Data Protection Policy
Last updated: 21st July 2023 | Revision 3
This policy applies across the whole of the Ideagen Group and complies with the requirements of widely recognised good information security practice. It will:
- Assist staff to apply the correct levels of data protection and privacy controls to their day-to-day activities in line with good practice and applicable regulation and legislation.
- Assist with the development and commissioning of new processes and systems by detailing the required privacy settings and standards.
The policy will be available, as the correct up-to-date version, to all staff. Any departments or staff who have a requirement to store or otherwise use hard copies of this policy should ensure that they frequently check that they have the latest version of the policy and refer any queries to the information security team. They should also ensure that any old, outdated versions of this document are destroyed and replaced as necessary.
The purpose of this policy is to document the technical and organisational measures that Ideagen has in place to demonstrate compliance with the GDPR, the UK GDPR, the Data Protection Act 2018, California Consumer Privacy Act, California Privacy Rights Act, other US state privacy regulations and any other data protection and privacy regulation and legislation.
This policy applies to all information and information assets owned or operated by Ideagen and the entire Ideagen Group and all of its employees, contractors, third-party agents and anyone who is working with or on behalf of any part of the Ideagen Group. Every relevant element of privacy laws and regulations is in scope, and the content of this policy shall reflect, as fully as possible, all requirements and processes that are applicable to Ideagen.
Non-compliance with this policy and, more importantly, with the underlying legislation and regulation, can result in investigation and potentially fines that would have a serious impact on the business. These fines are higher than under previous legislation, which in turn increases the risk. There are additional risks of reputational damage and negative impact to Ideagen’s brand should there be a breach or non-compliance.
Implementing the Policy
What is the GDPR?
The General Data Protection Regulation (GDPR), which came into force on 25th May 2018, is a legal framework which regulates and protects the processing of personal information of individuals who live in the European Union (EU) and aims to strengthen and unify data protection laws for all individuals across the EU. It consists of 99 “Articles”, which outline data protection laws and principles that expand the privacy rights granted to individuals, give them power over the use of their personal data and hold organisations accountable for their data collection and usage practices. Though it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, so long as they target or collect data related to people in the EU.
Regardless of where they are located globally, the GDPR affects organisations if they:
- have businesses established in the EU;
- offer goods or services to anyone in the EU;
- collect, store, transfer or use personal information about European citizens.
If an organisation processes the personal data of EU citizens or residents, or they offer goods or services to such people, then the GDPR applies to that organisation, even if they are not in the EU.
The GDPR requires organisations to be transparent about the personal data they handle and have a legitimate purpose for using it. This requires organisations that collect personal information to better inform users about what information is being collected, and how it is being used. It also requires them to give users more control over these actions.
It can no longer be assumed that an individual opts in by default; consent must be obvious and well informed. The GDPR also empowers individuals to withdraw consent, request their data, and even be completely erased from any and all data collection archives in certain instances, although erasure is not an absolute right.
The Data Protection Principles of GDPR
If you process data, you have to do so according to seven protection and accountability principles outlined in GDPR Article 5.1-2:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject;
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it;
- Data minimisation — You should collect and process only as much data as absolutely necessary for the purposes specified;
- Accuracy — You must keep personal data accurate and up to date;
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose;
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption);
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Data Protection by Design and by Default
Practically speaking, this means that an organisation must consider the data protection principles in the design of any new product or activity. The GDPR covers this principle in Article 25. Suppose, for example, we are launching a new app for our company. We need to think about what personal data the app could possibly collect from users, then consider ways to minimise the amount of data collected and how we will secure it with the latest technology.
People’s Privacy Rights
The GDPR recognises several new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organisations. Organisations must understand these rights to ensure they are GDPR compliant. These data subjects’ privacy rights are listed below:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Subject Access Request and Data Deletion Request
Where Ideagen receives any request under the GDPR, UK GDPR, Data Protection Act or any other relevant privacy legislation the data subject raising the request will be provided with all of the relevant information to ensure any such request is fulfilled as fully and properly as possible.
Where Ideagen is the data controller (different definitions may apply under different regulations, e.g. the CCPA equivalent of a controller is a ‘business’), the request will be actioned and the requestor provided with the requested information or confirmation that the deletion has taken place (subject to the nature of the request).
Where Ideagen is the data processor (different definitions may apply under different regulations, e.g. the CCPA equivalent of a processor is a ‘service provider’), the requestor will be referred to the data controller to raise the request directly. Ideagen will inform the data controller of the request where the data controller has been identified (in line with Ideagen’s obligations under the contract).
When You are Allowed to Process Data
GDPR Article 6 lists the instances in which it is legal to process personal data.
