Overview
This policy requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in accordance with the General Data Protection Regulation (the “GDPR”) given the purposes for which those data were obtained;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Policy
Impact of GDPR
- As an organisation that holds personal data we need to comply with GDPR.
- Personal data means: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- This includes personnel records, customer details, sales and marketing information, prospect information, online identifier data, etc. We are accountable to the Information Commissioner’s Office (“ICO”). Whilst this accountability is not a new requirement, GDPR requires all organisations to record and document compliance with all applicable aspects of GDPR. The regulation also gives individuals more rights in respect of their data, including more control and visibility of how their personal data is being used and the right to have that information removed or moved if requested.
The kind of information we hold about you
We may collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Gender.
- Marital status and dependants.
- Next of kin and emergency contact information.
We may also collect, store and use the following "special categories" of more sensitive personal information:
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Trade union membership.
Lawful basis for processing
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
Provision of Contractual Services
- For the provision of legal services, the appropriate lawful basis is contract. Data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Provision of Marketing Further Information
We may undertake marketing activities; therefore we have carried out the following steps to ensure that when we do so we are compliant:
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
Recording consent
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
Data Controllers and Data Processors
- GDPR applies to controllers and processors.
- A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
As a data controller
- We shall be responsible for, and be able to demonstrate, compliance with the principles.
As a data processor
- We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
- We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
- We have documented our decision on which lawful basis applies to help us demonstrate compliance.
- We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
- Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
Our policy is to process personal data in accordance with applicable data protection laws and individuals' rights as set out below, and to comply with the following data protection principles.
Data Protection Principles
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Compliance with GDPR
- We undertake data-mapping to understand our data sources and storage for all stages of data custody. We look to identify what we are doing with data, how we are protecting data and how we are ensuring we do not infringe on the rights of the subject of that data. That includes that personal data should be obtained for one or more specified purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Understanding our data uses for the specific purposes for which the data is being collected (legitimate interests, records of processing, consent, ensuring that data is adequate, relevant and not excessive in relation to the purpose).
Data sharing
- We may have to share your data with third parties, including third-party service providers and other entities in the group.
- We require third parties to respect the security of your data and to treat it in accordance with the law.
- We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
- We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Which third-party service providers process my personal information?
- "Third parties" includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: holding client contact details through raised Service Ticket Desks, and supporting clients through various third-party software, provisions and quotations.
How secure is my information with third-party service providers and other entities in our group?
- All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might you share my personal information with other entities in the group?
- We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
What about other third parties?
- We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
- We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to stock exchange regulators and disclosures to shareholders such as directors' remuneration reporting requirements.
- No data relating to a client shall be disclosed in any way except:
  - Where access to a client matter file is required to perform the main contract agreement, and only after specific permission is given by the agreed client contacts.
  - Basic client information held on devices where this cannot reasonably be avoided in order to comply with the contract.
- No information relating to our client or their client should be disclosed in any form other than to:
  - An employee of the company.
  - An employee of Chris Bowker Limited, provided such disclosure is essential to perform the contract.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
Handling your data
We will do the following when handling personal data:
- We will implement appropriate technical and organisational measures to protect data against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- We will take reasonable steps to ensure that employees and contractors do not breach the duty of confidentiality of this statement.
- We will be allowed to audit, obtain information and inspect records in order to comply with the contract.
- We will be allowed to hold client employee contact details (name, email address, phone number) for the contract.
- We will implement appropriate controls to ensure that data is not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Breaches
Preparing for a personal data breach
- We know how to recognise a personal data breach.
- We understand that a personal data breach is not only about loss or theft of personal data.
- We have prepared a response plan for addressing any personal data breaches that occur.
- We have allocated responsibility for managing breaches to a dedicated person or team.
- We know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Responding to a personal data breach
- We have in place a process to assess the likely risk to individuals as a result of a breach.
- We know who is the relevant supervisory authority for our processing activities.
- We have a process to notify the ICO, where appropriate, of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet.
- We know what information we must give the ICO about a breach.
- We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
- We know we must inform affected individuals without undue delay.
- We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.
- We document all breaches, even if they do not all need to be reported.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Implementation and Review
If you have any questions or concerns relating to our GDPR compliance, please contact Louise Nicolaichuk.
This policy takes effect from 25 May 2018 and will be subject to a periodic review after its implementation.