Digital Velocity Limited (Digital Velocity), as Data Controller, is committed to ensuring its compliance with the requirements of the law governing the management and storage of Personal Data (as defined below), which is set out in the UK’s Data Protection Act and the EU’s General Data Protection Regulation 2016 (GDPR). We recognise the importance of Personal Data to our business and the importance of respecting the privacy rights of individuals. This Data Protection Policy (the Policy) sets out the principles which we will apply to our Processing (as defined below) of Personal Data so that we not only safeguard one of our most valuable assets, but also Process Personal Data in accordance with applicable laws.
Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO). Digital Velocity is accountable to the ICO for its data protection compliance.
This policy aims to protect and promote the data protection rights of individuals and of the business, by informing everyone working for the business of their data protection obligations and of the business procedures that must be followed in order to ensure compliance with GDPR. Information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
This policy covers all Personal Data and special categories of Personal Data, however Processed (on computers or manually). In the event that any staff process Personal Data through working at home, for example, this Guidance and all it entails applies equally to such data.
This Policy and the Guidance (which is set out in the following pages) applies to all staff (including managers), consultants and any third party that this policy has been communicated to, as it is the responsibility of all to assist Digital Velocity in complying with its obligations as Data Controller. All members of staff should familiarise themselves with both this Policy and the Guidance and apply their provisions in relation to any Processing of Personal Data. Failure to comply with the GDPR, the Policy and the Guidance could amount to misconduct, which is a disciplinary matter, and could ultimately lead to summary dismissal. Serious breaches could also result in personal criminal liability.
For these reasons, it is important that all employees familiarise themselves with this Policy and the Guidance and attend any training sessions in respect of the care and handling of Personal Data.
This Policy and the Guidance may be amended from time to time to reflect any changes in practice or legislation. Tom Kemp, who is the business’s Privacy Manager, is responsible for monitoring the business’s compliance with this policy, and any queries as to data protection procedures or requirements should be directed to him.
This Policy has been approved by the Board. It will be reviewed annually or as and when a change in the data protection regime requires it to be updated.
This Guidance Note (“the Guidance”) forms part of the Data Protection Policy and provides supplementary information to enable staff to better understand and comply with the Data Protection Policy.
Digital Velocity, as Data Controller, is required to comply with the GDPR in respect of its Processing of Personal Data (such as information about our staff, suppliers and clients, and their customers, although we act as Data Processor in respect of our Processing of our clients’ customers). Compliance with data protection legislation is the responsibility of all members of the business who process personal information, and it is therefore important for all staff to familiarise themselves with both the Data Protection Policy and this Guidance and act in accordance with their content.
Any day-to-day data protection issues or any questions about the Policy or the Guidance should be raised with the Privacy Manager.
The GDPR is intended to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and, wherever possible, is processed with their consent. Whilst the GDPR covers Personal Data relating to individuals, you should bear in mind that if you handle personal details of, for example, officers of companies, this will still constitute Personal Data and therefore be subject to the GDPR’s requirements.
It should be noted that the business is authorised to process data connected to the delivery of our services to clients and their customers; the promotion of our services; maintaining our accounts and records; and managing our staff. Anyone who is Processing, or intends to Process, data for purposes not included in the business’s entitlements should seek advice from the Privacy Manager.
In this Guidance, the following definitions are used:
Consent is agreement which must be freely given, specific, informed and an unambiguous indication of the Data Subject’s wishes, by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes for which, and the manner in which, any Personal Data is processed. Data Controllers have a responsibility to establish practices and policies in line with the GDPR. Digital Velocity is the Data Controller of all Personal Data used in our business, except for data relating to our clients’ customers/contacts, where we act as Data Processor.
Data Processors include any person who processes Personal Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition but it could include suppliers which handle Personal Data on our behalf.
Data Subjects (for the purpose of this policy) include all living, identified or identifiable individuals about whom Digital Velocity holds Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data. This includes, but is not limited to, staff, clients (and their customers/contacts), suppliers and business contacts.
