The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
MAG Equipment Ltd has implemented comprehensive and proportionate technical and organisational measures (policies/procedures) to ensure compliance with the following six data protection principles set out in Article 5(1):
- Lawful, fair and transparent processing of data;
- The purpose for which personal data is collected must be specified, explicit and legitimate, and the data must be processed in a manner that remains compatible with the initial purpose for which it is collected;
- Data is not excessive and remains adequate and relevant data to the purpose;
- Accuracy of data is maintained;
- Data is stored for no longer than is necessary;
- Appropriate measures are taken to ensure data is processed in a secure manner.
MAG Equipment Ltd is a small to medium-sized organisation which employs fewer than 250 employees. As such an organisation (see Article 30(5)) we will document processing activities that:
- are not occasional;
- or could result in a risk to the rights and freedoms of individuals;
- or involve the processing of special categories of data or criminal conviction and offence data.
The vast majority of our data consists of organisations who have been contacted on a business-to-business basis regarding an enquiry, interest, order or contract for our commercial products or services.
The eight rights for individuals we will keep in mind at all times are:
- The right to be informed – Individuals must be told how we intend to use their personal data at the time it is gathered (or within a month if it is obtained from another source). Where consent is the lawful basis, it must be freely given and cannot be assumed or taken for granted. There are particular rules around what information you should supply and at what stage you need to supply the information to your customers.
- The right of access – Individuals can request access to their personal data free of charge (in most cases) and ask how you make use of it.
- The right to rectification – Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the data in question to third parties, you must inform them of the rectification. You should also ensure that your customers are aware of the third parties to whom you have disclosed the data, where appropriate.
- The right to erase / be forgotten – Individuals can ask you to delete or remove their personal data where there is no good reason for its continued processing.
- The right to restrict processing – In some cases individuals can require you to continue storing their personal data but not to process it in any other way.
- The right to data portability – Individuals can obtain the personal data they have provided in a structured, commonly used, machine-readable format and move it between service providers easily and safely, without obstacles to usability of the data.
- The right to object – Individuals have the right to object to your use of their data. In general the objection must be on “grounds relating to his or her particular situation”; an objection to direct marketing is absolute and must be acted on without exception.
- Rights related to automated decision making and profiling – The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
Lawful Bases For Processing Data
MAG Equipment Ltd will process data in compliance with the lawful bases that are set out in Article 6 of the GDPR. We will ensure that at least one of these conditions will apply whenever we process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
To demonstrate compliance we will implement appropriate technical and organisational measures. This may include internal data protection policies such as staff training, internal audits of processing activities, and the review of internal HR policies. We will maintain relevant documentation on processing activities and implement measures that meet the principles of data protection by design and data protection by default. Measures may include data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; and creating and improving security features on an ongoing basis. Where appropriate we will use data protection impact assessments.
We will include fair processing information in our privacy notice to comply with the transparency provisions of the GDPR. The information we will provide people with includes our intended purposes for processing the personal data and the lawful basis for the processing.
Privacy Impact Assessment
A privacy impact assessment will outline the potential risks to the individuals whose data we handle and to everyone handling that data. We will ensure staff are fully aware of data risks and regulations so that breaches are less likely to occur. The risk of issues caused by human error will be reduced through a clear-desk and data retention policy. The same applies to electronic data and where appropriate in some cases we will demonstrate deletion. We will ensure that data is encrypted using current, strong algorithms to reduce the impact if that data is lost, and we will regularly review our security infrastructure. Data controllers will carefully review contracts and other arrangements if sharing data with outside organisations and gain approval from a member of senior management.
When dealing with a data breach, under the GDPR a data controller has 72 hours from becoming aware of the breach to report it to the regulator if required to do so. We will consult the procedures we have in place to manage incidents before deciding whether to call in the experts or to deal with the breach in-house, and our data controllers will maintain an internal breach register. In the event of a data breach we will:
- Identify the breach and take steps to end it;
- Check our insurance policy and notify our insurer;
- Identify the personal data breached – type of data and number of records;
- Determine remediation measures;
- Notify the ICO without undue delay and within 72 hours of becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals;
- Notify affected data subjects if the breach is likely to result in high risk to their rights and freedoms;
- Implement remediation measures and monitor;
- Review root causes of breach and take steps to prevent repetition;
- Provide further training to staff as required;
- Seek professional advice if required.
If we believe data remains vulnerable to damage, destruction, alteration, corruption, copying, theft or misuse by an attacker, appropriate action will be taken, such as storing the data with an external and approved third party. In the aftermath we will ensure data processors and controllers learn from the incident and update their internal notification procedures and incident response strategies accordingly.
Data Protection Principles
Under the GDPR, the data protection principles set out the main responsibilities for organisations. As outlined in Article 5 of the GDPR personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
As required in Article 5(2), the controller shall be responsible for and be able to demonstrate compliance with the principles.
