GDPR & Data Protection Policy
In this policy “Wildish & Co” means one or all of Wildish & Co Limited; and “worker” means a Wildish & Co temporary or permanent employee or a person who while not employed by Wildish & Co provides services to Wildish & Co as an employee of an agency or as a consultant, and “customer” means an entity that has commissioned a schedule of service with Wildish & Co Limited.
Wildish & Co holds certain information about individuals which is defined as Personal Data under the General Data Protection Regulation (“GDPR”). Wildish & Co recognises the importance of the correct and lawful treatment of Personal Data. For the purpose of the GDPR Act, the data controller for Personal Data processed by Wildish & Co can be one, several or all of Wildish & Co.
Data Protection Principles
Wildish & Co fully endorses and adheres to the principles of GDPR. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of Personal Data. Workers and any others who obtain, handle, process, transport and store Personal Data for Wildish & Co must adhere to these principles. The principles are as follows;
Lawfulness, fairness and transparency
Wildish & Co will (in plain English) inform the subject what data processing will be actioned, and the purpose of processing. The data that is processed must match up with how it has been described. The processing of data must meet the level of compliance as outlined in GDPR.
Personal data will only be obtained for specified, explicit and legitimate purposes. The data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
Integrity and confidentiality
Data should be handled in a manner that ensures appropriate security and confidentiality of the personal data including protection against unlawful processing or accidental loss, destruction or damage.
Satisfaction of Principles
In order to meet the requirements of the principles, Wildish & Co will:
- Observe fully, and review the conditions regarding the processing and control of personal data.
- Collect and process appropriate Personal Data only to the extent that it is needed to fulfil operational or any legal requirements.
- Apply regular reviews to determine the length of time Personal Data is held and for what purpose.
- Take the appropriate technical and organisational security measures to safeguard personal data.
- Ensure that Personal Data is not transferred abroad without suitable safeguards.
- Review and update our data-mapping to highlight data controllers and data processors.
- Regularly review and update the documented processes to deal with data subject rights, this includes; individuals’ requests to access, amend or delete their personal data or object to data processing within the new timeframes.
- Regularly review and update our data breach notification procedure to detect report and investigate a personal data breach.
- Ensure our Data Protection Impact Assessment process is in line with GDPR.
- Regularly review and update our compliance audits or reviews in order to identify and rectify issues.
Wildish & Co. enforces the following protocol which includes the implementation and maintenance of a comprehensive information security program that details administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Confidential Information and Data and to protect against unauthorised access, use, disclosure, alteration or destruction of Confidential Information and Data. The Information Security Program shall include, but not be limited to, the following safeguards where appropriate:
(a) Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorised persons; (ii) to ensure that all members of its workforce who require access to Confidential Information or Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorised individuals and to prevent members of its workforce from providing Confidential Information or Data unauthorised individuals; and (iv) to encrypt and decrypt Confidential Information and Data where appropriate;
(b) Security Awareness and Training – a security awareness and training program for members of Wildish & Co’s workforce providing Services hereunder, which includes training on how to implement and comply with its Information Security Program;
(c) Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Confidential Information or Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes;
(d) Contingency Planning – policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages
Confidential Information or Data (or systems containing Confidential Information or Data), including a data backup plan and a disaster recovery plan;
(e) Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Confidential Information and Data and protect it from disclosure, improper alteration, or destruction;
(f) Storage and Transmission Security – technical security measures to guard against unauthorised access to Confidential Information and Data that is being transmitted over an electronic communications network, which may include a mechanism to encrypt Confidential Information and Data in electronic form while in transit over public networks or systems to which unauthorised individuals may have access;
(g) Testing – Regular testing of the key controls, systems and procedures of the Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed in accordance with its internal policies and procedures by internal auditors, independent third parties or staff independent of those that develop or maintain the security programs.
Data processing and data control
For Wildish & Co
Wildish & Co may process and control data related to any business or other activity carried out by Wildish & Co, or deciding whether to accept any person as a customer or supplier, or for retaining records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by Wildish & Co or to Wildish & Co in respect of those transactions, or for the purpose of making financial or management forecasts to assist Wildish & Co in the conduct of any such business or activity.
Wildish & Co may act as “data processor” and data controller” disclosing workers’ personal information with organisations which provide administration and management services. In this scenario, Wildish & Co will only disclose workers’ information to Wildish & Co’s service providers and agents for these purposes.
