The introduction of the EU General Data Protection Regulation (2016) is an evolution rather than a revolution for SGSA Limited because we are already fully compliant with the UK Data Protection Act 1988. The most significant change for us is to be more transparent about how SGSA:
- Collects, uses and shares your personal data (‘data records’).
- Adheres to your (‘data subject’) rights under the regulation.
- Protects your data and manages data breaches.
According to the European Commission, ‘personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address’.
The personal data records at SGSA are limited to your name, contact details, job title, current and previous employers, SGSA classes and/or events that you have attended, feedback from your attendance at our classes and events, examination results, the person that you report to and a history of the interactions and correspondence that we have had with you. We sometimes take photographs of students and delegates attending SGSA classes and events. We might, if you have voluntarily provided them to us, store your home address, telephone number and other non-sensitive personal details. Your IP address is captured whenever you submit a form from the SGSA website. Your employer may provide us with your name, job title and contact details so that we can enrol you on an SGSA class or event.
Data Subjects and Data Records
For simplicity, we group the people that we interact with into the following two categories of data subjects:
- Students, delegates and employees of our business and prospective business customers, suppliers and partners.
- SGSA employees and subcontractors.
All our processing of personal data is covered by one of the GDPR lawful bases: freely given consent (Article 7), performance of a contract, legitimate business interest (Article 6(1)) or compliance with a legal obligation. The data that we process in an employment context is subject to individual country regulations (Article 2(2)(a) of the GDPR). The nature of SGSA business means that the lawful bases of processing personal data to protect vital interests, perform tasks in the public interest or process data related to criminal offences do not apply.
The data records that we have for each category of data subject, why we keep these records, how we use them and which of the eight lawful bases applies to us keeping that data record, as required by Article 15(1)(b) of the GDPR, will be provided on request. The nature of SGSA business means that we do not encounter personal data that is sensitive, as defined in Article 6, or that is considered as a special category, as defined in Article 9.
Freely Given Consent
SGSA may contact you by post, e-mail, telephone and/or social media. The methods we use to contact you are governed by you. You may opt in, opt out or modify your preferences by completing and submitting the form on our website or by emailing our Data Protection Officer.
Performance of a Contract
Students and delegates attending classes and events delivered by SGSA do so subject to our standard terms and conditions. These terms and conditions state that SGSA may take photographs of students and delegates during the classes and events for marketing purposes and that these images may be published on our website and via social media without seeking your consent.
However, if you appear in a published photograph and do not wish to do so, then please submit your request to our Data Protection Officer. We will either remove the photograph or edit the image to blur your face beyond recognition at our discretion.
SGSA emails students and delegates before and after the classes and events that they are enrolled in. These emails need to be sent to all students and delegates even if they have unsubscribed from marketing emails so that they can be informed of the dates, locations and other pertinent information for their class or event.
Legitimate Business Interest
Within the GDPR there is a distinct difference between B2C and B2B marketing for the lawful basis of legitimate business interest. Recital 47 of the GDPR states that ‘The processing must relate to the legitimate interests of your business or a specified third party, providing that the interests or fundamental rights of the data subject do not override the business’ legitimate interest’ and ‘the processing must be necessary to achieve the legitimate interests of the organisation’.
SGSA does not engage in B2C marketing.
Compliance with a Legal Obligation
Certain SGSA employee data records are collected and used to ensure compliance with legal obligations, for example, dates of employment and tax deductions.
Data Protection Officer
The SGSA Data Protection Officer is Steve Brand. Given the myriad governance and human factor issues that need to be addressed to ensure compliance with the GDPR, our Data Protection Officer is supported by Forum Business Media Limited. This company provides us with expert assistance and effectively acts as our ‘mini-regulator’.
Our Data Protection Officer can be contacted by telephone on +44 (845) 330-6457 or by email at firstname.lastname@example.org. Alternatively, you can write to the Data Protection Officer at:
5 Roundwood Lane
Hertfordshire AL5 3BW
Fundamental Rights of the Data Subject
GDPR provides data subjects with eight fundamental rights. These rights and how SGSA meets the requirements of these rights are as follows:
- The Right to be Informed (Articles 13 and 14) gives individuals the right to be informed about the collection and use of their personal data; how we process your personal data, our retention periods for your personal data, and who we share your personal data with. The data records that SGSA has for each category of data subject, why we keep these records, how we use them and which of the eight lawful bases applies to us keeping that data record, as required by Article 15(1)(b) of the GDPR, will be provided on request.
- The Right of Access (Article 15) gives individuals the right to access their personal data and information about how this personal data is being processed. A list of the data records that we have for people can be downloaded here and this list includes how we obtain the information, how we process the information and whom we share the information with. On request, SGSA will provide you with a copy of all data records related to you.
- The Right to Data Portability is provided by Article 20 of the GDPR and gives individuals the right to copies of their personal data in a structured and commonly used standard electronic format. This includes data being ‘provided’ by the data subject and data being ‘observed’, for example, a test result. On request, SGSA will provide you with your data records as Microsoft Word, Microsoft Excel or Adobe PDF formatted files, depending on which format is most appropriate for the data record.
