Affinity Data Protection Policy
- Policy prepared by: Natalie Haydon [DPO]
- Approved by: Board of Directors
- Policy became operational: 25/05/2018
- Next Review date: 25/05/2019
Affinity is actively registered with the ICO as a data processor. Affinity’s annual registration was reconfirmed on 27/02/2018 under the company name HEROES ADVERTISING & PUBLIC RELATIONS LTD.
Affinity is committed to protecting the rights and freedoms of data subjects. In accordance with our legal obligations, this policy outlines how Affinity and its staff safely and securely process data subjects’ data in line with GDPR (https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation).
Why this policy exists
This data protection policy ensures Affinity:
- Complies with data protection law and follows good practice
- Protects the rights and data of staff, customers and clients
- Has a transparent policy about how we obtain, store, process and delete data
- Implements robust safeguards and procedures to prevent and manage data breaches
This policy applies to the Affinity agency and to all staff working within it.
All staff are responsible for being familiar with this policy and implementing it in their daily working practice.
Any updates to the policy will be communicated and circulated to all staff. Individuals must confirm that they have read and understood all updates.
Personal data is any information relating to a living, identified or identifiable natural person. An individual may be identified directly (e.g. by a person’s name) or indirectly (e.g. as the owner of a particular business).
The definition of personal data applies to any piece of information which can be used to identify an individual, based on ‘all means reasonably likely to be used’. So, for example, a user ID number is classed as personal data, because it can be matched to the name of a user on a database. The term ‘personal data’ still applies to data even if identifying an individual requires the use of information held elsewhere. Examples of personal data include:
- Names, date of birth, address, email address, credit card details, etc.
- Location data – counts as personal data because it can be used to identify where a person lives, works, sleeps, etc.
- Online identifiers – digital information such as IP addresses, cookie strings or mobile device IDs. For example, an IP address can be used to find out where an individual is located.
- Sensitive data – types of data that must be treated with extra protection and care. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life.
Accountability and transparency
To comply with data protection laws and the accountability and transparency principle of GDPR, Affinity must demonstrate compliance by:
- Fully implementing all appropriate technical and organisational measures
- Maintaining up to date and relevant documentation on all processing activities
- Conducting Data Protection Impact Assessments
- Implementing measures to ensure privacy by design and by default, including:
  - Data minimisation
  - Allowing individuals to monitor processing
  - Creating and improving security and enhanced privacy procedures on an ongoing basis
Anyone who works for Affinity is responsible for ensuring that data is collected, stored, processed and deleted appropriately.
Each division that handles personal data must ensure that it is handled in line with this policy and the data protection principles.
However, the following people have key areas of responsibility:
- The Board of Directors is ultimately responsible for ensuring that the company complies with its legal obligations, and for:
  - Ensuring that their teams abide by the data protection principles in line with this policy.
  - Approving data protection statements attached to emails or any other form of marketing copy.
- The Data Protection Officer, Natalie Haydon, is responsible for:
  - Keeping the Board of Directors updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging adequate and frequent data protection training for all staff within the Affinity agency.
  - Handling data protection questions from staff and anyone else covered by this policy.
  - Dealing with requests from individuals to see the data Affinity holds about them (also called subject access requests).
  - Checking and approving contracts or agreements with third parties that may acquire, store, process or delete the company’s sensitive data.
  - Overseeing regular (annual) data audits to ensure that Affinity maintains up to date logs of the data it stores and processes and of any third-party involvement, in order to identify and mitigate risks. Audits will record what data is held, where it is stored, how it is used, who is responsible, and any further regulations or retention timescales that may be relevant.
  - Overseeing the processes and procedures for handling any data protection breaches.
- The Digital Director, Karl Izzard, is responsible for:
  - Ensuring that all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure that security hardware and software are functioning properly and that Affinity can identify a potential or successful breach.
  - Ensuring that sufficient checks and audits are carried out on a regular (monthly) basis to enable Affinity to identify a potential or successful breach.
  - Evaluating any third-party services the company is considering using to store or process data, for example cloud computing services.
Responsibilities of a data processor
As a data processor, Affinity must maintain its registration with the Information Commissioner’s Office (ICO) in order to continue processing data lawfully.
Affinity must comply with its contractual obligations and act only on the documented instructions of the data controller. If Affinity at any point determines the purpose and means of processing without the instructions of the controller, Affinity shall be considered a data controller, will therefore be in breach of its contract with the controller, and will have the same liability as the controller. As a data processor, we must:
- Not process data without written authorisation of the data controller
- Ensure wherever possible data is kept up to date
- Co-operate fully with the ICO or other supervisory authority
- Ensure the security of the processing
- Keep accurate records of processing activities
- Notify the controller of any personal data breaches
- Prevent data from being lost or open to misuse
- Retain data for no longer than is necessary
- Not transfer personal data outside of the EU
- Establish a lawful basis for processing the data received from the controller; for example, that consent for processing is recent, clear, explicit, and given for a specific purpose.