Wildish & Co may disclose workers’ personal information to third parties in the event that Wildish & Co sells or buys any business or assets, in which case Wildish & Co may disclose workers’ Personal Data to the prospective seller or buyer of such business or assets. Or, if Wildish & Co is under a duty to disclose or share workers’ Personal Data in order to comply with any legal obligation.
Wildish & Co may act as “data processor” only on instructions from the customer as “data controller” in relation to the processing of “personal data” carried out on behalf of the customer and shall take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction.
Depending on the services that have been provided, Wildish & Co may process data such as name, email address, postal address, telephone number and financial details, where they received the data from when they received the data, and who they share the data with.
Wildish & Co may disclose customer data to third parties if the data is required to provide a service that has been requested and authorised by a customer for the provision of services. Or, if Wildish & Co is under a duty to disclose or share customer data in order to comply with any legal obligation.
The data we collect allows our business, our workers, and customers’ services to operate. Both custom and 3rd party components may be used as part of the services provided. These services may include communication, document sharing, support, payments, marketing, and analytics. In order to operate and provide a service to our customers we may use the following 3rd party software:
To provide a service
- Amazon Web Services or BlueHost, for hosting and storage of data.
- ActiveCampaign, MailChimp to send emails.
- Google Analytics and Hotjar, to track user behaviour.
- Dropbox For Business for file storage.
- Sage Accounting, for accounting and billing.
- PipeDrive, for Customer Relationship Management.
- Google, for email, and contractual or planning information.
- Skype, for internal communications.
- Trello and Monday.com for project management.
We do not provide data to advertising agencies, or to other parties for similar, unconnected purposes.
GDPR gives all subjects including workers and customers the right to access information held about each of them. We have created a support line for all customers should they wish to access their personal data, requests can be made by contacting Wildish & Co on firstname.lastname@example.org. Requests will be subject to our vetting service to ensure that the request is legitimate. Once approved data will be supplied within 28 days of a request and supplied in a common format such as a CSV to allow for transit and accessibility. Any access request may be subject to a fee to meet Wildish & Co’s costs in providing a data subject/worker/customer with details of the information Wildish & Co holds about that data subject/worker/customer.
We use Amazon Web Services (AWS) and a number of component services and providers in order for some of our customer’s services to operate. The majority of our processing is carried out on servers that are located in the European Economic Area (EEA). At the request of a customer, we may use other carefully chosen suppliers and providers to perform other discrete tasks which may result in data being transferred outside of the EEA.
In handling data, we follow best practices which include:
- Using encryption to communicate between users and ourselves.
- Restricting and logging those who have access to the data we hold.
- Not moving data from production to test environments.
Data security and monitoring
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage and that both access and disclosure must be restricted. All workers are responsible for ensuring that any Personal Data which they hold is kept securely; Personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party.
Customers shall only access the Data in any way such that they cannot and do not see any other data hosted or managed by Wildish & Co to maintain the confidentiality of the data hosted or managed. Wildish & Co shall as soon as practicable inform the Customer of any notice or communication concerning data protection legal obligations received from any person (including any data subject or caller) or any regulatory authority (including the UK’s Information Commissioner) concerning the provision of the
Service to the Customer and co-operate fully (at the Customer’s cost) with the Customer in relation to all relevant matters concerning data protection requirements in connection with the Service.
Both workers and customers must regularly check that any Personal Data that they provide to Wildish & Co is accurate and up to date, and inform Wildish & Co of any changes to information which they have provided, e.g. changes of address; If, as part of their responsibilities, Wildish & Co workers collect information about other people, they must comply with this Policy.
Retaining personal data
The data we process and control on behalf of our customers’ are retained for as long as it is required for a service to be provided, as the data allows our customers’ services to operate.
The data we collect on behalf of Wildish & Co is held to up to a maximum of six years from the date it was submitted. The data is reviewed on an annual basis and action taken should it be required. In order to operate and provide a service to our customers we may use the following 3rd party software:
For marketing purposes:
- Pipedrive, for Customer Relationship Management.
- ActiveCampaign and MailChimp, for newsletter services.
- Google Analytics, for campaign tracking.
Last updated 28th May 2019