- The Right to Rectification (Article 16) gives individuals the right to request modification of their personal data. Keeping data records accurate is a challenge for any organisation and SGSA welcomes your help in keeping your personal data records up to date. Please contact us if your details change and we will update your records.
- The Right to Erasure (Article 17) gives individuals the right to request erasure of personal data related to them on several grounds, including non-compliance with Article 6(1) (lawfulness) where the legitimate interests of the business are overridden by the fundamental rights of the data subject, which require protection of personal data. SGSA will permanently delete all or some of your data records on request. Employee data records that are required for our compliance with legal obligations cannot be erased.
- The Right to Restrict Processing (Article 18) gives individuals the right to limit the way that an organisation uses their data. SGSA may process your personal data for marketing purposes, for example, publishing your course evaluation feedback on our website or in social media. Note that since 2013, SGSA has notified students and delegates of our intention to publish their comments before publication and asked to be informed if this was unacceptable. Please contact us if you wish to restrict SGSA from processing your data.
- The Right to Object (Article 21) gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. SGSA provides our customers with the ability to opt out of receiving marketing emails, telephone calls and letters. Your preferences can be changed on request or via the SGSA website at https://www.sgsa.com/marketing. All marketing emails sent to you contain a hyperlink to this page.
- The rights related to automated decision making including profiling (Article 22) do not apply to SGSA because human intervention is required for all processing of personal data.
Data Protection by Design and by Default
Data protection by design and by default (Article 25) requires data protection to be designed into the development of business processes for products and services.
SGSA has implemented technical and procedural measures to ensure that the processing of data records, throughout the whole processing lifecycle, complies with the regulation. Our Data Protection Officer has also implemented mechanisms to ensure that personal data is not processed unless necessary for each specific purpose. For example, we may select you for an email marketing campaign if you have attended a specific SGSA class or if your job title contains the word ‘manager’. This allows us to reduce the number of emails that we send you by only including you in marketing campaigns where we believe the content is relevant based on our data records of you.
Data privacy assessments are conducted by our Data Protection Officer for new internal projects, marketing campaigns and uses of technology.
In addition to meeting the GDPR requirements, SGSA respects your privacy by:
- Not sending you more than two marketing emails per calendar month.
- Not recording telephone conversations or using CCTV.
- Not using cookies on our website.
- Not writing down or storing any debit/credit card information.
- Not purchasing data records from third party companies.
- Not selling data records to third party companies.
We may share selected data records with our suppliers that require those data records for a legitimate business interest and where those data records have been collected in the performance of a contract. This would include, for example, examination results and course evaluation forms completed by you that relate to the classes owned by that supplier. These suppliers may reside outside of the EU.
Records of Processing Activity
The processes and technology in use at SGSA ensure that all processing activity of personal data is automatically recorded at the time of processing.
SGSA has comprehensive records of the dates and times for all emails sent and received (and all significant inbound and outbound telephone calls) since 2008. On request, we can provide you with a list of every marketing campaign email that you have been included on and the content of that email. We never record telephone conversations, but we do keep brief notes on what was discussed.
Under the GDPR, we have a legal obligation to notify the Information Commissioner’s Office without undue delay if a data breach is likely to result in a risk to the rights and freedoms of the individuals. There is a maximum of 72 hours after becoming aware of the data breach to make the report (Article 33). Individuals must be notified if adverse impact is determined (Article 34).
The SGSA data breach procedure contains the following documentation:
- Risk Register.
- Incident Management Policy.
- Incident Management Process.
- Incident Severity Assessment.
- Incident Report Template (Internal).
- Incident Report Template (External).
- Data Breach Log.
The internal Incident Report Template is used when a data breach is unlikely to result in a risk to the rights and freedoms of the individuals. The external Incident Report Template is used to report a data breach to the supervisory authority.
Data Retention Policy
SGSA will erase data records that are obsolete. We define obsolescence as data that has not been processed in thirty years.
Your personal data may be stored in a European instance of salesforce.com or on our dedicated network server hosted in a secure data centre in Gravelines, France. Our network server can only be accessed from SGSA owned devices and via our virtual private network (VPN). SGSA employees may have copies of salesforce.com data records on the personal computers and smartphones that are provided to them by SGSA. Data records on these devices are automatically synchronised with salesforce.com to ensure that all additions, modifications and deletions to data records are replicated across the business in near-to-real time.
SGSA does not permit employees to connect their own devices to our network or to access salesforce.com from non-SGSA owned devices. Access to salesforce.com requires two-factor verification and a secured communication link.
SGSA employees are responsible for ensuring that the automatic updates to Microsoft Windows, Microsoft Office 365, Norton Internet Security, Apple iOS and other software programs and applications on their SGSA devices are applied.
SGSA Employees and Subcontractors
Our compliance with GDPR depends on our people. Our Data Protection Officer is responsible for verifying the identity of everyone who conducts business on behalf of SGSA and for deciding which employees and subcontractors should have access to personal data.
All employees and subcontractors with access to personal data receive training in GDPR awareness, the rights of data subjects and how to identify and report data breaches, for example, a stolen smartphone or marketing emails mistakenly sent to an incorrect group of individuals. People with access to personal data are empowered to act on your fundamental rights under the GDPR when you request it. Additions, modifications and deletions of all data records in salesforce.com are automatically recorded for audit purposes.