Personal Data means data (however held) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (such as a name, address, date of birth or telephone number) or it can be an opinion (such as a performance appraisal). It will include passport or driving licence details. It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person. For the business’s purposes, our clients are Data Subjects (other individual third parties that we hold Personal Data about are also likely to be Data Subjects).
Processing (or Process) is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation on or regarding the data including organising, accessing, amending, merging, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or making available Personal Data to third parties.
Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive Personal Data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
Additionally, Personal Data shall not be transferred to a country or territory outside the European Economic Area unless: (1) that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data; (2) appropriate, approved standard contractual clauses are in place; (3) the Data Subject has given explicit consent; or (4) the transfer is necessary for a reason set out in the GDPR. If this is envisaged, speak to the Privacy Manager for further guidance before transferring any data.
The business must be able to demonstrate its compliance with the above principles (‘accountability’).
In order to process all Personal Data in a manner that is compliant with GDPR, Digital Velocity will:
To expand on the practical aspects of the principles:
Fair and lawful Processing
For Personal Data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has Consented to the Processing, that it is in connection with us delivering our services for the Data Subject or that the Processing is necessary for our legitimate interests, provided that processing for our legitimate interests does not adversely affect the interests or rights of Data Subjects. When Sensitive Personal Data is being Processed, more than one condition must be met. In most cases, the Data Subject’s explicit consent to the Processing of such data will be required.
A Data Subject provides Consent to Processing of their Personal Data if they clearly indicate agreement to the Processing either by a statement or positive action. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
Evidence of Consent and records of all Consents should be kept so that the business can demonstrate compliance with Consent requirements.
Specific Consent should be obtained to use Personal Data on the internet as such data could be accessed worldwide and the final data principle outlined above may be breached.
Processing for specific and limited purposes
Personal Data may only be processed for the specific purposes notified to the Data Subject when the data was first collected or for any other purposes specifically permitted by the GDPR. This means that Personal Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the Data Subject must be informed of the new purpose and Consent obtained before any Processing occurs.
Adequate, relevant and non-excessive Processing
Personal Data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any data which is not necessary for that purpose should not be collected in the first place. If you are in possession of excessive data, it should be immediately deleted or destroyed.
We must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the business’s data retention guidelines.
Personal Data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and therefore you should check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out of date data should be destroyed or updated as appropriate. You should notify the business’s Office Manager with regard to any of your own Personal Data which needs updating and you should also ensure that if any client, a client’s customer or third party provides updated personal information, the update is acted upon without delay.
Personal Data should not be kept longer than is necessary for the purpose, meaning that data should be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is to be kept before being destroyed, contact the Privacy Manager.
Processing in line with Data Subjects’ rights
Data must be processed in line with Data Subjects’ rights. Data Subjects have a right to:
The GDPR requires us to keep full and accurate records of all our data Processing activities. We must keep and maintain accurate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents. These records should include clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.
If you have any concerns about Processing Personal Data, please contact the Privacy Manager who will be happy to discuss matters with you.
The GDPR gives rights to individuals in respect of the Personal Data organisations hold about them. Everyone must be familiar with these rights and adhere to the business’s procedures to uphold these rights.
These rights include:
A formal request from a Data Subject for information that we hold about them need not be in any particular format, but it should specify the information that the Data Subject requires. If you receive a request for Personal Data and require guidance as to whether it is a “subject access request”, speak to the Privacy Manager. Digital Velocity will require the Data Subject to provide evidence of their identity (so that we are not disclosing to a third party). Any member of staff who receives a written request should forward it immediately to the Privacy Manager, who will assist. A request sent by email or fax is as valid as one sent in hard copy. Requests may also be validly made by means of social media. Note that information requested under a subject access request may not be fully disclosable, as particular exemptions from disclosure may apply. Indeed, it may be that none of the information is disclosable. The Privacy Manager will advise as to what can be disclosed.
