Data Protection Policy
The General Data Protection Regulation (GDPR) is a comprehensive data protection law covering Europe, as well as any organisation doing business in or with Europe, which comes into effect on 25th May 2018.
Its purpose is to ensure transparency about what personal data is held by organisations and how it is obtained, processed and stored.
Ultimate responsibility for ensuring that the Hyman Capital Group uses data in accordance with these policies rests with the Company’s Data Protection Officer together with the Chief Executive Officer.
3. THE AIMS OF GDPR
Anyone who processes personal information must comply with the eight principles.
Personal data must be:
- Held and used only where permission has been obtained
- Fairly and lawfully processed
- Processed for specified purposes
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept for longer than is necessary
- Processed in line with individuals’ rights
- Not transferred outside the European Economic Area without adequate protection.
GDPR provides individuals with important rights, including the right to find out what personal information is held about them.
4. PERSONAL DATA
GDPR regulates the use of “personal data” and “sensitive data”.
Personal data includes:
- Email addresses
- First/Last names
- Mailing addresses
- Financial information
- Online identifiers (IP addresses/cookie strings/etc)
Sensitive data includes (but is not limited to):
- Health data
- Sexual orientation
- Religious/philosophical beliefs
- Political views
- Genetic data
5. THE DATA PROTECTION PRINCIPLES
- Personal data shall be processed fairly and lawfully.
- Personal data shall be processed only for specified purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the GDPR Regulations.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. THE RIGHTS OF INDIVIDUALS
Individuals have the right to be:
- Told whether any personal data is being processed;
- Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- Given a copy of the information comprising the data; and
- Given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).
In most cases you must respond to a subject access request promptly and in any event within 1 month of receiving it. This can be extended up to 2 months if agreed with the individual requesting it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request.
The right to object to processing likely to cause damage or distress
An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.
The right to prevent direct marketing
Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.
Rights relating to automated decision making
The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. GDPR complements this provision by including rights that relate to automated decision taking. Consequently:
- An individual can give written notice requiring you not to take any automated decisions using their personal data;
- Even if they have not given notice, an individual should be informed when such a decision has been taken; and
- An individual can ask you to reconsider a decision taken by automated means.
Rights relating to inaccurate personal data
GDPR requires personal data to be accurate. Where it is inaccurate, the individual concerned has a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information. In addition, where an individual has suffered damage in circumstances that would result in compensation being awarded and there is a substantial risk of another breach, then the court may make a similar order in respect of the personal data in question.
The right to compensation
Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered. The individual is entitled to bring a compensation claim in the courts.
Please be aware that claims can now be brought against the Data Processor as well as the Data Controller. This is a change under GDPR, as previously claims could only be brought against the Data Controller.
Data controllers are defined as the individuals or department in the business that decide what personal data is collected and why.
Data processors are defined as those who maintain and process the data according to the instructions of the data controller.
7. WHAT WE NEED TO DO AS A COMPANY
To ensure we are compliant with the GDPR Regulations, we need to follow the procedures set out below.
- Emails, Documentation and Contacts
All business contacts and documentation containing personal or sensitive data within business emails must be added to Infusionsoft and/or OneDrive, and the email must then be deleted.
Where sensitive data is saved to OneDrive, it must be stored encrypted.
All devices MUST be password protected and updated every 3 months.
No documents are to be saved to your desktop; OneDrive is to be used to save all business documents. If you need a generic area to save work that is not specific to a company or project, please create a folder in your name for such documents. This will also avoid any confusion.
- Personal Information
Any personal information saved to OneDrive or to any device provided by the company must be removed, as must any personal contacts that have been inadvertently saved to Infusionsoft.
- Mobile Phones
This is a slightly grey area, but if you use your mobile phone for both work and personal use, then contacts need to be saved to the correct entity, as all smartphones allow. Your phone must also have a password protecting your emails, and anti-virus software installed. We can check this with you.
- Contact Referral
If you are referred to a business contact and choose to email them, please begin the email by explaining who gave you their details and asking whether they are happy to proceed.
- Credit Checks
No credit checks are to be carried out on any business or individual without their express consent.
If consent is not given, we cannot carry out credit checks.