Our Approach to the GDPR
We believe greatly in the principles of the General Data Protection Regulation (GDPR), under which the law requires us to process data fairly; for specified purposes; limited to what is necessary and for as long as necessary; and to ensure data is accurate and secure. But GDP Armour tries to go further than just adhering to the law, and puts data protection at the centre of our relationship with stakeholders. We think good data protection is crucial to building customer relationships, so the standard we set ourselves, and promote to our clients, is to focus on TRUST. To this end we have a useful acronym to help illustrate what that means to us, and ensure that we always process Personal Data in a manner which is:
Transparent, Responsible, Unobtrusive, Secure and Temporary.
Under this standard, we never collect data or process any data in a manner which we think would surprise people, and we hope to exceed expectations in being forthcoming about our data processing. We always carefully consider our legal bases for processing under the GDPR for every single field of data we collect, and we make every effort to only process data when we absolutely must to comply with our legal and contractual obligations, and when we feel there is a significant justification that the Processing is necessary for our business to function. We take measures to keep data secure and protect against unauthorised access, and we take particular care before collecting and holding any data that people would generally be concerned to know is floating across the internet indefinitely, and outside their control.
General Web Users
We only collect the bare minimum amount of data about our web users, limited to what they fill out in our forms so that we can contact them with data protection news and internal updates. We use Fasthosts.co.uk to operate our website, which may process IP addresses to produce anonymised web analytics to assess the effectiveness of our website. We do not otherwise collect or use any information about our web users to develop comprehensive profiles of customers. Most internet users would be shocked by how much of their information is collected by visiting a website. We think this is wrong, and goes against our principles of being transparent and unobtrusive.
Our website uses the following cookies to enable online login and site settings only:
For more information about our cookies please check your browser’s cookie settings.
When users sign up to our mailing list we only record the information that they input into the form and do not collect any other online metadata, IP address or other information to produce comprehensive profiles of individuals who read our website. Information recorded in our mailing list contact form is processed by Mailchimp for the purpose of marketing, which qualifies as a legitimate interest under the GDPR. As such we do not ask for consent to market to our contacts and have a policy of emailing people as little as possible because we understand that the public can be fatigued by an over-abundance of marketing emails. We store this information for a period of five years, whereupon we will ask all the contacts in our mailing list if they are happy that we continue to send them marketing information. We will never share the personal data of our contacts with any marketing organisation or any other third party. If this ever changes we will seek the express consent of the individuals.
When our clients and their employees subscribe to receive our training updates we use their contact information only to send them regular information emails, and this processing is on the basis that it is necessary for our Legitimate Interest in fulfilling a service for our clients. Users have the ability to opt out of these emails at any time.
As part of GDP Armour’s compliance assessment process we ask our Clients to fill in surveys and questionnaires to give us detailed information about how their business operates and highlight areas where GDPR compliance issues may arise. As part of this process we will collect some personal information including the respondent’s name and contact information, and potentially other information they include in their answers. This information will be used only for the process of forming consultancy and advice based on the responses given and will be deleted once this process is complete. In some instances we may provide copies of the information we receive to the Client, who for this purpose is acting as a joint controller. We encourage our clients to destroy this information as soon as it is no longer relevant to the consultancy process.
Where our B2B marketing leads are named individuals we follow the advice of the ICO that the email address belongs to the corporate subscriber, and therefore “rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages”, so we protect the individual’s data and ensure that we provide individual employees with an opt-out. We do not buy in compiled lead lists from third parties. Our marketing policy may be subject to change with the introduction of new ePrivacy Regulations.
We also make use of some targeted online marketing using Google Adwords and Facebook Ads and sponsored posts. We do not ourselves process any of your personal data for the distribution of these ads, and both Google and Facebook are responsible for ensuring their own Data Protection compliance when running their targeted advertising platforms. We stay up to date with issues around their GDPR compliance, and our use of their platforms may be subject to change in the future. If you respond to our ad or post a message to us on Facebook we may come to receive some of your Personal Data, which will be processed under Facebook’s terms of service. We may use this information to make contact with you and add your details to one of our marketing lists, in which case your details will be processed under the terms specified above.
All personal information collected and processed in the course of emailing us is also protected by the GDPR, and we take appropriate measures to ensure our email servers are secure and access is limited to the person who controls the email and our IT administrators. Any personal information which we unwittingly come to control in the content of an email shall be assumed to be with the authorisation of the Data Subject, as we are unable to predict what this information may be. Email correspondents should refrain from sharing the personal details of others without the individual’s permission, and any such information shall be processed under Article 14.5 of the GDPR, which absolves us of our obligation to contact every Data Subject mentioned to us due to the disproportionate effort. The contents of our email servers will be purged so that no content is older than six years, to fulfil our legitimate interest in keeping adequate records of our contact with clients and other stakeholders, and to provide evidence in any potential legal claims that may arise within the limitation periods of the Limitations Act 1980.
How we secure your data
The Personal Data we obtain is stored with our third-party web service providers (Processors) for cloud storage, web and email hosting and email marketing. All our Data Processors store data on secure servers in Europe and the US under appropriate safeguards which are deemed adequate by the European Council. We may also engage freelancers and contractors to work for us, and we only engage Processors who agree to binding terms in compliance with Article 28 of the GDPR. We also store information on our Company IT systems, which are password protected, encrypted and usually stored within locked premises with no public access. When using our IT systems away from our premises we adhere to the highest standards of practical security by avoiding publicly available Wi-Fi, which is vulnerable to attack. We have appropriate security measures in place to ensure that any breach of our systems resulting in the theft of our data can be resolved by remote wiping of our hard drives, and in the event of loss or destruction we can rebuild our systems from backup within 24 hours.
We retain Personal Data only for as long as we require to fulfil the purpose it was originally obtained for, where we must also retain data to comply with our legal and contractual obligations, and, where applicable, to keep records which may be used as evidence in legal claims. For example, we retain all the data we hold about our clients for the duration of our engagement with them, plus a period of seven years to allow for the statutory maximum timeframe under the Limitations Act. We retain marketing information for no longer than five years after the last contact was made.
Your Rights under the GDPR
As a ‘Data Subject’ of GDP Armour, you retain all statutory rights, including:
- to access the information we hold about you;
- to order us to erase or amend the data, or to restrict or cease processing;
- to transfer your data to another service provider within reasonable limits.
We always intend to uphold the rights of our Data Subjects unless there is a legal exemption which prevents us from doing so, such as if we have collected your data to perform a contract with you and need to continue processing that data to perform the contract. Any such request should be made to our Director and Chief Data Officer, David Charity, at firstname.lastname@example.org. You also have the right to make a complaint to the Information Commissioner’s Office about all matters relating to your data protection rights. Visit www.ico.org for more information.