Digital Velocity aims to comply with requests for access to personal information as quickly as possible, and, if we hold such information, will ensure that it is provided within one month of the request unless there is a proper reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
We must ensure that Personal Data is not disclosed to unauthorised third parties which includes family members, friends, government bodies and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose Personal Data on an individual to a third party. Speak to the Privacy Manager if in doubt.
Personal Data may be legitimately disclosed where one of the following conditions applies:
The GDPR contains some exemptions in respect of disclosures. If you are contacted by:
you must not confirm or deny whether or not we hold information about a Data Subject. If you receive a Production Order from the Police or an Order from a government department requiring information to be disclosed, contact the Privacy Manager.
Any member of staff dealing with telephone enquiries should be careful about disclosing any personal or confidential information held by us. In particular they should:
Every member of staff that holds information about identifiable living individuals has to comply with the GDPR in managing that information.
The business will not retain Personal Data for longer than necessary.
| Data | Period of Retention |
|---|---|
| Data confirming payments due to you. For example, your contract of employment and any information about salary or benefits. | 6 years after you leave your employment |
| Data relating to taxes, National Insurance contributions and other charges paid in relation to you. | 7 years after you leave your employment |
| Data relating to any accidents or injuries at work. | 3 years after you leave your employment |
| Data relating to any references given in relation to you. | 1 year after the date of the reference |
The business publishes a number of items that includes Personal Data and will continue to do so. These include:
Before any electronic direct marketing is undertaken, it must be clear that the people to be contacted have Consented to receive such marketing and that a valid, up-to-date consent notice is held on file. There is a limited exception for existing clients of Digital Velocity known as “soft opt in” – this allows us to send marketing texts or emails to clients of Digital Velocity if we have obtained contact details in the course of providing services to that person, the messages are marketing similar services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. This applies, by extension, to the customers of our clients, but when marketing to them we should take care to know whether we are marketing by Consent or as a result of the soft opt in.
For marketing by post, we are able to send postal marketing to our clients regarding new products or services, in reliance on our “legitimate interests” – we generally do not need consent to this type of mailing but we will always need to offer clients an opt-out.
The right to object to direct marketing must be explicitly offered to the Data Subject. A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Privacy By Design and Data Protection Impact Assessments (DPIAs)
Privacy by Design involves using appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Data Protection Impact Assessments (DPIAs) involve using tools and assessments to identify and reduce the risks of a data Processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles. Privacy by Design is an ongoing measure.
DPIAs will be carried out when introducing, or making significant changes to, systems or projects involving the Processing of Personal Data. DPIAs are required to identify data protection risks and to assess the impact of these risks, as well as to determine appropriate action to prevent or mitigate the impact of these risks.
This means thinking about whether we are likely to breach the GDPR, and what the consequences might be, if we use Personal Data in a particular way. It is also about deciding whether there is anything that we can do to stop, or minimise the chances of, the potential problems identified from happening.
DPIAs will be undertaken by the Privacy Manager and Management.
A data protection breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Everybody working for Digital Velocity has a duty to report any actual or suspected data protection breach without delay to the Privacy Manager or, in their absence, their line manager.
Breaches will be reported to the ICO by the Privacy Manager without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless we are able to demonstrate that the Personal Data breach is unlikely to result in a risk to the rights and freedoms of Data Subjects. Where there is a high risk to the rights and freedoms of individuals, we must also notify the affected individuals.
The Privacy Manager will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and/or complaints that an individual’s Personal Data is not being processed in line with the data protection principles should be referred to the Privacy Manager without delay.
It is important that everyone understands the implications for the business if we fail to meet our data protection obligations. Failure to comply could result in:
Breaches can have serious consequences. Digital Velocity could be fined up to 20,000,000 Euros, or up to 4% of annual turnover of the preceding financial year, whichever is the higher and depending on the breach.
This guidance has been approved by the Board. It will be reviewed annually or as and when a change in the data protection regime requires it to be updated.
This Policy was reviewed by Tom Kemp and introduced on 22nd May 2018.