Privacy and data protection at DPP
Introduction and scope
This document has been written to provide you with information about how we are handling or intend to handle personal information. It sets out the basis on which any personal data we collect, create or otherwise obtain from or about you will be processed by us. Please read it carefully to understand our views and practices regarding your personal data and how we will treat it.
This privacy notice concerns personal data we use relating to: a) visitors to our website; b) our suppliers; c) people who use our social media channels; d) our actual and prospective customers; and e) users of our personal information management system, DataWise. It does not relate to personal data we use relating to employees – privacy information about employees is contained in our employee handbook.
References to the GDPR include both the UK GDPR and EU GDPR as appropriate and applicable to our UK-based and EU-based customers.
Data Protection Compliance Management Policy
The Board of Directors and management of Data Protection People Ltd (DPP) are committed to compliance with all relevant Data Protection Legislation. We have formally delegated appropriate powers and responsibilities to our personnel to ensure that the business is able to comply with relevant data protection legislation and its own defined standards in the field of data protection and information governance.
The organisation maintains a suite of policy documents and procedures setting out its expectations and business processes to work within the 7 data protection principles and fulfil its obligations as a data controller and data processor. These documents are reviewed periodically to a) test their adequacy in meeting the legal standards as they change over time, and b) test the organisation’s compliance with them. DPP will ensure that all relevant personnel and/or other persons it commissions to process personal data on its behalf, either directly or indirectly, have received appropriate and sufficient training in the application of the organisation’s policies.
The organisation shall uphold the rights and freedoms conferred on people by data protection legislation and ensure that those rights and freedoms are appropriately taken into account in the decisions it takes which may affect people.
About our processing activities
DPP collects and uses information about its customers and prospective customers and suppliers including:
Sales prospecting and business development
When we are prospecting for business and interacting with customers we may use an individual’s name, organisation/employer, address, telephone numbers (business and, where supplied, personal), email, job title, and information about interests and hobbies we think might be useful to help build a commercial relationship. We obtain this information from a number of sources including directly from the data subject, through referrals from other people, from public sources such as LinkedIn and other networking channels, and from third-party databases including Cognism (https://www.cognism.com/).
We use this information to compile and maintain lists of people who are or we think may be interested in what we do. We also maintain records of emails, and other correspondence and notes from meetings, conversations etc. to help us develop and continue business relationships. We undertake all this processing pursuant to our legitimate interests as a commercial business in our attempt to develop and grow our business.
Customers General
We keep records of quotations and sales proposals, purchase orders, agreements and work instructions we issue/receive. We may collect information about other people in a customer’s workplace (e.g. point of contact for finance and operational escalation). We do this to assist us in our business operations and delivery under our legitimate interests of business efficiency.
We collect information when our customers raise support tickets which may include information about other people such as their colleagues, customers or third-parties. We process this on the basis of the legitimate interests of us (to fulfil our contract to provide support and consultancy services to our customers) and them (to obtain expert advice on data protection legal-related matters).
We seek feedback and testimonials from our customers at intervals such as, when we close a support ticket, when we finish a job, or on other occasions. Providing feedback is entirely optional and voluntary. We use this feedback to monitor our business performance and to promote our services. We do this pursuant to our legitimate interests to develop and grow our business.
Training Services
If you take part in any of our training we will collect information about you including that listed above where relevant plus information about your attendance and participation in the training program such as times and dates of attendance, and your responses to questions, tests, and examinations. We will make assessments of your skills and knowledge which we may share with your employer if we think this to be appropriate and relevant to the learning objectives. We process this on the basis of our legitimate interests (to fulfil the contract to provide training), those of the learner, and/or those of the individual or organisation commissioning the training.