Organisations should not consider touching somebody’s personal data (don’t collect it, don’t store it, don’t sell it to advertisers) unless they can justify it with one of the following:
- The data subject gave you specific, unambiguous consent to process the data (e.g. they have opted in to your marketing email list);
- Processing is necessary to execute, or to prepare to enter into, a contract to which the data subject is a party (e.g. you need to do a background check before leasing property to a prospective tenant);
- You need to process it to comply with a legal obligation of yours (e.g. you receive an order from the court in your jurisdiction);
- You need to process the data to save somebody’s life (e.g. you will probably know when this one applies);
- Processing is necessary to perform a task in the public interest or to carry out some official function (e.g. you are a private refuse collection company);
- You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it is a child’s data.
The UK Information Commissioner’s Office (ICO) provides helpful guidance here.
Once an organisation has determined the lawful basis for its data processing, it needs to document this basis and notify the data subject (transparency!). And if it decides later to change its justification, it needs to have a good reason, document this reason, and notify the data subject.
There are strict rules about what constitutes consent from a data subject to process their information. These rules are as follows:
- Consent must be “freely given, specific, informed and unambiguous”;
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”;
- Data subjects can withdraw previously given consent whenever they want, and organisations need to honour their decision. The organisation can’t simply change the legal basis of the processing to one of the other justifications;
- Children under 13 can only give consent with permission from their parent;
- Organisations need to keep documentary evidence of consent.
GDPR Enforcement & Fines
The fines for violating the GDPR are very high. Based on the seriousness of the breach, organisations can face penalties of up to:
- €20 million or 4% of annual global turnover, whichever is greater.
In addition to these fines, issued in the UK by the Information Commissioner’s Office (ICO), data subjects also have the right to seek compensation for damages. Ultimately the damage to an organisation’s reputation, brand and share price will likely be the most motivating consequence.
Records of Processing Activities
GDPR Article 30 requires data controllers and processors to maintain a record of processing activities under their responsibility. Ideagen’s approach to demonstrating compliance with Article 30 is with reference to the contract or Master Software and Services Agreement (MSSA) under which software and services are supplied to the customer. This is managed by the Ideagen Legal team and held within the Customer Relationship Management system (CRM) and Contract Management System (CMS).
Under the GDPR, organisations are required to report data breaches to the appropriate authorities if it will “result in a risk for the rights and freedoms of individuals”. The breach notice must be submitted within 72 hours of first having become aware of the problem. If there is a high risk of harm, organisations must notify any affected data subject as soon as possible.
Everyone within Ideagen has a responsibility to report an actual or potential data breach. It is important that if you identify or suspect a breach you report it without delay. Contact our DPO, inform your line manager, and then complete a Data Security Breach, Incident and “Near Miss” form in Coruson.
Ideagen’s Data Protection Registrations and Licences
Organisations processing data are legally required to hold the relevant data protection / data privacy licences with the Information Commissioner’s Office (ICO), which are reviewed annually.
We hold licences for the various Ideagen legal identities, including those for the various subsidiaries and recently acquired organisations. These licences can be viewed within the following document:
GDPR Training & Awareness
There are two mandatory GDPR e-learning training courses which are assigned to everyone on the following online platforms:
- KnowBe4 – Initial basic GDPR course
- WorkRite – Additional detailed GDPR course (including a basic test to assess awareness and understanding).
Everyone will receive automated notifications (both platforms are accessed via Single Sign On (SSO)) and the courses must be completed in a timely manner. Courses will also be assigned on an annual basis as part of GDPR refresher training activities. For incomplete courses, automated escalation emails are in place and Line Managers are required to ensure that their team members complete all mandatory courses assigned to them (in WorkRite and KnowBe4).
In addition to the above, the Privacy and Compliance team provides ad hoc training to the business to broaden the training available as required.
Data Protection Officer (DPO)
Organisations that are involved in regular and systematic monitoring of data on a large scale, or process sensitive personal data, are obliged to employ a Data Protection Officer (DPO).
The basic tasks of the DPO involve understanding the GDPR and how it applies to the organisation, advising people in the organisation about their responsibilities, conducting data protection training, conducting audits and monitoring GDPR compliance, and serving as a liaison with regulators, including the reporting of any data breaches to the relevant authorities.
If anyone has any GDPR related questions, please contact Ideagen’s nominated Data Protection Officer (DPO) as follows:
Name: Jolyon Canlin
Title: Head of Compliance and Group DPO
Department: Legal, Risk and Compliance
Compliance with this policy is mandatory for all Ideagen employees, contractors, and agents. Suspected or actual non-compliance with this policy must be reported immediately. Non-compliance with the policy may lead to disciplinary action. Where such non-compliance may constitute criminal activity, Ideagen reserves the right, at its discretion, to report the matter to the relevant authority.
Review and Revision
This policy shall be reviewed and updated regularly by the policy owner, at least once a year. Any revision which includes material changes will need to be signed off by the Risk & Security Working Group prior to being published. It may be subject to review by an auditor external to Ideagen if required, to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.