Data & Privacy: Our promises

We’ll always keep your data safe and secure. Here are our policies and documentation in relation to the General Data Protection Regulation (GDPR):

The following policy outlines our practices and procedures when it comes to the collection, handling, storing and protection of your data.

What data do we collect?
In order to deliver our service to our customers, we ask for personal information such as names, email addresses, postal addresses, and any other relevant information required. We are committed to recording data accurately and securely to ensure all communications are limited to the intended recipient.

Why we collect data
We collect data in order to facilitate our business requirements. We only collect data under the following lawful bases:

(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

How it is processed and stored
All of our electronic data is protected by a secure server and our secure environment is password protected. We have anti-virus software in place and our website operates under an SSL Certificate providing a secure connection for its users. Any paper data is held within locked filing cabinets inside a secure office environment which is protected through surveillance cameras and building security.

Access to our data is limited to our internal team who have all been trained on our Data and Privacy Policy.

Third party systems
We rely on AppleMail for storage of our email data.

How we protect your data
We are committed to keeping your data safe and secure. Above and beyond the practices noted in this policy, we have a dedicated Data Protection Officer to ensure our practices are being upheld and adhered to. Should any issues be detected in terms of the use or security of our data, our Data Protection Officer will first ensure that corrective measures are taken to prevent any further breaches. Once the breach has been contained, the event will be fully documented and we will analyse its severity. If the breach is considered to be of low severity and to pose little risk to individuals, we will ensure it is documented and appropriate measures are taken to prevent a repeat occurrence. If the breach is considered to be of high severity and to pose a risk to individuals' rights and freedoms, we will take all measures noted above in addition to notifying the individuals affected and notifying the ICO within 72 hours.

Step 1. All staff having been adequately trained and notified, any staff member becoming aware of a data breach shall immediately notify the Data Protection Representative for the company, Marc Shuttleworth, with the following details being recorded:

(a) Description of the incident in as much detail as possible.
(b) Time, date and location of the incident.
(c) Details of how the incident occurred and any relevant events leading up to it.
(d) If there has been a delay in reporting the incident to the DPR/DPO, explain your reasons.
(e) What personal data has been placed at risk? Please specify if any financial or sensitive personal data has been affected and provide details of the extent.
(f) How many individuals have been affected?
(g) Are the affected individuals aware that the incident has occurred?
(h) What are the potential consequences and adverse effects on those individuals?
(i) Have any affected individuals complained to the organisation about the incident?

Step 2. The DPR/DPO, in conjunction with the Board of Directors, shall determine whether the personal data breach is likely to result in a risk to the rights and freedoms of natural persons. If there is uncertainty, it should be assumed that it will.

Step 3. The DPR/DPO, or an appropriate alternative, shall notify the Supervisory Authority of the incident within 72 hours. The following form can be completed and submitted to the ICO in the event of a data breach:
https://ico.org.uk/media/for-organisations/documents/2666/security_breach_notification_form.doc

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe, in clear and plain language, the nature of the personal data breach and contain at least the following information and measures:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

This communication to the data subject shall not be required if any of these conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.