SAR Services
When we undertake work on our customers’ subject access requests through our SAR Services, we may be acting as a data processor and/or a data controller. For example, if you engage us to deduplicate a data set for you, we will undertake that as a data processor. Where you engage us to perform redaction on documents, we may undertake that work as a processor or controller depending on factors such as the scope of work and instructions you provide. As our SAR Case Workers exercise a degree of skill and discretion when reviewing and redacting documentation, it may be that we act as a data controller. In those cases the lawful basis for our processing is pursuant to the legitimate interests of our customer in fulfilling their obligations in relation to the right of access of data subjects. Where the data set provided contains special categories of personal data, our processing is undertaken pursuant to the substantial public interest of enabling our customer to fulfil its statutory obligations set out in the GDPR. The processing is necessary where our customer has determined that it is more effective and efficient to engage with us to undertake the processing.
Audits
When we undertake any form of audit or compliance assessment we will review a range of data including personal data which might include information about an organisation’s employees, suppliers and customers. The purpose of the processing is to determine the extent to which the entity being assessed is able to demonstrate compliance with the standard or legislation we are assessing them against.
Exemption from providing privacy information
Where such processing falls under the scope of the GDPR, it is likely that we undertake processing as a data controller. We consider that it would involve a disproportionate effort to inform all of the data subjects whose personal data we process for the purpose of a compliance assessment (Article 14(5)(b)), and so we are not required to provide privacy information. By way of example of that disproportionate effort, we might review a subject access request to determine if exemptions have been applied appropriately; we do not consider it proportionate to require us to inform every data subject whose personal data we review for this purpose, because our processing has no measurable impact on the data subjects. We would further expect our customers to state in their privacy notices that personal data may be used for governance purposes. The lawful basis for processing during an audit is pursuant to the legitimate interests of our customer, which are to test their compliance with a particular standard or law, as well as pursuant to our own legitimate interests of providing audit services.
DPO
When we act as a data protection officer (DPO) or undertake a data protection project we are most likely to be processing as a data controller. In the case of acting as a DPO, we must act as a data controller to ensure that we have sufficient independence as required by Article 38(3) of the GDPR. In many cases we will rely on the exemption from providing privacy information referred to above. In other cases we will rely on our customer to provide for our processing of personal data within their privacy notices. Where necessary we shall provide privacy information to data subjects in our capacity as an independent data controller acting as a DPO or when undertaking a compliance project. The lawful bases for our undertaking DPO contracts and compliance projects are the legitimate interests of our customer to contract in expert data protection services and ourselves to provide such services.
DataWise
DataWise is our commercially available personal information management system (PIMS). DataWise customers are data controllers of the data they record in DataWise: DPP is a data processor providing DataWise through a software as a service (SaaS) platform. Our master services agreement contains Article 28 compliant data protection clauses. Contact us for further information about DataWise.
Recordings and podcasts
We might collect audio and video recordings of you: a) if you attend any training or seminars via video conferencing with us; b) if you leave us voice mail messages on our equipment; c) if you participate in our podcast; d) when we conduct an audit. We will not undertake recordings without first making you aware. The lawful bases for making recordings are our legitimate interests, which include the promotion of our business and services (e.g. podcasts) and the maintaining of records of conversations and meetings (e.g. audit evidence). Recordings may also be made pursuant to the legitimate interests of third parties (e.g. learning and development derived from our podcasts).
Social media and marketing
We consider any comments left on our social media presence such as our blogs and other content to be information made publicly available by the data subject. The lawful basis for processing is pursuant to our legitimate interests of promoting our business. We reserve the right to re-publish information created on our social media platforms pursuant to our legitimate interests of marketing and promotion and content aggregation and business efficiency.
Digital marketing
When we undertake digital marketing activities such as outbound telephone marketing or email marketing, it is our objective to engage with people in their professional lives/capacity. As such, we shall use reasonable endeavours to ensure that we do not use personal, non-business contact information, and we intend to rely on our legitimate interests to undertake business to business marketing activities. We check telephone numbers against the TPS and CTPS prior to making calls. On occasion we may be given or obtain a personal (subscriber) phone number or email address which we use not knowing that it is a personal contact number/email. If we use such a personal contact method without consent, firstly we apologise in advance should this occur, and secondly, we will undertake appropriate remedial action to add the contact details to our “do not contact” suppression list where the matter is raised with us.
We send out a monthly newsletter by email to inform those who express an interest in our business, or who we think may be interested in our work, about our activities and about news such as developments in the regulatory framework related to our services, for example PCI DSS, cyber security, and information rights law and practice.