Controllers And Processors
Contracts between controllers and processors will include the following terms requiring the processor to:
- Only act on the written instructions of the controller;
- Ensure that people processing the data are subject to a duty of confidence;
- Take appropriate measures to ensure the security of processing;
- Only engage sub-processors with the prior consent of the controller and under a written contract;
- Assist the controller in providing subject access and allowing data subjects to exercise their GDPR rights;
- Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments; delete or return all personal data to the controller as requested at the end of the contract; and
- Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller. In addition to its contractual obligations to the controller, under the GDPR a processor also has the following direct responsibilities:
- Not to use a sub-processor without the prior written authorisation of the data controller;
- To co-operate with supervisory authorities (such as the ICO);
- To ensure the security of its processing;
- To keep records of processing activities;
- To notify any personal data breaches to the data controller without undue delay.
If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
Data Protection Impact Assessments (DPIAs)
Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. We will carry out a DPIA where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Processing that is likely to result in a high risk includes (but is not limited to):
- Systematic and extensive evaluation of individuals, including profiling, on which decisions are based that have legal effects – or similarly significant effects – on individuals.
- Large scale processing of special categories of data or personal data relating to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.
- Large scale, systematic monitoring of public areas (CCTV).
Our DPIA will include:
- A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller;
- An assessment of the necessity and proportionality of the processing in relation to the purpose;
- An assessment of the risks to individuals;
- The measures in place to address those risks, including security measures, and to demonstrate compliance.
A DPIA may address more than one project.
All computers are password protected and installed with reputable, market-leading anti-virus and firewall software to reduce the risk of a breach. A firewall is the first line of defence against intrusion from the internet and can stop attacks before they penetrate our network. Any unused software and services are regularly removed from our devices to reduce the number of potential vulnerabilities. Anti-virus scans are scheduled to run weekly, and appropriate action will be taken if any alerts are issued by the protection software.
Each user has a unique password and default passwords are changed to avoid the risk from attackers. Users are given restricted access to our systems, with specific permissions allocated appropriate to the job they are carrying out at the time.
The Wi-Fi password is strong, is shared only with specific users and is not shared with untrusted parties. Passwords and access will be cancelled immediately if a staff member leaves the organisation or is absent for long periods.
Staff are trained to recognise threats such as phishing emails and malware, and are alerted to the risks involved in posting information relating to our business activities on social networks. We encourage general security awareness within our organisation and operate a security-aware culture to help identify security risks. We keep our knowledge of threats up to date by reading security bulletins and newsletters from relevant organisations.
As outlined in Recital 47 of the GDPR, direct marketing may be a legitimate use of personal information. Direct marketing will be undertaken with this in mind and with consideration of other rules such as the Privacy and Electronic Communications Regulations 2003 (PECR). We will comply with GDPR, PECR and any other relevant legislation and regulations for all marketing campaigns including e-mail, telephone, fax and post. Electronic marketing will only be used if the person we are targeting has given us their permission, with the exception of the ‘soft opt-in’, which applies if the following conditions are met:
- Where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
- Where the messages are only marketing similar products or services; and
- Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
When sending an electronic marketing message we will tell the recipient who we are and provide a valid contact address. As outlined by the ICO (Information Commissioner’s Office), the PECR rules on marketing emails do not apply to emails sent to organisations (corporate subscribers), though we will still identify our company and provide an address.
Where possible our marketing campaigns will be permission-based and we will explain clearly what a person’s details will be used for. We will provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints. We will not market to individuals or organisations who have registered their numbers with the Telephone Preference Service (TPS) or Fax Preference Service (FPS), and if the person or organisation we are targeting asks to be taken off our mailing list we will comply with their request.
Requests For Personal Information
We understand that employees and customers have the right to see their personal information. They can make a subject access request to see the personal information we hold about them. Requests for such information will be handled in accordance with the GDPR. We will provide a copy of the information free of charge and without delay, and at the latest within one month of receipt (extendable by up to two further months where requests are complex or numerous, in which case we will tell the individual within the first month). Where a request is manifestly unfounded or excessive, in particular because it is repetitive, we may charge a reasonable fee based on the administrative cost of providing the information, or refuse to respond. We may also charge a reasonable fee for further copies of the same information.
MAG Equipment Ltd is committed to the GDPR provisions intended to enhance the protection of children’s personal data. In the unlikely event that services are offered directly to a child we will ensure that our privacy notice is written in a clear, plain way that a child will understand and endeavour to gain consent from a person holding parental responsibility.
Data Protection Officers (DPO)
Having considered the requirements of Article 37, we have decided not to designate a specific Data Protection Officer. Regardless of this, all data protection responsibilities and requirements will be met by our organisation, overseen by our company’s Operations Manager.
Lead Data Protection Supervisory Authority
Our company processes the data of individuals and organisations within the UK, EU and worldwide. As such it has been determined that our lead supervisory authority will be the authority for the country of our main establishment, which is the UK (the ICO), as this is where our organisation makes its most significant decisions about its processing activities.
Updates / Amendments
This policy may be updated or amended to meet any required legislation, regulations and the business interests of MAG Equipment Ltd.