Evaluate sub-processor's security measures:

Technical Security:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Network security and firewalls
  • Intrusion detection and prevention
  • Vulnerability management
  • Patch management procedures
  • Secure development practices
  • Disaster recovery capabilities

Physical Security:

  • Data centre security (Tier rating)
  • Physical access controls
  • Environmental controls
  • Redundancy and resilience
  • Geographic location of data storage

Information provided via:

  • Security questionnaire completion
  • Third-party audit reports (SOC 2, ISO 27001)
  • Security certifications
  • Publicly available security documentation
  • Direct communication with security team

Step 3: GDPR Compliance Verification

Verify sub-processor's GDPR compliance:

Documentation Review:

  • Privacy policy and GDPR compliance statement
  • Data Processing Agreement (DPA) terms
  • Sub-processor's own sub-processors list
  • Data subject rights procedures
  • Breach notification procedures
  • Data retention and deletion policies
  • International transfer mechanisms (if applicable)

Compliance Evidence:

  • GDPR compliance certifications
  • Privacy Shield certification (if US-based, historical)
  • Standard Contractual Clauses (SCCs) availability
  • Adequacy decision coverage
  • Binding Corporate Rules (if applicable)
  • ICO or other EU supervisory authority approvals

Key Questions:

  • Do they process data lawfully?
  • Can they demonstrate GDPR compliance?
  • Have they had data breaches? How were they handled?
  • Do they cooperate with data subject requests?
  • Where is data stored and processed?
  • What are their sub-processors?

Step 4: Data Processing Agreement Review

Examine sub-processor's DPA:

Must Include:

  • Processing scope and limitations
  • Processor obligations (security, confidentiality, assistance)
  • Sub-processor provisions
  • Breach notification requirements
  • Audit rights
  • Data return or deletion on termination
  • Liability and indemnity
  • Governing law and jurisdiction

MDHosting Requirements:

  • DPA must meet UK GDPR Article 28 requirements
  • Terms must flow down to sub-processor's sub-processors
  • MDHosting retains liability for sub-processor
  • Right to audit must be included
  • Breach notification within 24 hours
  • Termination rights if non-compliant

Approval:

  • DPA reviewed by Data Protection Lead
  • Legal review for significant processors
  • Negotiations if terms inadequate
  • Must sign before processing begins

Step 5: Sub-Processor Questionnaire

Complete detailed questionnaire covering:

Company Information:

  • Legal entity name and registration
  • Primary business activity
  • Years in operation
  • Customer base size
  • Geographic presence

Data Processing:

  • Types of data processed for MDHosting
  • Processing locations (countries)
  • Data storage locations
  • Access by sub-processor staff (who, where)
  • Sub-processor's own sub-processors

Security and Compliance:

  • Security certifications (ISO 27001, SOC 2, etc.)
  • Last external security audit date
  • Penetration testing frequency
  • Staff security training
  • Incident response procedures
  • Business continuity plans

GDPR Compliance:

  • DPO appointed? Contact details
  • GDPR compliance programme
  • Data subject rights procedures
  • Previous data breaches (number, nature, outcome)
  • Supervisory authority interactions
  • Privacy Impact Assessments conducted

Step 6: Risk Assessment and Decision

Assess overall risk and make decision:

Risk Scoring:

  • Low risk: Established processor, strong security, GDPR compliant, EU-based
  • Medium risk: Non-EU but adequate safeguards, some security gaps, limited GDPR history
  • High risk: No GDPR certification, weak security, unclear location, no audit rights

Decision Criteria:

  • Risk level acceptable for processing type?
  • Can gaps be remediated before onboarding?
  • Is sub-processor essential or does an alternative exist?
  • Cost vs. risk balanced?

Approval Levels:

  • Low risk: Data Protection Lead approval
  • Medium risk: Director approval + monitoring plan
  • High risk: Reconsider or require improvements first

Step 7: Documentation

Document due diligence:

  • Questionnaire responses filed
  • Security assessment summary
  • DPA signed and stored
  • Risk assessment recorded
  • Approval documented
  • Onboarding date logged
  • Added to sub-processor register

Ongoing Compliance Monitoring

After onboarding, MDHosting monitors sub-processor compliance:

Annual Compliance Review

Each sub-processor reviewed annually:

Review Components:

  1. Security Certifications
     • Verify ISO 27001, SOC 2, or equivalent is current
     • Review audit reports if available
     • Check expiry dates and renewals
     • Request updated certificates

  2. Service Performance
     • Uptime and reliability metrics
     • Incident frequency and severity
     • Support responsiveness
     • Service level agreement compliance

  3. Contractual Compliance
     • DPA terms still adequate?
     • Any material changes to service?
     • Pricing and billing correct?
     • Renewal terms acceptable?

  4. GDPR Compliance
     • No reported data breaches?
     • Data subject rights still supported?
     • Privacy policy updates reviewed?
     • New sub-processors disclosed?

  5. News and Reputation
     • Media reports of breaches or issues?
     • Regulatory actions by ICO or others?
     • Customer complaints or concerns?
     • Financial stability concerns?

Annual Review Procedure:

  1. Review scheduled (calendar reminder)
  2. Information gathered from sources above
  3. Sub-processor contacted for updates
  4. Assessment summary prepared
  5. Approved by Data Protection Lead
  6. Continue, monitor, or terminate decision
  7. Review documented and filed

Data Breach Notification Monitoring

  • Subscribe to sub-processor security bulletins
  • Monitor industry news for breaches
  • Review sub-processor incident reports
  • Check ICO breach notifications database
  • Google Alerts for sub-processor name + "data breach"

If Sub-Processor Breach Occurs:

  1. Assess impact on MDHosting and clients
  2. Obtain full details from sub-processor
  3. Determine if MDHosting clients affected
  4. Notify affected clients within 24 hours
  5. Assess if MDHosting ICO notification required
  6. Review sub-processor response adequacy
  7. Consider termination if response inadequate

Security Updates and Changes

Monitor for:

  • Major security updates or patches required
  • Changes to security practices
  • New certifications obtained
  • Failed audits or compliance issues
  • Changes in key security personnel

Contract and Terms Monitoring

Track:

  • Contract renewal dates
  • Price changes or new fees
  • Terms of service updates
  • DPA amendments
  • SLA modifications
  • New sub-processor notifications

Service Level Monitoring

Track performance:

  • Availability/uptime metrics
  • Response times
  • Support ticket resolution
  • Planned maintenance windows
  • Unplanned outages
  • Performance degradation

Documentation and Records

Sub-Processor Register Maintenance

Central register contains:

  • Sub-processor name and legal entity
  • Service provided
  • Data processed
  • Countries of processing
  • Date added
  • Due diligence completion date
  • Last audit/review date
  • Next review due date
  • Risk rating
  • Current status (active, monitoring, terminated)
  • DPA on file (yes/no, date)
  • Certifications held

Regular Updates:

  • Updated when new sub-processor added
  • Updated when sub-processor removed
  • Updated annually after review
  • Version control maintained
  • Accessible to Data Protection Lead

Audit Records and Findings

For each sub-processor audit:

  • Audit date and type
  • Auditor (internal or third-party)
  • Scope of audit
  • Findings and issues identified
  • Risk level assigned to each finding
  • Remediation required
  • Sub-processor response
  • Remediation verification date
  • Close-out documentation

Retention:

  • Audit records retained 6 years
  • Available for ICO inspection
  • Provided to clients on request

Non-Compliance Issue Tracking

If sub-processor non-compliance identified:

Issue Log Contains: - Date identified - Nature of non-compliance - Severity (low, medium, high, critical) - Impact on MDHosting and clients - Sub-processor notified date - Response deadline - Sub-processor response - Remediation plan - Verification method - Resolution date - Escalation if not resolved

Escalation Process: - Low: 30 days to remediate - Medium: 14 days to remediate - High: 7 days to remediate - Critical: Immediate action or termination

Remediation Verification

Once sub-processor claims remediation: - Evidence requested (updated policies, audit reports, etc.) - Evidence reviewed and verified - Re-audit if necessary - Acceptance or rejection of remediation - Issue closed or escalated

Termination Procedures

If sub-processor must be terminated:

Termination Triggers: - Material breach of DPA - Serious data breach with inadequate response - Persistent non-compliance despite remediation - Failure to maintain security certifications - Financial insolvency or business closure - Loss of adequacy decision (international transfers) - MDHosting no longer needs service

Termination Process:

  1. Decision and Notice
     • Termination decision approved by Director
     • Reasons documented
     • Notice period per contract (typically 30-90 days)
     • Written termination notice sent

  2. Data Return or Deletion
     • Request return of all MDHosting/client data
     • Format and method specified (secure transfer)
     • Deletion of all copies required
     • Deletion timeline specified (within 30 days)
     • Certification of deletion obtained

  3. Client Notification
     • Clients informed of sub-processor termination
     • Explanation of reason (if appropriate)
     • Alternative arrangements communicated
     • No impact to service continuity assured
     • 30 days notice provided (if possible)

  4. Alternative Processor Selection
     • Identify replacement sub-processor
     • Conduct full due diligence (as per onboarding)
     • Migration plan developed
     • Client notification of new sub-processor
     • 30-day objection period honoured

  5. Documentation
     • Termination reason documented
     • Data deletion certification filed
     • Client notifications logged
     • Sub-processor removed from register
     • Lessons learned recorded

Emergency Termination:

If immediate termination required (critical breach):

  • Immediate cessation of processing
  • No notice period
  • Emergency data return within 48 hours
  • Client notification immediate
  • Alternative arrangements activated
  • Full investigation and documentation

Sub-Processor Audit Rights

MDHosting reserves right to audit sub-processors per DPA:

Audit Frequency:

  • At least annually for critical sub-processors
  • Every 2-3 years for lower-risk sub-processors
  • Ad-hoc if incident or concern arises
  • Upon client request (reasonable frequency)

Audit Methods:

  1. Self-Assessment Questionnaire
     • Annual compliance questionnaire
     • Updated security information
     • Certification renewals
     • Changes disclosure

  2. Document Review
     • Updated policies and procedures
     • Recent audit reports (SOC 2, ISO 27001)
     • Penetration test results
     • Incident reports and statistics

  3. On-Site Inspection
     • Physical data centre visit (if appropriate)
     • Staff interviews
     • System demonstrations
     • Security controls verification
     • Rare, typically for high-value processors

  4. Third-Party Audit
     • Commission independent auditor
     • Comprehensive technical assessment
     • Penetration testing
     • Used for critical or high-risk processors
     • Cost shared or borne by MDHosting

Audit Preparation:

  • 30 days notice provided (except ad-hoc incidents)
  • Audit scope defined
  • Information requests sent in advance
  • Confidentiality agreements signed
  • Audit schedule agreed

Audit Reporting:

  • Findings documented
  • Issues rated by severity
  • Recommendations provided
  • Remediation deadlines set
  • Follow-up audit scheduled if needed

International Transfers

Current Status: No international transfers outside UK/EU

All data is stored in Germany (EU), which is subject to:

  • EU GDPR (Germany)
  • UK GDPR adequacy decision for EU
  • No additional transfer mechanisms required

If Future Transfers Required:

  • Use appropriate transfer mechanisms (Adequacy decisions, SCCs, BCRs)
  • Conduct transfer impact assessments
  • Update privacy notices
  • Obtain consent where necessary

Client Data Processing Agreements

When MDHosting acts as a data processor for client websites, Data Processing Agreements (DPAs) establish the legal framework for processing personal data on behalf of clients.

Under UK GDPR Article 28, processors must have a contract or other legal act with the controller that sets out:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Controller's obligations and rights
  • Processor's obligations

MDHosting Position:

  • MDHosting is a data processor for website data hosted on behalf of clients
  • Clients are data controllers for their website visitors' personal data
  • DPA required for GDPR compliance
  • All hosting clients must have DPA in place

When DPA is Required

Mandatory DPAs for:

  • All web hosting services (client websites process personal data)
  • Email hosting (client emails contain personal data)
  • Database hosting (likely to contain personal data)
  • Any service where client uses MDHosting infrastructure to process personal data

Examples of Client Processing:

  • WordPress website with contact forms
  • E-commerce sites with customer databases
  • Email lists managed by clients
  • CRM systems hosted on client accounts
  • Forum or membership sites
  • Analytics data collection

Not Required When:

  • Client uses hosting only for static informational websites with no data collection
  • No forms, cookies, analytics, or user accounts on website
  • (However, DPA recommended for all clients as good practice)

Standard DPA Terms

MDHosting's standard Data Processing Agreement includes:

1. Processing Scope and Limitations

Subject Matter:

  • Provision of web hosting, email hosting, and related infrastructure services
  • Storage and processing of data uploaded by clients

Duration:

  • Term of hosting agreement
  • Plus retention period for backups (30 days after termination)

Nature and Purpose:

  • Processing solely for purpose of providing hosting services
  • No use of client data for MDHosting's own purposes
  • No data mining, profiling, or analytics beyond service provision

Types of Personal Data:

  • As determined by client (MDHosting doesn't control what data clients collect)
  • May include names, emails, IP addresses, contact details, payment information
  • Client specifies in DPA schedule

Categories of Data Subjects:

  • Client's website visitors
  • Client's customers and users
  • Client's employees (if applicable)
  • Any individuals whose data client processes

2. Processor Obligations

Processing Instructions:

  • Process data only on documented instructions from client
  • Instructions provided via control panel, support requests, or direct communication
  • No processing beyond client's instructions
  • Inform client if instruction violates UK GDPR

Confidentiality:

  • Staff authorised to process personal data committed to confidentiality
  • Confidentiality obligations survive termination
  • No unauthorised disclosure

Security Measures:

  • Implement appropriate technical and organisational measures (see Technical and Organisational Measures section)
  • Encryption, access controls, monitoring, backups
  • Regular security reviews and updates
  • Measures proportionate to risk

Sub-Processors:

  • MDHosting may engage sub-processors (Hetzner, payment processors, etc.)
  • Client informed of sub-processors (listed in this document)
  • Client may object to new sub-processors
  • Sub-processors bound by same obligations
  • MDHosting remains liable for sub-processor performance

Data Subject Rights:

  • Assist client in responding to data subject requests
  • Provide necessary information and access
  • Implement technical measures to facilitate rights (data export, deletion, etc.)
  • Response within reasonable timeframes

Breach Notification:

  • Notify client of personal data breaches without undue delay
  • Notification within 24 hours of breach discovery
  • Provide details to assist client's ICO notification (if required)
  • Cooperate in breach investigation and remediation

Audits and Inspections:

  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections
  • Client or appointed auditor may audit annually (on reasonable notice)
  • MDHosting cooperates fully

Data Return or Deletion:

  • On termination, return all personal data to client or delete it
  • Client chooses return or deletion
  • Data deleted from live systems and backups
  • Certification of deletion provided
  • Exception: data required to be retained by law

3. Controller Obligations

Clients (as data controllers) must:

Lawful Instructions:

  • Provide only lawful processing instructions
  • Ensure they have legal basis for processing
  • Not instruct MDHosting to process data unlawfully

Own GDPR Compliance:

  • Maintain own compliance for website data collection
  • Provide privacy notices to website visitors
  • Obtain consent where required
  • Respond to data subject requests
  • Maintain records of processing

Data Quality:

  • Ensure personal data is accurate and up-to-date
  • Implement data minimisation on their websites
  • Not collect excessive data
  • Delete data when no longer needed

Cooperation:

  • Cooperate with data subject requests affecting hosted data
  • Respond to MDHosting requests for breach investigation
  • Notify MDHosting of compliance issues
  • Provide necessary information for DPA compliance

Sub-Processor Acceptance:

  • Accept MDHosting's use of documented sub-processors
  • Object to new sub-processors if cannot accept (may terminate)

4. Data Transfers

  • Data stored in Germany (EU) - adequate protection
  • No transfers outside UK/EU without client consent
  • If future transfers required: Standard Contractual Clauses or other approved mechanism
  • Transfer impact assessment conducted before transfer

5. Liability and Indemnity

MDHosting Liability:

  • Liable for damage caused by processing only if failed to comply with UK GDPR processor obligations
  • Not liable if followed client's lawful instructions
  • Liability limited per hosting agreement terms

Client Liability:

  • Client liable for their own GDPR compliance
  • MDHosting not liable for client's website data collection practices
  • Client indemnifies MDHosting for client's GDPR breaches

Limitation:

  • Liability subject to hosting agreement limitations
  • No liability for indirect or consequential losses
  • Maximum liability as specified in hosting terms

DPA Management

DPA Acceptance

New Clients:

  • DPA provided during account signup
  • Acceptance required before service activation
  • Electronic acceptance via signup process
  • Copy available in client portal

Existing Clients:

  • DPA terms incorporated in hosting agreement
  • Acceptance implied by continued use of services
  • Updated DPA provided when terms change
  • 30 days notice of material changes

Documentation:

  • DPA stored securely (not in public git repository)
  • Accessible in client portal
  • Reference number logged
  • Acceptance date recorded

Storage and Tracking

Where DPAs are Stored:

  • Client account records (secure database)
  • Client portal documents section
  • Internal compliance documentation
  • Encrypted backup storage

Tracking System:

  • DPA status for each client (accepted, pending, declined)
  • Version control for DPA document
  • Acceptance date and method logged
  • Renewal and review dates tracked

Review and Amendment

Annual Review:

  • DPA terms reviewed annually
  • Updated for regulatory changes
  • Updated for service changes
  • Updated for new sub-processors

Amendment Process:

  1. Material changes identified
  2. Updated DPA drafted
  3. Clients notified 30 days in advance
  4. Acceptance requested via portal
  5. Non-acceptance = option to terminate
  6. Record amendment and acceptance

Client Requests:

  • Clients may request specific DPA terms
  • Reasonable requests accommodated
  • Custom DPA for enterprise clients
  • Approval by Data Protection Lead

Client Signature Requirements

Standard DPA:

  • Electronic acceptance sufficient
  • Checkbox acceptance in portal
  • Email confirmation sent
  • No handwritten signature required

Enterprise/Custom DPA:

  • May require formal signing
  • DocuSign or similar e-signature platform
  • Mutual execution by both parties
  • Originals retained by both parties

Record Keeping:

  • Acceptance records retained 6 years after termination
  • Audit trail of all amendments
  • Version history maintained
  • Available for ICO inspection

Sub-Processor Disclosure

Clients informed of sub-processors via:

  1. This GDPR Document
     • Current sub-processors listed in Third-Party Processors section
     • Publicly accessible
     • Updated when changes occur

  2. DPA Schedule
     • Attached to client DPA
     • Lists all current sub-processors
     • Updated with DPA amendments

  3. Change Notifications
     • 30 days notice before adding new sub-processor
     • Email notification to all clients
     • Portal notification
     • Right to object

Client Objection Process:

  • Client notifies objection within 30 days
  • MDHosting considers objection
  • If accommodation impossible: client may terminate without penalty
  • If accommodation possible: alternative arrangement discussed

DPA Compliance Monitoring

Quarterly Reviews:

  • Review DPA compliance across client base
  • Check for new sub-processors requiring disclosure
  • Verify security measures remain adequate
  • Update documentation as needed

Annual Audit:

  • Comprehensive DPA compliance audit
  • Sample client files reviewed
  • Sub-processor obligations verified
  • Improvements identified and implemented

Metrics Tracked:

  • Percentage of clients with DPA in place
  • Sub-processor change notifications sent
  • Client objections received
  • Breach notifications to clients (number and response time)
  • Audit requests received and fulfilled

DPA Templates and Resources

Available to Clients:

  • Standard MDHosting DPA (in client portal)
  • Sub-processor list (in this document and portal)
  • Security measures summary
  • Data return/deletion request form
  • Audit request procedure

Internal Use:

  • DPA acceptance tracking spreadsheet
  • Amendment notification templates
  • Breach notification to client template
  • Audit cooperation checklist
  • Data return/deletion procedure

Privacy Notices

Client Privacy Notice

Location: Website, provided at account signup

Contents:

  • Identity and contact details of data controller
  • Data protection officer contact (if appointed)
  • Purposes and legal basis for processing
  • Categories of data processed
  • Recipients of data (sub-processors)
  • Retention periods
  • Data subject rights and how to exercise them
  • Right to lodge complaint with ICO
  • Whether providing data is contractual requirement

Review: Annually or when processing changes

End-User Privacy (Client Websites)

Client Responsibility

Clients must provide their own privacy notices for website visitors. MDHosting is not responsible for client privacy notices.

Support Provided:

  • Template privacy policy available on request
  • Guidance on cookie consent requirements
  • Technical implementation support

Data Protection Impact Assessments (DPIAs)

When Required

DPIA required when processing is likely to result in high risk, including:

  • Large-scale systematic monitoring
  • Large-scale processing of special category data
  • Systematic use of automated decision-making
  • Processing of children's data
  • New technologies with high privacy risk

Current Assessment: Standard hosting operations do not require DPIA

Future Triggers:

  • Implementing automated fraud detection
  • Large-scale email processing/scanning
  • Biometric authentication systems
  • AI/ML-based services

DPIA Process

If required in future:

  1. Describe processing and purposes
  2. Assess necessity and proportionality
  3. Identify and assess risks to data subjects
  4. Identify measures to mitigate risks
  5. Document outcomes and decisions
  6. Consult ICO if high residual risk remains

Technical and Organisational Measures

Security Measures

Access Control:

  • SSH key authentication (passwords disabled)
  • Non-standard SSH ports
  • IP whitelisting where practical
  • Strong password requirements for control panels

Encryption:

  • Data in transit: TLS/SSL for all services
  • SSH encryption for remote access
  • HTTPS enforced for all websites
  • Data at rest: Server-level encryption (Hetzner)

Monitoring:

  • Firewall (CSF) on all servers
  • Failed login monitoring (Fail2Ban)
  • Log collection and analysis
  • Wazuh SIEM deployment (planned Q1 2025)

Backups:

  • Daily automated backups
  • 30-day retention
  • Off-server storage
  • Regular restoration testing

See Security Overview for complete technical measures.
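As an added example (not MDHosting's own tooling, configuration or logs), the script below verifies two of the measures listed above in a form an administrator could run during the quarterly review: that an sshd_config enforces key-only authentication on a non-default port, and that repeated failed logins from one source are detected the way a Fail2Ban sshd jail would. The sshd_config fragments and auth log lines are constructed sample data; the fallback values in the checker are the OpenSSH defaults that apply when a keyword is absent, and the `maxretry`/`findtime` values mirror the Fail2Ban defaults rather than any jail MDHosting actually runs.

```python
"""Two checks for the Access Control and Monitoring measures listed above:
(1) sshd configured for key-only authentication on a non-default port, and
(2) repeated failed logins from one source, the condition Fail2Ban bans on.
All configs and log lines below are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd_config fragments (assumptions for the example, not a real server's config).
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_SSHD_CONFIG = """\
# non-standard port, keys only, no PAM keyboard-interactive passwords either
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its value. sshd honours the first
    occurrence of a keyword, so later duplicates are ignored; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd_config(text):
    """Return findings against the Access Control measures; an empty list means compliant.
    Fallback values are the OpenSSH defaults used when a keyword is absent."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled")
    # KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication)
    # defaults to yes and can still accept passwords through PAM.
    kbd = (s.get("kbdinteractiveauthentication")
           or s.get("challengeresponseauthentication") or "yes")
    if kbd.lower() != "no":
        findings.append("keyboard-interactive authentication still enabled")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s.get("port", "22") == "22":
        findings.append("SSH listening on default port 22")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes permits root password login")
    return findings


# Constructed auth log lines in syslog format (sample data, not from a real server).
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 09:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 09:12:05 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 10 09:12:07 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 10 09:12:09 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jan 10 09:15:44 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 09:20:10 web1 sshd[2344]: Failed password for deploy from 198.51.100.20 port 40200 ssh2
"""

# One of the line shapes Fail2Ban's sshd filter matches; the real filter covers more.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def failed_logins_by_source(log_text):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def sources_to_ban(log_text, maxretry=5, findtime=600):
    """Source IPs with at least `maxretry` failures inside any `findtime`-second window,
    i.e. the condition on which a Fail2Ban sshd jail bans (defaults are Fail2Ban's own)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for measuring gaps within one log.
            events[m.group("ip")].append(datetime.strptime(line[:15], "%b %d %H:%M:%S"))
    banned = []
    for ip, times in events.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    print("weak config:", check_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", check_sshd_config(HARDENED_SSHD_CONFIG))
    print("failures by source:", dict(failed_logins_by_source(SAMPLE_AUTH_LOG)))
    print("would ban:", sources_to_ban(SAMPLE_AUTH_LOG))
```

Running it flags four findings for the weak fragment and none for the hardened one, and selects only 203.0.113.7 for banning (five failures in eight seconds); the single failure from 198.51.100.20 stays below the threshold. The keyboard-interactive check is the one most often missed when "passwords disabled" is claimed: with PAM enabled, `PasswordAuthentication no` alone still lets sshd prompt for a password.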

Organisational Measures

Policies and Procedures:

  • This GDPR compliance document
  • Security policies documented
  • Incident response procedures
  • Staff confidentiality obligations

Staff Training:

  • GDPR awareness training (annual)
  • Security best practices
  • Incident response procedures
  • Data handling requirements

Accountability:

  • Senior management oversight
  • Regular compliance reviews
  • Documentation of processing activities
  • Record of processing activities maintained

Data Processing Records

Record of Processing Activities (Article 30)

Required Information:

  • Name and contact details of controller
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients (including third countries)
  • Transfers to third countries and safeguards
  • Retention periods
  • Technical and organisational security measures

Maintenance:

  • Updated when processing changes
  • Available for ICO inspection
  • Reviewed annually

Format: Internal register (secure location, not in git)

Staff Responsibilities

All Staff

  • Understand GDPR principles and company obligations
  • Process data only as authorised
  • Report suspected data breaches immediately
  • Maintain confidentiality of client data
  • Complete annual GDPR training

System Administrators

  • Implement security measures
  • Maintain access controls
  • Monitor for security incidents
  • Perform regular backups and test restorations
  • Document system changes

Support Staff

  • Verify identity before disclosing data
  • Handle data subject requests appropriately
  • Escalate complex requests to management
  • Document support interactions

Management

  • Oversee GDPR compliance programme
  • Approve data processing changes
  • Handle data subject rights requests
  • Maintain processor agreements
  • Liaise with ICO if required

GDPR Training Programme

MDHosting maintains a comprehensive GDPR training programme to ensure all staff understand data protection obligations and handle personal data appropriately.

Training Programme Structure

1. Induction Training (New Staff)

All new staff receive GDPR training during induction:

Timing:

  • Completed within first week of employment
  • Before access to personal data granted
  • Refresher after 30 days
  • Assessment required

Content:

  • UK GDPR fundamentals and principles
  • MDHosting's role as controller and processor
  • Types of personal data processed
  • Legal bases for processing
  • Data subject rights overview
  • Confidentiality obligations
  • Data breach reporting procedures
  • Where to find policies and procedures

Duration: 2-3 hours (online modules + discussion)

Delivery:

  • ICO online training modules
  • Internal policy documentation review
  • One-to-one session with Data Protection Lead
  • Written materials provided

Assessment:

  • Quiz on key concepts
  • 80% pass mark required
  • Retake if failed
  • Certificate of completion

2. Annual Refresher Training

All staff complete annual refresher training:

Timing:

  • Every 12 months from induction or last refresher
  • Reminders sent 30 days before due
  • Mandatory completion within 14 days of due date
  • Tracked in training log

Content:

  • GDPR principles recap
  • Updates to regulations or guidance
  • Changes to MDHosting policies
  • Case studies and lessons learned
  • Recent incidents and how to prevent them
  • Data subject rights procedures
  • Current compliance challenges

Duration: 1-2 hours

Delivery:

  • Online training modules
  • Annual team meeting/workshop
  • Updated written materials
  • Q&A session

Assessment:

  • Short quiz on updates and key topics
  • 80% pass mark
  • Certificate updated

3. Role-Specific Training Modules

Additional training tailored to specific roles:

Frequency: Annual or when role changes

4. Incident-Based Training

Training provided when incidents occur:

Triggers:

  • Data breach discovered
  • Compliance issue identified
  • Near-miss incident
  • Client complaint
  • ICO guidance update

Approach:

  • Review what happened
  • Why it happened
  • How to prevent recurrence
  • Updated procedures
  • All relevant staff trained

Training Curriculum by Role

All Staff - Core Curriculum

Topics covered:

  1. GDPR Fundamentals
     • What is GDPR and why it matters
     • Seven data protection principles
     • Lawful bases for processing
     • Data controller vs. processor roles

  2. Data Handling Basics
     • What is personal data
     • Special category data
     • How to handle data securely
     • Where data can be stored
     • When to encrypt
     • Secure disposal

  3. Breach Reporting
     • What constitutes a data breach
     • Examples of breaches
     • How to report immediately
     • Who to notify
     • What happens next

  4. Confidentiality
     • Non-disclosure obligations
     • Discussing client data
     • Working remotely securely
     • Physical security (locked screens, papers)

  5. Subject Rights
     • Seven rights overview
     • How to recognise a request
     • Who to escalate to
     • Response timelines

System Administrators - Additional Curriculum

Topics specific to technical roles:

  1. Security Measures
     • Encryption implementation (TLS, SSH, disk)
     • Access control configuration
     • Firewall and CSF management
     • Security patching procedures
     • Vulnerability scanning

  2. Access Controls
     • Principle of least privilege
     • User access provisioning/deprovisioning
     • SSH key management
     • Password policies enforcement
     • Two-factor authentication

  3. Logging and Monitoring
     • What to log and why
     • Log retention periods
     • Log analysis for incidents
     • Monitoring tools (Fail2Ban, etc.)
     • Alert response procedures

  4. Backup and Recovery
     • Backup schedules and verification
     • Restoration testing procedures
     • Off-site backup security
     • Retention period enforcement
     • Secure backup deletion

  5. Data Deletion
     • Secure deletion methods
     • Backup purging procedures
     • Overwriting vs. unlinking
     • Hardware disposal (secure wiping)
     • Verification of deletion

Support Staff - Additional Curriculum

Topics for client-facing roles:

  1. Identity Verification
     • Why verification is critical
     • Standard verification methods
     • Enhanced verification requirements
     • When to escalate
     • Refusing unverified requests

  2. Data Subject Requests
     • Recognising DSR in support tickets
     • Immediate logging procedures
     • Timeline importance (1 month)
     • What information to collect
     • Escalation to Data Protection Lead

  3. Confidentiality in Support
     • Verifying who you're speaking to
     • Not discussing client A with client B
     • Secure communication channels
     • Screen sharing precautions
     • Ticket documentation best practices

  4. Handling Complaints
     • GDPR-related complaints
     • Escalation procedures
     • Response timelines
     • Documentation requirements
     • ICO complaint rights information

Management - Additional Curriculum

Topics for oversight and decision-making:

  1. GDPR Compliance Oversight
     • Accountability principle in practice
     • Demonstrating compliance
     • Record of processing activities
     • Compliance monitoring metrics
     • Board/director reporting

  2. Decision-Making and Approvals
     • When to approve erasure requests
     • Balancing legitimate interests
     • Assessing manifestly unfounded requests
     • Extension decisions (1 to 3 months)
     • Refusal criteria and justification

  3. ICO Liaison
     • When to contact ICO (breaches, consultations)
     • How to prepare for ICO enquiries
     • Providing evidence and documentation
     • Responding to enforcement notices
     • Formal investigation procedures

  4. Breach Assessment
     • High risk vs. low risk criteria
     • ICO notification requirements
     • Data subject notification requirements
     • Breach containment decisions
     • Post-incident reviews

  5. Vendor Management
     • Sub-processor due diligence
     • DPA negotiation and approval
     • Ongoing vendor auditing
     • Termination decisions
     • Alternative vendor selection

Training Delivery Methods

1. Online Courses

Primary delivery method:

ICO Resources:

  • ICO's free online training courses
  • "Introduction to Data Protection" module
  • Sector-specific guidance modules
  • Video tutorials and guides
  • Case studies and scenarios

Advantages:

  • Self-paced learning
  • Consistent content
  • Automated tracking
  • Certificates provided
  • Free of charge

2. Internal Documentation Review

Supplementary method:

Documents to Review:

  • This GDPR compliance document
  • Privacy notices
  • Data processing records
  • Security policies
  • Incident response procedures

Approach:

  • Assigned reading with confirmation
  • Understanding checks via quiz
  • Discussion of application to role
  • Questions answered by Data Protection Lead

3. Scenario-Based Exercises

Interactive learning:

Examples:

  • "A client emails asking for their data - what do you do?"
  • "You discover a misconfigured server exposing client files - next steps?"
  • "Client requests deletion but has outstanding invoices - decision?"

Benefits:

  • Practical application
  • Critical thinking
  • Discussion and debate
  • Memorable learning
  • Identifies knowledge gaps

4. External Training (When Required)

Professional training for complex topics:

When Used:

  • Specialised technical training (security tools)
  • Legal updates requiring professional interpretation
  • Complex compliance topics
  • New regulations or major changes
  • Management strategic training

Providers:

  • ICO workshops and seminars
  • Legal firms (data protection specialists)
  • Professional training organisations
  • Industry conferences

Budget:

  • Allocated annually
  • Prioritised by need and role
  • Cost-benefit assessed

Training Records and Tracking

Training Log Contents:

For each staff member:

  • Employee name and role
  • Induction training completion date
  • Induction assessment score
  • Annual refresher due dates
  • Annual refresher completion dates
  • Annual assessment scores
  • Role-specific training completed
  • Incident training received
  • External courses attended
  • Certificates obtained
  • Training gaps identified

Log Format:

  • Spreadsheet or HR system
  • Accessible to Data Protection Lead and Management
  • Updated immediately after training
  • Reviewed monthly for overdue training

Tracking Methods:

  1. Calendar Reminders
     • Annual refresher due dates
     • 30-day advance warnings
     • 14-day overdue notices
     • Escalation if not completed

  2. Completion Tracking
     • Online course completion certificates
     • Quiz results recorded
     • Attendance registers for workshops
     • Self-certification for document reviews

  3. Competency Assessment
     • Quiz scores tracked
     • Practical assessments (scenario responses)
     • Manager observations
     • Incident performance review

Competency Standards:

  • Induction: 80% quiz pass required
  • Annual refresher: 80% quiz pass required
  • Role-specific: Competency demonstration required
  • Continuous: No GDPR-related incidents attributed to lack of training

Remedial Actions if Below Standard:

  • Additional training provided
  • One-to-one coaching
  • Retake assessments
  • Increased supervision
  • Role reassessment if persistent failure

Refresher Scheduling

Annual Cycle:

January:

  • Review training materials for updates
  • Incorporate regulatory changes
  • Update quiz questions
  • Plan year's training schedule

Quarterly:

  • Review training log for compliance
  • Chase overdue completions
  • Assess training effectiveness
  • Address any gaps

Monthly:

  • Send upcoming refresher reminders
  • Process completed training
  • Update certificates
  • Report metrics to management

Ad-Hoc:

  • Incident-triggered training as needed
  • New hire inductions as required
  • Role change training when promoted/transferred

Compliance Reporting

Monthly Training Metrics:

  • Total staff count
  • Staff with current training (%)
  • Overdue training count
  • Recent completions
  • Average assessment scores
  • Training gaps identified

Annual Training Report:

  • Total training hours delivered
  • All staff training status
  • Assessment score trends
  • Training effectiveness evaluation
  • Incidents linked to training gaps
  • Improvements for next year
  • Budget utilisation

Reporting To:

  • Data Protection Lead (monthly)
  • Director/Management (quarterly)
  • Included in annual compliance review
  • Available for ICO inspection

Training Content Updates

Trigger for Updates:

  • UK GDPR amendments or new regulations
  • ICO guidance changes
  • Lessons learned from incidents
  • New services or processing activities
  • Sub-processor changes
  • Client feedback or complaints
  • Annual review recommendations

Update Process:

  1. Identify need for update
  2. Draft updated content
  3. Review and approve
  4. Distribute to relevant staff
  5. Test understanding (if major)
  6. Document update in training materials version control

Version Control:

  • Training materials versioned (v1.0, v1.1, etc.)
  • Change log maintained
  • Current version clearly marked
  • Archived versions retained
  • Staff trained on current version

Complaints and Supervisory Authority

Internal Complaints

Process:

  1. Receive complaint via email or support ticket
  2. Acknowledge within 48 hours
  3. Investigate and assess
  4. Respond with outcome within 1 month
  5. Document complaint and resolution

ICO Complaints

Data subjects have the right to lodge complaints with:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/

Our Cooperation:

  • Respond to ICO enquiries within requested timeframes
  • Provide requested documentation and evidence
  • Implement any required remedial actions
  • Maintain professional and cooperative relationship

Compliance Monitoring

Regular Reviews

Monthly:

  • Review new data processing activities
  • Check for new sub-processors
  • Review access logs for anomalies

Quarterly:

  • Review data retention and perform deletions
  • Update sub-processor list
  • Check for expired consents

Annually:

  • Full GDPR compliance audit
  • Staff training refresh
  • Privacy notice review and update
  • Review and update this document
  • Risk assessment update

Compliance Checklist

  • Privacy notices up to date and accessible
  • Data processing records maintained
  • Sub-processor agreements current
  • Breach notification procedures tested
  • Staff completed GDPR training
  • Data subject rights requests log current
  • Security measures documented and operational
  • Retention schedule followed
  • Backup and recovery tested
  • ICO registration current

Resources and References

  • UK GDPR: https://www.legislation.gov.uk/uksi/2019/419/contents/made
  • Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents
  • ICO Guidance: https://ico.org.uk/for-organisations/

ICO Resources

  • Guide to GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
  • SME Guidance: https://ico.org.uk/for-organisations/sme-web-hub/
  • Breach Reporting: https://ico.org.uk/for-organisations/report-a-breach/

Internal Documentation


Document Status: ✅ Complete - Comprehensive operational procedures established
Last Updated: January 2026
Next Review: January 2027
Document Owner: Matthew Dinsdale (Director)
Contact: admin@mdhosting.co.uk

This document establishes comprehensive GDPR compliance procedures for MDHosting Ltd, including operational workflows for data protection, consent management, data subject rights, privacy by design, client data processing agreements, sub-processor management, and staff training. It should be reviewed annually and updated when processing activities change.