Cookies, pixels etc.
We may use cookies and pixels and similar technologies on our website and in emails. The purpose of these cookies is set out in our cookies policy. We recognise that cookies and similar technologies may only be used with prior consent and endeavour to meet this obligation. We anticipate that most of our email communication will be in the context of offering services to business for the purposes of their compliance with standards and legislation.
Business and regulatory purposes
We will process personal data for the purposes of managing our own business and regulatory activities. These purposes include, financial and accounting record-keeping and credit control, company secretarial, audit, governance and risk management, health and safety, information security and similar purposes. The lawful basis for this processing is pursuant to our legitimate interests of operating a business. Our processing of some information is mandatory under UK laws (e.g. for financial, taxation, health and safety or information governance purposes).
Sharing/Disclosing Personal Data
Data processors we have appointed to provide SaaS services include Salesforce.com (our principal database system), Xero.com (financial record-keeping), Microsoft (our principal supplier of data storage (SharePoint), collaboration (Teams/Outlook) and office software (O365)), Google, MailChimp, InfoSec People.com (information security and VoIP services), and Adobe (document storage).
We disclose personal data to other data controllers such as those who provide professional services or legal advice (e.g. in relation to litigation and contracts, employment, health and safety, and other regulatory functions), financial, audit and accountancy services (Azets), debt collection services (Daniels Silverman), and marketing services (e.g. Trio and Fairburn Concepts).
Our DataWise platform is built on Salesforce.com.
Our SAR Support services utilise SaaS services to enable document storage and data manipulation functionality, which include Adobe, Nuix, and Otter.AI.
We may disclose personal data to other organisations who assist us to deliver our products and services such as sub-contractors and associate consultants.
We may disclose personal data where we receive a lawful request for disclosure (e.g. from the police). We may also disclose personal data pursuant to fulfilling our role as a data protection officer or privacy officer for a customer (e.g. to the ICO, other controllers and processors).
Note that this is an indicative list. Please contact us if you would like further information about disclosures we may make.
International Transfers
We may transfer personal data out of the UK either directly or through our use of certain data processors. Whenever we arrange for restricted (international) transfers of personal data overseas we will ensure that arrangements are in place to provide suitable safeguards for the people whose information we transfer. For example, when we appoint data processors we check that suitable arrangements are in place such as Adequacy Regulations, binding corporate rules, international data transfer agreements, standard contractual clauses, or another permitted mechanism. The restricted transfers we make include transferring personal data to the EU (Germany and Ireland), New Zealand, and the US under the UK Extension to the EU-US Data Privacy Framework and/or standard contractual clauses. Further information about the safeguards related to the restricted transfers we make can be provided on request.
Data Retention
We hold personal data for the length of time that we need it for the purposes set out above. Most information is retained for at least seven years to support our financial record-keeping obligations and to enable the business to defend itself in the event of legal action. Information used for sales and marketing and cultivating business relationships may be retained for as long as we deem it to be relevant to fulfilling the purpose.
Where we act as a data processor, or when fulfilling SAR services, we retain personal data related to those services for as long as our customer’s instructions permit/require.
We retain audit evidence for a minimum of three years.
Your Rights
You have certain rights set out in data protection law, including the right to request access to and rectification or erasure of personal data that we hold about you; a right to object to, and to request a restriction of, our processing of your personal data; and the right to data portability. Where we process your personal data based on consent you have the right to withdraw your consent at any time. You can exercise these rights at any time by contacting us at [email protected]. You also have a right to lodge a complaint about us with the Supervisory Authority (the Information Commissioner’s Office (ICO) in the UK) via www.ico.org.uk, [email protected] or 0303 123 1113.
How to Contact Us
For further information regarding your personal data or about DPP’s approach to data protection in general please contact our Privacy Officer (PO) at:
Data Protection People Ltd, The Tannery, 91 Kirkstall Rd, Leeds, LS3 1HS
(t) 0113 869 1250
Version Control
Version 3.0 Issued 30th October 2024