Data Protection Policy V.1
Version 1.0, 28/6/2022, Rachel Goode, Alan Newman. Description: Version Controlled document for ISMS.

This document has been prepared using the following ISO27001:2013 standard controls as reference:

| Control | Title |
|---|---|
| A18.1.4 | Privacy and protection of personally identifiable information |

Sensible Development Ltd (we, “Sensible”) is located at Cornelius House, 178/180 Church Road, Hove, BN3 2DJ and operates primarily from its head office at Vantage Point, New England Road, Brighton, BN1 4GW.

The purpose of this document is to demonstrate the management board’s commitment to the protection of personal data.

The Directors of Sensible Development Ltd, located at Cornelius House, 178/180 Church Road, Hove, BN3 2DJ and operating primarily from the head office at Vantage Point, New England Road, Brighton, BN1 4GW, are in the business of marketplace software services.
We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets relevant to meet the purpose and goals of the organisation. This includes the handling of personal data or “Personally Identifiable Information” (PII).
Furthermore, we are committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 1998 and any other data protection legislation or regulation relevant to our business operations.
In complying with the above-mentioned legislation and regulation, the organisation makes commitments to implement policies and processes related to that compliance and to make staff and relevant third parties aware of their responsibilities when handling personal data.
More detailed policies and processes thus support this policy, including our Information Security Policy. A GDPR compliance workspace is also maintained in line with Information Commissioner’s Office recommendations. These are located and managed within the ISMS.online platform.
This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.
All employees and relevant interested parties associated with the organisation’s handling of personal data have to comply with this policy. Appropriate training and materials to support it are available.
The key definitions of terms used within or referred to by this policy are based upon those in the GDPR or other recognised documentation and are contained in Annex A.
Our Data Protection Officer has overall responsibility for the day-to-day implementation of this policy.
Senior Information Risk Owner (SIRO)
- Assumes full accountability for the information controlled and processed by the organisation, including PII
- Is the face and figurehead of the organisation to Interested Parties. As managing director, gives confidence to those parties that the organisation takes data protection and information security seriously

Data Protection Officer
- Keeping the board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering questions on data protection from staff, board members and other stakeholders
- Responding to individuals such as clients and employees who wish to know which data is being held on them by [company name]
- Checking and approving, with third parties that handle the company’s data, any contracts or agreements regarding data processing

Chief Information Security Officer (Head of Operations - Rachel Goode)
- Ensuring that information security risks have been identified and assessed, taking account of any special requirements for personal data
- Supporting and advising other responsible managers and individuals in regard to information security requirements, policies and controls

Technical Information Security Officer (Systems Administrator - Ian Morrison)
- Ensuring all systems, services, software and equipment meet acceptable security standards
- Checking and scanning security hardware and software regularly to ensure it is functioning properly
- Researching third-party services, such as cloud services the company is considering using to store or process data

(Ana Beltran Silva)
- Approving data protection statements attached to emails and other marketing copy
- Addressing data protection queries from clients, target audiences or media outlets
- Coordinating with the Data Protection Officer to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy
- Complying with other legislation and regulation relevant to data protection in marketing activities (e.g. Privacy & Electronic Communications Act (UK))
Staff data protection training
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training is provided on a regular basis and when specific trigger events occur e.g. threats or incidents affecting all or part of the organisation, its supply chain or other Interested Parties that might impact the organisation financially or reputationally.
It will cover:
- The law relating to data protection
- Our data protection and related policies and procedures

Completion of this training is compulsory and, where appropriate, will be evidenced by task completion in the ISMS.online platform.
Privacy Notice – transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation and is required under GDPR. Whenever personal data is being collected we will document and provide a Privacy Notice in line with the requirements of Article 13 of the GDPR.
A template privacy notice is located within the ISMS.online platform.
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing (described further below) and this will be specifically documented in the ISMS.online platform. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
Justification for personal data
We will process personal data in compliance with all eight data protection principles.
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to identify clearly what the relevant data is, why it is being processed and to whom it will be disclosed.
Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
Under GDPR, processing of personal data is lawful only if at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The processing of all personal data must be:
- Necessary to deliver our services
- In our legitimate interests and not unduly prejudice the individual’s privacy

In most cases this provision will apply to routine business data processing activities.

Our Terms of Business contain a Privacy Notice to clients on data protection, which:
- Sets out the purposes for which we hold personal data on customers and employees
- Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
- Provides that customers have a right of access to the personal data that we hold about them
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate, you should record the fact that the accuracy of the information is in dispute and inform the Data Protection Officer.
Upon request, a data subject has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
A data subject may also request that their data is transferred directly to another system. This must be done free of charge.
Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by design and default
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The Data Protection Officer will be responsible for conducting Privacy Impact Assessments (PIAs) and ensuring that all IT and other relevant projects commence with a privacy plan. ISMS.online provides a PIA framework that is used for managing the process and documenting the approach.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
International data transfers
No data may be transferred outside of the EEA without first discussing it with the Data Protection Officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.
We must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the Data Protection Officer will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
The organisation has a documented “Information Security Policy” and a set of subordinate security policies and controls relating to our management of data and information security. These are held within the ISMS.online platform.
We must not retain personal data for longer than is necessary. What is “necessary” will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
Data retention schedules will be maintained showing the minimum and maximum periods of retention for each data set.
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All individual staff members are responsible for playing their part in maintaining the confidentiality, integrity and availability of personal data in compliance with the GDPR, DPA and organisational policies, standards and procedures.
You must familiarise yourself with the requirements contained in this policy and any other relevant security policy and comply with any requirements relating to the proper handling and security of personal data.
Your personal data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Officer or the HR Department so that they can update your records.
Handling others’ personal data
You must familiarise yourself with the organisational responsibilities detailed above and ensure that you comply with these whenever you are handling personal data. Special care and attention must be given when handling sensitive personal data.
Processing data in accordance with the individual’s rights
You must abide by any request from an individual not to use their personal data for direct marketing purposes. Notify the Data Protection Officer about any such request if it falls outside of the normal processes or you have any reason to be unsure about the appropriate practice.
Contact the Data Protection Officer for advice on direct marketing before starting any new direct marketing activity to ensure compliance with all relevant data protection and other legislation.
All members of staff have an obligation to report actual or potential data protection weaknesses, events and incidents where compliance may be breached. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures
The reporting of such weaknesses, events and incidents will be managed through our Information Security Incident Management processes.
Everyone must observe this policy. The Data Protection Officer has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
Annex A – Key Definitions
| Term | Definition |
|---|---|
| Data Subject | “Data subject” means an individual who is the subject of personal data. [source DPA] |
| Personal Data | “Personal Data” is any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [source GDPR] |
| Sensitive Personal Data | “Sensitive Personal Data” is any information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy. [source DPA] |
| Controller | “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [source GDPR] |
| Processor | “Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller. [source GDPR] |
| Recipient | “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. The processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. [source GDPR] |
| Processing | “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [source GDPR] |
| Profiling | “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. [source GDPR] |
| Pseudonymisation | “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. [source GDPR] |
| Filing System | “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. [source GDPR] |
| Consent | “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [source GDPR] |
| Personal Data Breach | “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. [source GDPR] |