Data protection policy
Policy & compliance statement.
Deeson Group Limited and Deeson Publishing Ltd (Deeson) is committed to compliance with the GDPR legal requirements. This statement outlines the enhanced requirements that Deeson must adhere to and our implemented/planned approach to ensuring compliance obligations are met.
Overview.
The General Data Protection Regulation (GDPR) is a new legal requirement by which the European Commission intends to strengthen and unify data protection for individuals. From 25th May 2018, this affects every organisation that processes EU residents' personally identifiable information (PII), and it will be necessary to abide by a number of provisions.
The data protection principles, as set out in the Data Protection Act (DPA), remain but have been condensed into six principles as opposed to eight. Article 5 of the GDPR states that personal data must be:
Processed fairly, lawfully and in a transparent manner in relation to the data subject
Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed
Accurate and, where necessary, kept up to date
Kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which personal data is processed
Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
GDPR policy statement.
Deeson is required to collect personal information to effectively and compliantly carry out our everyday business functions and services. Such data is collected from employees, clients and suppliers and includes (but is not limited to) name, address, email, date of birth, identification numbers, bank details and other confidential information.
In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations. In all cases, we are committed to collecting, processing, storing and destroying all information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and specific data protection codes of conduct.
Deeson has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the GDPR and its principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and safety of personal and/or special category data belonging to the individuals with whom we deal is paramount to our company ethos.
We are proud to operate a 'Privacy by Design' approach and aim to be proactive rather than reactive: assessing changes and their impact from the start, and designing systems and processes that protect personal information at the core of our business.
Simon Wakeman
Managing Director
May 2018
Review.
This document has been approved in preparation for the forthcoming change in legislation. This policy is to be fully reviewed following implementation of the new legislation, release of further official guidance, and planned/ongoing assessment/certification to the ISO 27001 standard.
Compliance statement.
Deeson processes personal data on behalf of our Clients (the data controller). This personal data includes:
Name
Contact details (email/telephone)
Employer and Job Title
Usernames & passwords
Communication / Transaction History
A full list of specific database fields is available upon request.
Lawful basis for processing.
GDPR requires that there is a valid lawful basis in order to process personal data.
Processing our client’s personal data would be necessary in fulfilment of contractual requirements between the supplier and client, and as such would not require separate explicit consent.
Our standard terms and conditions of business will apply to all service provisions by Deeson, unless superseded by a client specific contract.
Individual rights.
Right to be Informed.
Individuals have the right to be informed about the collection & use of their personal data.
We endeavour to provide such privacy information at the point of collection and additional information can be given upon request.
Right to access.
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Deeson will only supply information directly to the individual the data concerns. Direct requests received outside this will be communicated back to the Data Controller, for an authorised and verified representative to formally request (in writing) the action to be taken.
Information will be processed and returned promptly, for issue within the statutory one-month timeframe.
A fee must not be charged to the individual; to support this, Deeson will not levy a fee for the processing in standard circumstances.
Right to rectification.
GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
Should Deeson receive direct notification in this circumstance, the same procedure as Right to Access listed above will apply. Only changes as formally notified by an authorised and verified representative of the Data Controller are to be implemented.
Right to erasure.
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Right to restrict processing.
Individuals have a right to ‘block’ or suppress processing of personal data.
Should Deeson receive direct notification in this circumstance, the same procedure as Right to Access listed above will apply. Only changes as formally notified by an authorised and verified representative of the Data Controller are to be implemented.
Right to data portability.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Client requests to transfer data to alternate systems can be processed by individual arrangement.
Right to object.
The right to object to processing of data would typically not be applicable with contractual fulfilment as the lawful basis of processing. Any directly received objections, complaints, concerns or feedback will be reviewed on an individual basis.
Rights related to automated decision making.
This requirement is not applicable to Deeson activities as no decision-making or profiling process is involved.
Accountability and governance.
Documentation.
GDPR contains explicit provisions about documenting processing activities.
Deeson will require written confirmation of instructions for all processing activities in order to ensure documented traceability of instructions from any data controller.
Other key documented information to support compliance to the requirements includes:
Standard Operating Procedures
ISM Risk Register (Data Impact Assessment)
Management System Audits
Records of Breaches
Data protection by design and default.
Under the GDPR, there is a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
The GDPR requirements sit within the broader subject of Information Security Management (ISM), which is an area that Deeson regards to be a critical part of the business operations.
Deeson holds the ISO27001, ISO9001 and Cyber Essentials Plus certifications.
Data protection impact assessments.
As part of our ISM management system, a full risk register has been compiled to ensure we have identified and assessed any threats to the confidentiality, integrity or availability of all information held (electronic and hard copy). This requirement encompasses and expands on the DPIA, covering a wide range of elements from an asset-based approach. A fundamental requirement of the standard is continual improvement, and the register and resulting risk treatment plan are subject to regular review.
Codes of conduct and certification.
The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.
As general and industry specific codes are released, they will be reviewed for suitability by top management and adopted/communicated across the organisation and to our stakeholders.
Security.
GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
This general requirement is incorporated within our management systems and operational processes.
International transfers.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Adequate Safeguards.
You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Data breaches.
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority and, in some cases, directly to the individuals affected.
Any identified breach must be escalated immediately to a Deeson Director for a full investigation. Staff are trained in this process to understand what constitutes a breach, and how to report it.
Personal data breaches can include:
access by an unauthorised third party
deliberate or accidental action (or inaction) by a controller or processor
sending personal data to an incorrect recipient
computing devices containing personal data being lost or stolen
alteration of personal data without permission
loss of availability of personal data
At this stage, the resulting risk to individuals will be assessed and the necessary action plan created, including notification (Client, Individuals, ICO), mitigating actions, and corrective actions to prevent recurrence.
A Deeson director is to report any breach of a Client's personal data as soon as possible (<24 hours) after an event has been confirmed.
Where a defined notifiable breach has occurred, the Client (controller) must report this to the ICO within 72 hours of being made aware. Deeson will support in gathering the necessary information, and in notifying individuals where required.