Data Protection Policy
Definitions
In this Policy, where a phrase uses 'Capital Letters', it is a defined term and has the meaning set out below. We recommend you refer to this section as you read through the Policy.
Anonymous, Anonymised or Anonymising:
Amending data so that the identity of the individual it concerns is permanently removed.
Automated Decision Making (ADM):
When a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision Making (unless certain conditions are met) but not Automated Processing.
Automated Processing:
Any form of automated processing of Personal Data where an individual's Personal Data is used to evaluate them. This includes where the processing is used to analyse or predict the individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Company or Beyond Encryption:
Beyond Encryption Limited (company number 08814096) of 1 Gloster Court, Whittle Avenue, Fareham, Hampshire, England, PO15 5SH.
Company Personnel:
All employees, workers, contractors, agency workers, consultants and directors.
Consent:
Agreement which must be freely given, specific, informed and unambiguous. Consent is an indication of the Data Subject's wishes that they, by a statement or by a clear positive action, agree to the Processing of Personal Data relating to them.
Data Controller:
The person or organisation that determines when, why and how to process Personal Data. The Data Controller is responsible for establishing practices and policies which conform to the GDPR and data protection law. We are the Data Controller of all Personal Data relating to Company Personnel and of Personal Data used in our business for our own commercial purposes. We are the Data Processor for our Users'/Clients' data.
Data Subject:
A living identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country (i.e. they do not need to be within the EU and/or UK).
Data Protection Impact Assessment (DPIA):
A specific type of assessment used to identify and reduce the risks associated with a data processing activity. A DPIA is often carried out as part of Privacy by Design.
EEA:
The member states of the EU (currently 27), plus Iceland, Liechtenstein and Norway.
Explicit Consent:
Consent which requires a very clear and specific statement (that is, not just an action).
General Data Protection Regulation (GDPR):
The General Data Protection Regulation ((EU) 2016/679), which applied in the UK from 25 May 2018. Since the end of the Brexit transition period on 31 December 2020 the GDPR has been retained in UK law as the 'UK GDPR', read alongside the Data Protection Act 2018; references to the GDPR in this Policy should be read accordingly.
Information Commissioner's Office (ICO):
The Data Protection Regulator in the UK, whose website is https://ico.org.uk/. The ICO has useful guidance on its website which complements this Policy.
Personal Data:
- Any information identifying a Data Subject; or
- Any information relating to a Data Subject and we can identify that Data Subject (directly or indirectly) from:
- that information alone; or
- by combining that information with other identifying information we possess or can reasonably access.
Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes Anonymous data. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach:
Any act or omission that compromises:
- the security, confidentiality, integrity or availability of Personal Data; or
- the physical, technical, administrative, or organisational safeguards that we or our third-party service providers put in place to protect that data.
The loss or unauthorised access, disclosure or acquisition of Personal Data is a Personal Data Breach.
Policy:
This Data Protection Policy.
Privacy by Design:
Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with GDPR.
Privacy Notices:
Separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or a website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose. Privacy Notices are also sometimes called 'Privacy Policies'.
Processing or Process:
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data or carrying out any technical operation on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised:
Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the Data Subject cannot be identified without the use of additional information (like a written 'key') which is meant to be kept separately and secure. Pseudonymised data is usually Personal Data because the Company has access (or can reasonably access) both the pseudonymised information and the 'key'.
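As an added illustration (not part of the Policy or the Company's own code), the following Python shows the distinction the definition draws: a keyed pseudonym that only the holder of the separately stored key can recompute or link back, a plain hash that an attacker can reverse simply by guessing the input, and true anonymisation that no key can undo. The record, the candidate addresses and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data for the example (hypothetical, not from the Policy).
RECORD = {"name": "Alice Example", "email": "Alice@example.com", "role": "analyst", "salary": 52000}
DIRECT_IDENTIFIERS = ("name", "email")
# Addresses an attacker could plausibly guess (e-mail formats are predictable).
CANDIDATES = ["bob@example.com", "alice@example.com", "carol@example.com"]


def normalise(value: str) -> str:
    """Canonical form, so the same person always maps to the same token."""
    return value.strip().lower()


def unkeyed_digest(value: str) -> str:
    """Plain SHA-256 of the value: NOT a pseudonym, because anyone can recompute it."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'additional information' that
    must be stored separately; without it the token cannot be recomputed or reversed."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed tokens; other fields are left as they are."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonym(record[field], key)
    return out


def anonymise(record: dict) -> dict:
    """Permanent removal: identifiers dropped and salary coarsened to a 10k band.
    No key exists that could undo this, so the result is Anonymous data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["salary"] = (record["salary"] // 10_000) * 10_000
    return out


def reidentify_by_guessing(target: str, candidates: Iterable[str],
                           digest: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute `digest` over guessable inputs until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(digest(candidate), target):
            return normalise(candidate)
    return None


def demo() -> dict:
    """Run the comparison end to end and return the observations."""
    key = secrets.token_bytes(32)  # kept separately from the pseudonymised data
    pseud = pseudonymise(RECORD, key)
    return {
        # Attacker holding the plain hash and a guess list recovers the address.
        "unkeyed_reversed": reidentify_by_guessing(unkeyed_digest(RECORD["email"]), CANDIDATES, unkeyed_digest),
        # Same attacker against the keyed token, without the key: nothing matches.
        "keyed_without_key": reidentify_by_guessing(pseud["email"], CANDIDATES, unkeyed_digest),
        # The controller, who holds the key, can still link the token back: still Personal Data.
        "keyed_with_key": reidentify_by_guessing(pseud["email"], CANDIDATES, lambda v: pseudonym(v, key)),
        "anonymised": anonymise(RECORD),
    }


if __name__ == "__main__":
    print(demo())
```

The point for practitioners is the second and third results together: the keyed token resists guessing by anyone without the key, yet the Company, which holds the key, can still re-identify the record, which is exactly why the definition says Pseudonymised data is usually still Personal Data. Hashing an e-mail address without a key gives neither property.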
Responsible Person:
An organisation can appoint a Data Protection Officer to lead data protection compliance within its business. We are not legally required to appoint a Data Protection Officer and have instead nominated the Quality and Compliance Manager as the Responsible Person: the person within the Company who acts as the central point of contact for all matters relating to data protection. For our company this is Huw Thomas, Quality and Compliance Manager, huw.thomas@beyondencryption.com.
Sensitive Personal Data:
Information revealing an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. Sensitive Personal Data also includes Personal Data relating to criminal offences and convictions.
Introduction
This Policy sets out how Beyond Encryption Limited ("we", "our", "us", the "Company") handles the Personal Data of our customers, our suppliers and other third parties.
This Policy applies to all Personal Data we Process, on any medium (e.g. on paper or electronically), whether it relates to past or present Data Subjects. This includes current or former Company Personnel, customers, client or supplier contacts, shareholders and website users of the Company.
Scope
In our business, we adhere to the data processing principles set out in the Data Protection Act 2018 and the UK GDPR. By treating Personal Data correctly and lawfully, we protect the confidence that our staff, customers and third parties have in our business, as well as our reputation in the marketplace.
Safeguarding the confidentiality and integrity of Personal Data is a critical responsibility and one that we take seriously at all times.
The Responsible Person (the Quality and Compliance Manager) is responsible for overseeing this Policy and for coordinating the Company's data protection compliance. Please contact the Responsible Person with any questions or concerns over the operation of this Policy or if you have any concerns that this Policy is not currently being followed.
Personal Data Protection Principles
A list of the principles of the UK GDPR is set out below. Beyond Encryption is responsible for upholding these principles in all day-to-day processing activities. Each principle is explained in more detail under the section of this Policy with the corresponding heading.
The Principles:
- Lawfulness, Fairness and Transparency. Personal Data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation. Personal Data must be collected only for specified, explicit and legitimate purposes.
- Data Minimisation. Personal Data must be adequate, relevant and limited to what is necessary for the purposes for which it is Processed.
- Accuracy. Personal Data must be accurate and kept up to date.
- Storage Limitation. Personal Data will not be kept for longer than is necessary to carry out the purposes for which the data was collected.
- Security, Integrity and Confidentiality. Personal Data will be Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
- Transfer Limitation. Personal Data will not be transferred to another country without appropriate safeguards being in place.
- Data Subjects' Rights and Requests. Personal Data will be made available to Data Subjects, who will be allowed to exercise certain rights in relation to their Personal Data.
- Accountability. We are responsible for, and must be able to demonstrate, compliance with the data protection principles listed above.
Lawfulness, Fairness, Transparency
The Company can collect, Process and share Personal Data provided it does so lawfully and fairly. Under the GDPR, Processing is lawful if it is carried out on one of the grounds listed in Article 6. Sensitive Personal Data requires, in addition to an Article 6 ground, one of the conditions listed in Article 9; an Article 9 condition on its own is not enough.
The following sub-sections list the Company's most-used lawful grounds for processing the Personal Data of customers, third parties and Company Personnel, using the wording of the relevant Articles of the GDPR.
Grounds for Processing customer, supplier, contractor and other third-party data
Under UK GDPR, the grounds we most commonly rely upon to justify our lawful and fair Processing of customer, supplier, contractor and other third-party data are as follows:
- Processing is necessary for the performance of a contract with the Data Subject or to take pre-contractual steps at the Data Subject's request. This includes, for example, where we Process a customer's Personal Data in order to provide them with a fee estimate for our services.
- Where the Data Subject contacts us on behalf of a company (e.g. where they are an employee of a business which supplies services to us or purchases products from us), our Processing of the employee's Personal Data (such as their name and email address) is justified on the ground that we have a legitimate interest in doing so, because we need to use those details to respond to the Data Subject's queries and to arrange the relevant agreements. To rely on the legitimate interest ground, we have to ensure we do not prejudice the interests or fundamental rights and freedoms of the Data Subject. This is a balancing act in which we weigh our business interests against the interests of the Data Subject, such as their wish to limit how businesses like ours use their Personal Data. The ICO has helpful guidance on the legitimate interests ground for processing at the following URL: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/legitimate-interests/.
- We also rely on the legitimate interest ground for processing where, for example, we have a legitimate interest in sending marketing material to existing customers or people who have made enquiries about our products and services in the past. In this example, the Data Subject's interests, and fundamental rights and freedoms are not prejudiced because recipients can opt out of receiving marketing materials at any time (e.g. by clicking 'unsubscribe' in one of our emails).
- We have the Data Subject's Consent. This is usually only required in the context of sending marketing communications where we cannot rely on the soft opt-in/legitimate interest grounds of Processing discussed above.
- The processing is necessary to meet our legal compliance obligations. This includes, for example, keeping proper accounting records.
Classification of Data
For this Policy, data is classified into the following categories, in line with the Data Protection Act 2018 and the UK GDPR.
Non-sensitive data
Data whose inappropriate use would not adversely affect an individual, for example:
- Management information reports which do not identify individuals.
- Any data which has been made a matter of public record.
Sensitive Data
Sensitive data includes:
- Any data identified by the Data Protection Act 2018 and any subsequent legislation as special category (sensitive) personal data, specifically data relating to ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual life, and offences or alleged offences.
- Data that, if lost or stolen, would be likely to cause damage or distress to one or more individuals. This includes, but is not limited to, human resources data or any information that is not a matter of public record.
- Any data which may reasonably be expected to be considered sensitive, personally confidential or commercially confidential, for example data or materials pertaining to existing or planned developments which may be of interest to a competing organisation.
Highly Sensitive Data
Data which, if used inappropriately, may have a significant impact on Beyond Encryption or on an individual employee or Beyond Encryption user; in particular, employee or user banking details or any other data that could be used for an illegal purpose, e.g. identity fraud.
Specifying the legal ground for Processing
For each Processing activity we carry out, we will always identify the legal ground we are relying on. If the legal ground is not already set out in the relevant Privacy Notice, then we will make a written record of our ground for processing.
Consent
As stated in the previous section, a Data Controller must only process Personal Data on the basis of one or more of the lawful grounds set out in the GDPR. One of these grounds is Consent. There are rules in the GDPR about the form Consent has to take for it to be a valid justification for the Processing.
A Data Subject consents to Processing of their Personal Data if they indicate their agreement clearly. This can be done by giving a statement (e.g. saying "I agree" over the telephone) or by another positive action (e.g. ticking a box on a web page). Because Consent requires an affirmative action, silence, pre-ticked boxes or inactivity do not constitute Consent and are not used. If a document requests Consent to Data Processing, then the way the Data Subject gives their Consent will be kept separate from other matters in the document. Often this will involve inserting a separate data protection section into our documents or webpages to ensure the Consent is 'specific' to the Processing and 'unambiguous'.
Data Subjects have the right to withdraw their consent at any time. If a Data Subject tells us they are withdrawing their consent, then we will process that request promptly. Processing which was justified based on that (now withdrawn) Consent should be stopped unless another lawful basis for Processing can be identified.
We confirm that if consent is withdrawn, we will NOT send marketing communications on the legitimate interest basis by relying on the soft opt-in. Instead, all marketing communications to that person will be stopped unless they instruct us otherwise. Communications which concern their agreement or account with us (service announcements) will still be sent in the usual way, as it is our legal responsibility to issue these notices to our customers.
If we receive a Data Subject's Consent to Process their Personal Data for one purpose then additional consent may be required to Process that Personal Data for another purpose, unless the Data Subject has also agreed to that other purpose.
'Refreshing' Consent is necessary because Consent under GDPR is specific to the types of Processing which the Data Subject was told about when they gave the Consent. Data Subjects cannot Consent to types of Processing that they are not aware of.
Consent to Processing Sensitive Personal Data
Unless we can rely on another legal ground for Processing, Explicit Consent is usually required for Processing Sensitive Personal Data, for Automated Decision Making and for data transfers outside of the EEA. Usually, we will be relying on another legal basis (so do not require Explicit Consent) to Process most types of Sensitive Data but where Explicit Consent is required, we will send a Privacy Notice to the Data Subject to capture Explicit Consent.
We will keep a formal request record for when consent is obtained. The Company has a legal obligation to demonstrate compliance with the Consent requirements and these records are one way of ensuring we do this.
Transparency
The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects. The information must be concise, transparent, intelligible, easily accessible, and in clear and plain language. This is to ensure that the Data Subject can easily understand the information. The types of information the Company must provide to Data Subjects depends on whether the Personal Data was received directly from the Data Subjects or from elsewhere (e.g. from a third party).
Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes we provide the Data Subject with all the information required by GDPR. This information includes identifying the Data Controller, Data Processor, the Responsible Person and stating how and why we will use, process, disclose, protect and retain their Personal Data. We do this by providing the Data Subject with a Privacy Notice when they first provide us with their Personal Data.
For Company Personnel, full information is contained in the Company's contracts of employment and in the Company's Employee Handbook. For customers, suppliers, contractors and third parties, we provide the relevant information in the form of a Privacy Notice or Privacy Policy.
When Personal Data is collected indirectly (for example, from a third party or publicly available source), we will provide the Data Subject with all the information required by GDPR as soon as possible after collecting/receiving the data. In practice, this means sending them a copy or link to our relevant Privacy Policy. We will check that the Personal Data was collected by the third party in accordance with GDPR. Part of this is ensuring that the Personal Data was collected in contemplation of our proposed Processing of the Personal Data, i.e. it cannot have been collected for another reason and re-purposed without the approval of the Data Subjects.
Purpose Limitation
Personal Data will be collected only for specified, explicit and legitimate purposes. These purposes are typically set out in our Privacy Policy (for customers and third parties) and in the Company's employment contracts and Employee Handbook (for Company Personnel). If Processing needs to be carried out for a purpose not identified in (as applicable) our Privacy Policy, Company contracts or Employee Handbook then we will send a separate notice to the Data Subject.
As a rule, Personal Data will not be Processed in any way which is incompatible with the purpose or purposes which we have told the Data Subject about. If we want to use somebody's Personal Data for a purpose which is new, different or incompatible with the purposes we previously stated to the Data Subject then we will inform the Data Subject before we carry out that Processing. Additionally, if we are processing the Personal Data based on Consent then we will refresh that Consent.
Data Minimisation
Personal Data must be adequate, relevant and limited to what is necessary to carry out the Processing activities for which it was collected. Personal Data will only be Processed by Beyond Encryption employees whose professional duties require it. The information collected will not exceed the minimum required to carry out the required Processing activities. Employees will ensure that all collected Personal Data is adequate and relevant for its intended purpose or purposes.
We will also ensure that when Personal Data is no longer needed for specified purposes, it is deleted. This will be done in accordance with the data retention policy published by the Company.
Accuracy
We will make every effort to ensure that the Personal Data we collect, hold and Process is accurate and kept up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data (subject to the Company's retention policy, for example where out-of-date Personal Data may need to be kept longer for legal reasons).
Storage Limitation
Personal Data will not be kept for longer than is necessary for the purposes for which the data is processed. The exception to this is where the data is properly anonymised so that the Data Subject is no longer identifiable.
We will not keep Personal Data in a form which permits the identification of the Data Subject for longer than is needed for the legitimate business purpose or purposes for which we originally collected it (including for satisfying any legal, accounting or reporting requirements).
The Company maintains data retention policies and procedures to ensure that Personal Data is deleted after a reasonable time has elapsed, depending on the purpose for which it was being held. These retention periods are subject to any lawful requirement that the Company keep the data for a longer period.
We will take all reasonable steps to destroy or erase from the Company's systems all Personal Data that we no longer require, when the retention period has been reached and there is no justifiable reason (such as a legal obligation) to keep the information for a longer period. This includes requiring third parties (such as external hosting providers) to delete such data where applicable.
We will ensure Data Subjects are informed of the period for which data is stored and how that period is determined. This is set out in our Privacy Policy (for customers and third parties).
Security, Integrity and Confidentiality
Protecting Personal Data
All Personal Data will be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
We will develop, implement and maintain safeguards appropriate to our size and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and the risks we have identified. These include the use of encryption and Pseudonymisation where applicable. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
All Company Personnel are responsible for protecting the Personal Data we hold. They are required to implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. They are required to exercise care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
It is a requirement that all Beyond Encryption employees follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a third-party service provider who has agreed to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
Reporting a Personal Data Breach
As part of our compliance with the GDPR we keep an internal record of all Personal Data Breaches, whether or not they are notifiable. We will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of a Personal Data Breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects. Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, we will also notify the affected Data Subjects without undue delay.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
Transfer Limitation
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined by the weaker laws of other countries; the UK GDPR applies the same restriction to transfers out of the UK. Personal Data originating in one country is considered to be transferred across borders (and therefore potentially outside the EEA, if the receiving country is not in the EEA) when it is transmitted, sent, viewed or accessed in or from a different country.
We will only transfer Personal Data outside the EEA if one of the following conditions applies:
- the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms.
- appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism.
- the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
- the transfer is necessary for one of the other reasons set out in the GDPR, including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or, in some limited cases, for our legitimate interest.
Data Subjects’ Rights and Requests
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
- withdraw Consent to Processing at any time (see 'Consent' above);
- receive certain information about the Data Controller's Processing activities;
- request access to their Personal Data that we hold (known as a 'Subject Access Request');
- prevent our use of their Personal Data for direct marketing purposes;
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on Automated Processing, including profiling;
- prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority;
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
We will request all necessary information to enable us to verify the identity of any individual making a request under the rights listed above. Personal Data will not be disclosed to any third party without appropriate authorisation.
Any request from a Data Subject, including a Subject Access Request ('SAR'), should be directed to the Responsible Person. Requests will be processed without undue delay and, in any event, within the statutory period of one month (extendable by up to two further months where requests are complex or numerous).
Accountability
The Company implements appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Company is responsible for, and is able to demonstrate, compliance with the data protection principles.
The Company has adequate resources and controls in place to ensure and to document GDPR compliance including:
- identifying a suitably qualified Responsible Person (where necessary) as an executive accountable for data privacy;
- implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
- integrating data protection into internal documents including this Policy and Privacy and Cookie Policies;
- regularly training Company Personnel on the GDPR, this Policy and data protection matters including, for example, Data Subjects' rights, Consent, legal bases, DPIAs and Personal Data Breaches. The Company maintains a record of training attendance by Company Personnel;
- regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
Record Keeping
To meet the requirements of GDPR, Beyond Encryption will keep full and accurate records of all of our data Processing activities.
The Company's records include, at a minimum, the name and contact details of the Data Controller and the Responsible Person, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data's retention period and a description of the security measures in place. To create such records, data maps have been created which should include the detail set out above together with appropriate data flows. The Responsible Person shall coordinate the maintenance of these records.
Privacy by Design and Data Protection Impact Assessment (DPIA)
We implement Privacy by Design measures when Processing Personal Data. This involves implementing appropriate technical and organisational measures (like Pseudonymisation) to ensure compliance with data privacy principles.
Data Protection Impact Assessments (DPIA) when implementing new systems
We will conduct a DPIA when implementing any changes to programs or business processes which involve the Processing of Personal Data. These can include:
- use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- automated Processing including profiling and ADM;
- large scale Processing of Sensitive Data.
Direct Marketing
As indicated in the Consent section of this document, a Data Subject's prior consent is generally required for electronic direct marketing (for example, by email, text or automated calls); these rules come from the Privacy and Electronic Communications Regulations (PECR) and apply alongside the GDPR. The limited exception for existing customers, known as the 'soft opt-in', allows us to send marketing texts or emails if we obtained the contact details in the course of a sale (or negotiations for a sale) to that person, we are marketing our own similar products or services, and we gave the person an opportunity to opt out of marketing when we first collected the details and in every subsequent message.
For Data Subjects who sign up for or buy any of our products or services, we will send them information about those products and services. This includes communications relevant to the registration or account management process, use of the service, and information about service updates, faults or changes to our Terms and Conditions. These are service messages which we are legally obliged to send, not marketing, and opting out of them is not possible.
All Data Subjects will be explicitly offered the right to object to direct marketing in an intelligible manner so that it is clearly distinguishable from other information.
A Data Subject's objection to direct marketing will be promptly processed and followed. If a customer opts out at any time, their details will be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future (e.g. that person's email address or telephone number is kept on a 'do not call' list which is checked against the Company's marketing database).
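The suppression mechanism described above, as an added example that is not the Company's own code. It assumes that the 'do not contact' list holds only a keyed token of the normalised contact detail rather than the address or number itself (a design choice for the example that keeps the retained information to the minimum), and that phone numbers are UK numbers, so a leading 0 can be rewritten as 44. The marketing database and the opt-outs are constructed.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional


def normalise_email(addr: str) -> str:
    """Trim and lower-case, so 'Bob@Example.COM ' and 'bob@example.com' compare equal."""
    return addr.strip().lower()


def normalise_phone(number: str) -> str:
    """Digits only. Assumption for this example: UK numbers, so a leading 0 (or a
    '44 (0)' prefix) becomes 44, making '07700 900123' equal '+44 7700 900123'."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    elif digits.startswith("440"):
        digits = "44" + digits[3:]
    return digits


class SuppressionList:
    """A 'do not contact' list that stores only keyed tokens of contact details,
    so the list itself retains just enough to honour an objection in future."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens: set = set()

    def _token(self, kind: str, value: str) -> str:
        # Domain-separate e-mail and phone tokens so the two kinds can never collide.
        return hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()

    def suppress(self, email: Optional[str] = None, phone: Optional[str] = None) -> None:
        """Record an objection to direct marketing for the given contact details."""
        if email:
            self._tokens.add(self._token("email", normalise_email(email)))
        if phone:
            self._tokens.add(self._token("phone", normalise_phone(phone)))

    def is_suppressed(self, email: Optional[str] = None, phone: Optional[str] = None) -> bool:
        """True if any supplied contact detail matches a recorded objection."""
        if email and self._token("email", normalise_email(email)) in self._tokens:
            return True
        if phone and self._token("phone", normalise_phone(phone)) in self._tokens:
            return True
        return False

    def filter_recipients(self, contacts: Iterable[dict]) -> list:
        """Check a marketing list against the suppression list before any send."""
        return [c for c in contacts if not self.is_suppressed(c.get("email"), c.get("phone"))]


# Constructed marketing database (hypothetical contacts; 07700 900xxx is a reserved test range).
MARKETING_DB = [
    {"id": 1, "email": "bob@example.com", "phone": "+44 7700 900123"},
    {"id": 2, "email": "carol@example.com", "phone": None},
    {"id": 3, "email": "dave@example.com", "phone": "+44 7700 900456"},
]


def demo() -> list:
    """Bob opts out by e-mail (odd casing and whitespace), Dave by phone (national format);
    returns the ids that may still be marketed to."""
    suppression = SuppressionList(key=b"example-suppression-key-not-for-production")
    suppression.suppress(email="  Bob@Example.COM ")
    suppression.suppress(phone="07700 900456")
    return [c["id"] for c in suppression.filter_recipients(MARKETING_DB)]


if __name__ == "__main__":
    print(demo())
```

Normalisation before tokenising is what makes the check reliable: an objection recorded from one spelling of an address must still match the spelling held in the marketing database, otherwise the opt-out is silently ignored.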
Sharing Personal Data
Generally, we will not share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
Company Personnel may only share the Personal Data we hold with third parties, such as our service providers, if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross border transfer restrictions;
- a fully executed written contract containing the data protection clauses required by the GDPR (Article 28 for processors) has been obtained.
We reserve the right to change this Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Policy.
This Policy does not override any applicable data privacy laws and regulations in the UK.