- Have the ability to stop the processing at any time on request, and have suitable and robust processes in place to achieve this.
Affinity must ensure that individuals whose data is being processed are aware of Affinity’s involvement in the process. This should occur via a privacy notice. This applies whether we have collected the data directly from the individual, or from another source.
Staff Guidelines and responsibilities
- Any electronic files that contain personal data:
  - Must be protected by strong passwords that are changed regularly (every 6 months).
  - Passwords are only shared with contacts, within Affinity or externally, who are considered to need them, and are communicated securely.
  - Passwords are logged in a secure location (‘Keystore’) and shared securely. The password to Keystore must not be shared externally.
  - Must be transferred internally and externally by SFTP; passwords must never be sent by email.
  - Must only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
  - Sensitive data should be encrypted before being transferred.
  - Any transfer of data should be approved by the line manager.
- If hard copies or removable storage media (such as CDs) are used for data:
  - They must be kept in a secure place when not in use.
  - Data stored on CDs and memory sticks must be encrypted.
  - Access is limited to a small number of people and a log is kept of who has had access.
  - They must be destroyed securely, e.g. by shredding paper copies.
- Servers containing personal data should be sited in a secure location away from general office space.
- Data should be backed up frequently and the backups should be tested regularly (every 3 months) to ensure that potential or successful breaches are identified.
- Data should never be saved directly onto computers or mobile devices.
- All servers and computers containing data should be protected by approved security software and a firewall.
- When working with personal data employees should ensure that screens of their computers are always locked when unattended.
- Data will be held in as few places as possible. No unnecessary replication of data will be made.
- Only employees who need access to data will have it.
Affinity will ensure that it maintains accurate and up to date records and data in line with legal requirements:
- Staff should take every opportunity to check data for accuracy and update it when inaccuracies are discovered. For example, when a client calls, check their contact details and, if they are no longer correct, ensure that they are updated within 24 hours.
- Affinity will make it easy for staff to update client and personal records.
- Where Affinity is using or processing data on a client’s behalf, employees processing that client data will check it against suppression files every 30 days.
Rights of individuals
Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:
- Right to be informed
  - Providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, and written in clear and plain language, particularly if aimed at children.
  - Keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
- Right of access
  - Enabling individuals to access their personal data and supplementary information.
  - Allowing individuals to be aware of and verify the lawfulness of the processing activities.
- Right to rectification
  - We must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.
  - This must be done without delay, and no later than one month. This can be extended to two months with permission from the DPO.
- Right to be forgotten
  - We must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.
- Right to restrict processing
  - We must comply with any request to restrict, block, or otherwise suppress the processing of personal data.
  - We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.
- Right to data portability
  - We must provide individuals with their data so that they can reuse it for their own purposes or across different services.
  - We must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.
- Right to object
  - We must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
  - We must respect the right of an individual to object to direct marketing, including profiling.
  - We must respect the right of an individual to object to processing their data for scientific and historical research and statistics.
- Rights in relation to automated decision making and profiling
  - We must respect the rights of individuals in relation to automated decision making and profiling.
  - Individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.
Subject Access Request
An individual has the right to receive confirmation of how their data is being processed, and access to their personal data and supplementary information. Affinity must provide an individual with a copy of the information upon request, free of charge.
- This must occur without delay and within one month of receipt. Affinity endeavours to provide data subjects with access to their information in commonly used electronic formats and, where possible, to provide direct access to the information through a remotely accessed secure system.
- If the request is complex, or numerous requests have been made, the deadline can be extended by two months, but the individual must be informed within one month.
- Affinity can refuse to respond to certain requests and, where a request is manifestly unfounded or excessive, can charge a fee. This would apply if the request is for a large quantity of data; in that case Affinity will instead ask the individual to specify the information they are requesting.
- Once a subject access request has been made, Affinity staff must not change or amend any of the data that has been requested. Doing so is a criminal offence and would result in instant dismissal.
- Affinity will provide the data requested in a structured, commonly used and machine-readable format. We must provide this data either to the individual who has requested it, or to the data controller they have asked for it to be sent to.
- In line with the ‘right to be forgotten’, we will remove any records of individuals upon request, as long as this is deemed reasonable.
- Requests must be made via email, and Affinity will run checks to ensure that individuals making access requests are reasonably verified, i.e. confirming name, address and date of birth as a minimum.
