Data protection policy

Policy & compliance statement

10 Degrees is committed to compliance with the GDPR legal requirements. This statement outlines the enhanced requirements that 10 Degrees must adhere to and our implemented/planned approach to ensuring compliance obligations are met.

Overview

The General Data Protection Regulation (GDPR) is a new set of legal requirements by which the European Commission intends to strengthen and unify data protection for individuals. From 25th May 2018, it affects every organisation that processes EU residents' personally identifiable information (PII), and such organisations will need to abide by a number of provisions.

The data protection principles, as set out in the Data Protection Act (DPA), remain, but they have been condensed into six principles as opposed to eight. Article 5 of the GDPR states that personal data must be:

GDPR policy statement

10 Degrees is required to collect personal information to carry out our everyday business functions and services effectively and compliantly. Such data is collected from employees, clients and suppliers, and includes (but is not limited to) name, address, email, date of birth, identification numbers, bank details and other confidential information.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations. In all cases we are committed to collecting, processing, storing and destroying information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and specific data protection codes of conduct.

10 Degrees has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the GDPR and its principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and safety of personal and/or special category data belonging to the individuals with whom we deal is paramount to our company ethos.

We are proud to operate a ‘Privacy by Design’ approach and aim to be proactive, not reactive: assessing changes and their impact from the start, and designing systems and processes that protect personal information at the core of our business.

Review

This policy is to be fully reviewed annually or following the release of further official guidance.

Compliance statement

10 Degrees processes personal data on behalf of our Clients (the data controller). This personal data includes:

A full list of specific database fields is available upon request.

Lawful basis for processing

GDPR requires that there is a valid lawful basis in order to process personal data.

Processing our clients’ personal data is necessary for the fulfilment of the contractual requirements between the supplier and the client, and as such does not require separate explicit consent.

Our standard terms and conditions of business will apply to all service provisions by 10 Degrees, unless superseded by a client specific contract.

Individual rights

Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data.

We endeavour to provide such privacy information at the point of collection, and additional information can be given upon request.

Right to access

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

10 Degrees will only supply information directly to the individual to whom the data relates. Any other direct request will be referred back to the Data Controller, so that an authorised and verified representative can formally request, in writing, the action to be taken.

Information will be processed and returned promptly, for issue within the statutory one-month timeframe.

A fee must not be charged to the individual; to support this, 10 Degrees will not levy a fee for processing such requests in standard circumstances.

Right to rectification

GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.

Should 10 Degrees receive direct notification in this circumstance, the same procedure as Right to Access listed above will apply. Only changes as formally notified by an authorised and verified representative of the Data Controller are to be implemented.

Right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data.

Should 10 Degrees receive direct notification in this circumstance, the same procedure as Right to Access listed above will apply. Only changes as formally notified by an authorised and verified representative of the Data Controller are to be implemented.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Client requests to transfer data to alternate systems can be processed by individual arrangement.

Right to object

The right to object to the processing of data would typically not be applicable where contractual fulfilment is the lawful basis of processing. Any directly received objections, complaints, concerns or feedback will be reviewed on an individual basis.

The rights relating to automated decision-making and profiling are not applicable to 10 Degrees activities, as no automated decision-making or profiling process is involved.

Accountability and governance

Documentation

GDPR contains explicit provisions about documenting processing activities.

10 Degrees will require written confirmation of instructions for all processing activities, in order to ensure documented traceability of instructions from any data controller.

Other key documented information supporting compliance with the requirements includes:

Data protection by design and default

Under the GDPR, there is a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

The GDPR requirements sit within the broader subject of Information Security Management (ISM), which 10 Degrees regards as a critical part of its business operations.

Data protection impact assessments

As part of our commitment to information security management, a full risk register will be compiled to ensure we have identified and assessed any threats to the confidentiality, integrity or availability of all information held (electronic and hard copy).

Codes of conduct and certification

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

As general and industry-specific codes are released, they will be reviewed for suitability by top management and, where adopted, communicated across the organisation and to our stakeholders.

Security

GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

This general requirement is incorporated within our management systems and operational processes.

International transfers

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Adequate safeguards

You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Data breaches

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority and, in some cases, directly to the individuals affected.

Any identified breach must be escalated immediately to a 10 Degrees Director for a full investigation. Staff are trained in this process to understand what constitutes a breach, and how to report it.

Personal data breaches can include:

At this stage, the resulting risk to individuals will be assessed and the necessary action plan created, including notification (Client, Individuals, ICO), mitigating actions, and corrective actions to prevent recurrence.

A 10 Degrees director is to report any breach involving a Client’s personal data as soon as possible (within 24 hours) after the event has been confirmed.

Where a defined notifiable breach has occurred, the Client (controller) must report it to the ICO within 72 hours of being made aware. 10 Degrees will support the Client in gathering the necessary information and in notifying individuals where required.