GDPR Data and Information Policy
We are extremely transparent about how we hold and use data. The information we hold is:
Client Information
- Information enabling us to audit their management systems. This may include names, phone numbers, email addresses, business addresses (or home addresses if working from home)
- Compliance software logins (where supplied)
- Management System software logins (where supplied)
All of this information is gathered from the client at the start of an engagement. It is held in documents in Dropbox (or another client-preferred platform), which the auditors working on the project have access to.
Elements may also be kept inside iCloud and OneDrive (our software platforms of choice), FreeAgent (our accounting software), and Google Workspace (our Office and Communications software). Their data processing terms and conditions are available on their websites.
Leads and Contacts
If you request a quotation, sign up for free materials, register for our blog and receive our marketing, or enquire about using our services, we will retain some or all of the following data:
- Name
- Address (if you make a purchase)
- Email address
- Phone number (if provided)
- Declared business information, including turnover and number of employees
Lead information is shared between staff members responsible for sales, marketing, and accounting.
Data Consent
We will always make clear on email capture forms that the data we collect will be used for follow-up marketing (e.g. "sign up to our blog"). On other forms, we specify how the data submitted will be used.
Our Privacy Policy makes it clear that consent can be withdrawn at any time by contacting us.
The lawful basis for processing client data is contract. The lawful basis for processing lead/contact data is consent and/or legitimate interest.
Data and Privacy Notice
We store the data you submit to us in our email marketing software so that we can send you relevant information and training to help you with your marketing.
You can remove your consent to receive this information at any time by clicking the link at the bottom of the email. If you would like to be ‘forgotten’ and have your data erased, simply reply to any email from us requesting this and we will handle this for you within 1 month.
Data Policy
The Ideas Distillery only collects and stores information from clients necessary for us to carry out the marketing work that we are required to carry out. This information is available to the team working on the campaign and other staff in the company who might need it for the purposes of accounting, administration or helping with the marketing work.
We also collect and store information from contacts and leads in order to provide relevant marketing training, advice, and sales recommendations. This information is available to staff across the company.
The information we store about each client or contact is available to that client or contact on request, and we will delete any data when requested by them.
All client or contact information is held only in the designated cloud software applications (OneDrive, iCloud) or stored locally on staff computers which automatically lock after 30 seconds of inactivity.
Risks and Impact Assessment
- Risk: Staff computer or account hacked, and contact information accessed
- Impact: client data leaked and shared online. Potentially websites hacked and personal data leaked.
- Mitigation: where possible, data is stored in cloud services like Google Drive which have login protection and two-step verification when accessed from new locations or IP addresses. Staff are required to change all passwords every 3 months.
- Risk: Staff member leaves and takes personal data with them
- Impact: client data leaked and shared online. Potentially websites hacked and personal data sold
- Mitigation: an offboarding process which promptly removes access once a staff member's employment ends.
Training
All staff are trained on the following:
- Password and account security
- Data handling (including data storage methods and types of data to never store)
- Device security
Breach Notification
A data breach is any event that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
If any staff members notice that this has happened they are required to immediately notify their manager. Following notification of a breach, we will:
- Assess the impact of the breach
- Notify the relevant parties immediately
- Investigate the cause of the breach
- Rectify any security vulnerabilities or processes to minimise the chance of this happening again
Right of Access
If an individual requests access to their personal data, this request is to be immediately passed to the Data Protection Officer who will:
- Confirm the data being processed
- Provide full access to their data stored in our various software systems, via email.
We will respond to all such requests within 1 month.
Data Disposal
Individuals have the right to be forgotten and can request that their data is erased. We will erase all records held for that individual/company including:
- CRM records
- Documents and files
Data Processor Contracts
We have written contracts with our data processors governing the processing of personal data.
Data Protection Impact Assessments: We conduct DPIAs whenever we add a new piece of software to our workflow which will store or process personal data. Each DPIA includes a description of the processing operations and their purposes, an assessment of their necessity and risks, and details of the controls put in place to reduce those risks.
Information Security Policy
Every staff member is required to adhere to this policy and to abide by our data guidelines:
- Passwords must be changed on the three-monthly cycle and at any other time when management requests
- No data should be collected and retained other than what is necessary to carry out the work that has been requested of us
- Any requests for access to data, requests to be forgotten, reports of a breach, or any other matter relating to management of or access to personal data should be immediately passed to Darren Price at info@aaa-cert.co.uk