The right to be forgotten
Individuals have a right to have their data deleted and for processing to cease in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected and / or processed
- Where consent is withdrawn
- Where the individual objects to processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed or otherwise breached data protection laws
- The processing relates to a child
If personal data that needs to be deleted has been passed on to other parties, they must be contacted and informed of their obligation to delete the data. If the individual asks, we must inform them who those third parties are.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be shared with law enforcement agencies without consent from the data subject. Under these circumstances, Affinity will disclose the requested data. However, the data controller will ensure that the request is legitimate, seeking assistance from the Board of Directors and from the company’s legal advisers where considered necessary.
Using third party controllers and processors
As a processor, we must have written contracts in place with any third parties that we use and work with. The contract must contain specific clauses which set out our and their liabilities, obligations and responsibilities.
As a data processor, we must only act on the documented instructions of a controller. We acknowledge our responsibilities as a data processor under GDPR and we will protect and respect the rights of data subjects.
Our contracts must comply with the standards set out by the ICO and, where possible, follow the standard contractual clauses which are available. Our contracts with data controllers must set out the subject matter and duration of the processing, the nature and stated purpose of the processing activities, the types of personal data and categories of data subject, and the obligations and rights of the controller.
At a minimum, our contracts must include terms that specify:
- Acting only on written instructions
- Those involved in processing the data are subject to a duty of confidence
- Appropriate measures will be taken to ensure the security of the processing
- Sub-processors will only be engaged with the prior consent of the controller and under a written contract
- The controller will assist the processor in dealing with subject access requests and allowing data subjects to exercise their rights under GDPR
- The processor will assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of data breaches and implementation of Data Protection Impact Assessments
- Delete or return all personal data at the end of the contract
- Submit to regular audits and inspections, and provide whatever information necessary for the controller and processor to meet their legal obligations.
- Nothing will be done by either the controller or processor to infringe on GDPR.
Any breach of this policy or of data protection laws must be reported as soon as it is identified. Affinity has a legal obligation to report any data breaches to the ICO within 72 hours of their being identified.
All members of staff have an obligation to report actual or potential data protection compliance failures to their line manager and the DPO within 24 hours of identifying the breach or risk. Notification should be made by email. This allows Affinity to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the ICO of any compliance failures that are material either in their own right or as part of a pattern of failures
Affinity takes compliance with this policy very seriously. Failure to comply puts clients, data subjects and Affinity at risk.
An employee’s failure to comply with any requirement of this policy may lead to disciplinary action under our procedures, which may result in dismissal.
If individuals have any questions or concerns about anything in this policy, they should not hesitate to contact the DPO.
Any member of staff who fails to notify a breach, or who is found to have known or suspected that a breach has occurred but has not followed the correct reporting procedure, will be liable to disciplinary action.
What is a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore about more than just losing personal data. Some examples of what is considered a data breach:
- Access by an unauthorised third party
- Deliberate or accidental action by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Data breach process
Upon identification of a data breach, the individual must notify the DPO and their line manager by email. The email must include accurately recorded details of the breach, including:
- the date and time the breach occurred;
- the date and time it was discovered;
- who/what reported the breach;
- description of the breach;
- details of any ICT systems involved;
- any other substantiating material.
Containment and recovery – the DPO will review the breach to establish whether anything can be done to recover the loss or limit the damage the breach causes.
Risk assessment – the DPO will assess the breach to identify adverse consequences for individuals. The following should be considered:
- Data involved and how sensitive it is
- Security mechanisms in place, e.g. password protection
- How many individuals are impacted
Notification of breach – the DPO will complete an incident report and update Affinity’s internal breach log. The incident report must detail:
- Details of the breach as confirmed when initially raised
- Any potential risk of further breaches in the future
- Any weak spots in controls and processes
- What lessons can be taken
- What can be done to prevent reoccurrence of breach in the future
In the event that the data breach raised highlights a risk that further breaches could occur, all processing of data under the same or similar circumstances must be paused with immediate effect. Processing may only resume once approved by the DPO and the Board of Directors, following the implementation of more robust processes or controls.
The DPO will inform the Board of Directors within 24 hours of the breach being raised.
The DPO will inform the ICO, the confirmed or potential data subjects involved, the data controller and any third parties within 72 hours, unless the data is encrypted.
By remaining a client of Affinity [Heroes Advertising & Public Relations Ltd] after 25th May 2018, when GDPR becomes enforceable, you are confirming that your organisation is GDPR compliant. Any regulatory fines that Affinity incurs as a result of a client not acting as a GDPR-compliant data controller will be the liability of the client.