General Data Protection Regulation Policy
- Policy prepared by: G Watkins, Helpdesk Manager
- Approved by: P Rawsthorne, N Arnold, T Richards; Company Directors
- Policy became operational on: 21 May 2018
- Last review date: 28 May 2021
- Next review date: 28 May 2022
Haven Systems needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how personal data is collected, handled and stored to meet the company’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Haven Systems:
- Complies with General Data Protection Regulation (GDPR) law and follows good practice
- Protects the rights of staff, customers and partners
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
General Data Protection Regulation Law
The General Data Protection Regulation 2018 describes how organisations including Haven Systems must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and securely and not disclosed unlawfully.
GDPR is underpinned by the following principles. Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Article 5(2) requires that:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles”
PEOPLE, RISKS AND RESPONSIBILITIES
This policy applies to:
- All Haven Systems sites and offices
- All staff and volunteers of Haven Systems
- All contractors, suppliers and other people working on behalf of Haven Systems
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of GDPR. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- IP addresses
- Any other information relating to an identifiable individual
Data protection risks
This policy helps to protect Haven Systems from data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data
Each team that handles personal data must ensure that it is handled and processed in line with this policy and GDPR Principles.
However, these people have key areas of responsibility:
The Directors of Haven Systems are ultimately responsible for ensuring that Haven Systems meets its legal obligations.
The Operational Director, Peter Rawsthorne, is responsible for:
- Reviewing all data protection procedures and related policies, in line with an agreed schedule
- Arranging data protection training and advice for the people covered by this policy
- Handling data protection questions from staff and anyone else covered by this policy
- Dealing with requests from individuals to see the data Haven Systems holds about them (also called ‘subject access requests’)
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data (‘Processors’)
The Technical Director, Neil Arnold, is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services
The Marketing Director, Tim Richards, is responsible for:
- Approving any data protection statements attached to communications such as emails and letters
- Addressing any data protection queries from journalists or media outlets like newspapers
- Where necessary, working with other staff to ensure marketing initiatives abide by GDPR principles
- The only staff able to access data covered by this policy are those who need it for their work
- Data must not be shared informally. When access to confidential information is required, employees can request it from their line managers
- Haven Systems will provide training to all employees to help them understand their responsibilities when handling data
- Employees should keep data secure, by taking sensible precautions and following the guidelines below:
- Strong passwords are enforced and they must never be shared
- Personal data must never be disclosed to unauthorised people, either within the company or externally
- Employees must request help from their line manager or the person responsible for data protection if they are unsure about any aspect of data protection
- Data should be regularly reviewed and updated if it is found to be out of date. Data that is no longer required or used should be deleted and disposed of securely.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Technical Director or the Helpdesk Manager.
When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see or access it.
These guidelines also apply to data that is usually stored electronically but has been printed out:
- When not required, the paper or files must be kept in a locked drawer or filing cabinet
- Employees should make sure paper and printouts are not left where unauthorised people could see them, on a printer for instance
- Data printouts must be shredded and disposed of securely when no longer required
Haven Systems ensures that no documents containing personal data are kept longer than necessary. Relevant documentation required by law is kept and archived. Archived documents are reviewed regularly to remove documents and data that are no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data must be protected by strong passwords that are changed regularly and never shared between employees
- If data is stored on removable media (such as a CD or USB stick), it must be kept locked away securely when not in use and securely disposed of when no longer needed
- Data is only stored on designated drives or servers, and only uploaded to approved cloud computing services when required
- Servers containing personal data are sited in a secure location, away from general office space
- Data is backed up frequently. These backups are tested regularly, in line with Haven Systems’ standard backup procedures
- Data must never be saved directly to laptops or other mobile devices like tablets or smartphones
- All servers and computers containing data are protected by approved security software and a firewall
Personal data is of no value to Haven Systems unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended
- Data must be encrypted before being transferred electronically. The Technical Director can explain how to send data to authorised external contacts
- Personal data must never be transferred outside of the European Economic Area
- Employees must not save copies of personal data to their own computers. Always access and update the central copy of any data
- Due to the nature of Haven Systems’ business in providing technical support for our customers, there are many occasions where customer data needs to be tested onsite at Haven Systems offices. To do this effectively, a randomised copy of customer data is put onto the test systems at Haven Systems. Once testing is complete, the copy of customer data is removed from the test systems and securely disposed of. Details of this process are provided for each customer in their Service Level Agreement.
A list of all current data sources containing personal data is kept, listing where the data is stored, what personal data is included and the lawful basis for having the data.
Lawful Basis Compliance Checklist
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
- We have documented our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
- Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
- Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.
The law requires Haven Systems to take steps to ensure data is kept accurate and up to date.
Haven Systems should ensure that all personal data is accurate and, if any data is discovered to be inaccurate, it should be corrected immediately.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Staff should take every opportunity to ensure data is up to date. For instance, from time to time, confirming a customer’s details when they call
- Haven Systems will make it easy for data subjects to update the information Haven Systems holds about them.
- Data must be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database
- It is the Sales Director’s responsibility to ensure marketing databases are checked against industry suppression files every six months
SUBJECT ACCESS REQUESTS
All individuals who are the subject of personal data held by Haven Systems are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
- Receive a digital copy of any or all personal data held by Haven Systems in a suitable format
If an individual contacts Haven Systems requesting this information, this is called a subject access request.
Subject access requests from individuals should be made via email, addressed to the data controller at firstname.lastname@example.org. The data controller will supply a standard request form, although individuals do not have to use this.
The subject access request is free of charge to the individual and Haven Systems will have 30 days to fulfil the request.
Haven Systems will always verify the identity of anyone making a subject access request before handing over any information.
DISCLOSING DATA FOR OTHER REASONS
Haven Systems will never disclose personal data to a third party without the direct written permission of the Data Controller. However, in certain circumstances (for example, a court order), GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Haven Systems will disclose requested data and inform the data controller. However, the data controller will ensure the request is legitimate, seeking assistance from the Company Directors and the company’s legal advisers where necessary.
Haven Systems aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
The privacy notice is available on the Haven Systems Website.
CONTROLLER / PROCESSOR AGREEMENTS
An agreement will be put in place by Haven Systems with its partners with whom data is shared. It will be made clear in the agreement which partner is the Controller and which is the Processor.
If no data processing takes place for a partner, the agreement will set out any Haven Systems involvement in data handling for that partner, including data storage.
Sales and Marketing
When we contact other businesses to discuss sales, the contact details will be held on the CRM system. If the lead converts to a customer, the details will continue to be held on the CRM until the customer is no longer a customer, and then removed. If no business is concluded, then the contact’s personal details will be removed after 6 months, or sooner if requested.
Contact details held are as follows:
- Full Name
- Company Name
- Position held within company
- Business address
- Telephone number
- Email address
If marketing lists are used, we will regularly ensure that permission has been given by businesses to be included on the list.
Customers will be asked regularly whether it is acceptable to hold their information and to confirm that their details are accurate.