Introduction
At Boxxstep we take our responsibilities under the General Data Protection Regulation (GDPR) and the UK`s Data Protection Act (DPA) very serious. This policy sets out how personal data is managed and dealt with in order to ensure that the obligation to fulfil individuals’ reasonable expectations of privacy is applied and followed and that the responsibilities established under the GDPR and DPA are complied with.
Rationale
Boxxstep acquires, uses, stores and otherwise processes personal data relating to potential and current clients and customers, current and potential and former employees and contractors, website users and contacts, and collectively refers to those individuals in this policy as data subjects. Likewise, no distinction is made between the rights of data subjects, and all are treated equally under this policy.
Our Role
During the course of you using our services we are processing and only insofar as this is necessary for our services the following categories of personal data: First Name, Last Name, Contact Data, Payment Data, and Contract Data.
Boxxstep will process personal data to the extent permitted by law, for example, in the course of providing our services or to comply with our legal obligations. We may also use personal data for the following purposes: Managing and planning operational processes and Contractual Data Processing for Payment and Administrative Purposes. The personal data you provide is collected and processed for the purpose of fulfilling a contract, our legal obligations, protecting vital interests. The legal basis for the processing of your data is, in addition to Art. 6 Para. 1 lit. b), c), d) and e), and Article 9 Para. 2 lit. c), h) GDPR, if necessary.
Purpose of the policy
This policy seeks to ensure that Boxxstep is:
· clear about how personal data must be processed;
· complying with the General Data Protection Regulation (GDPR) and with good practice;
· protecting the personal data entrusted to us and that it is processed in accordance with data subjects’ rights;
· protecting itself from risks of personal data breaches and breaches of data protection laws;
Scope
The policy covers both personal and special category personal data held by Boxxstep in relation to data subjects. The policy applies equally to personal data held in print and digital form. All employees and others processing personal data on behalf of Boxxstep must read it and a failure to comply may result in disciplinary action. All managerial and executive staff is responsible for ensuring that their subordinated staff is complying with this policy and should implement appropriate practices, processes, controls and training accordingly.
Data Protection Manager
Boxxstep`s Data Protection Manager (DPM) is Kevin Dixon and can be reached at [email protected]
Data protection principles
Boxxstep is responsible for, and must be able to demonstrate compliance with the data protection principles set out in the GDPR and DPA and all personal data must be:
· processed lawfully, fairly and in a transparent manner in relation to the data subject;
· collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject.
· adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
· accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed is erased or rectified without delay;
· kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
· processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
Data Subjects’ Rights
the GDPR and DPA grant several rights to data subjects and how their data is handled. These include the following:
· the right to be informed;
· the right of access;
· the right of rectification;
· the right to erasure (the “right to be forgotten”);
· the right to restrict processing;
· the right to data portability;
· the right to object;
· rights with respect to automated decision-making and profiling;
· the right to withdraw consent;
· to be notified of a data breach which is likely to result in high risk to their rights and freedoms; and
· to make a complaint to the The Information Commissioner`s Office.
Boxxstep requires the verification of the identity of an individual requesting data under any of the rights listed. Requests made must be complied within one month of receipt and immediately forwarded to the DPM and are processed free of charge.
Accountability
Boxxstep must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles.
Boxxstep is responsible for and must be able to demonstrate compliance with the data protection principles. Consequently, adequate resources and controls to ensure and document GDPR and DPA compliance are put into place. Those are
· the appointment of a DPM;
· security and privacy measures when processing and handling data are implemented;
· a Data Protection Impact Assessment (DPIA) is carried out;
· policies and procedures for processing and handling data are implemented;
· Boxxstep staff is trained in accordance with the GDPR and DPA;
· security and privacy measures and processing and handling policies and procedures are reviewed and updated; and
· Audits and reviews are carried out regularly.
Responsibility
As the Data Controller, Boxxstep is responsible for establishing policies and procedures in order to comply with data protection law.
The DPM is responsible for:
· advising Boxxstep and its staff of its obligations under GDPR and DPA;
· monitoring that the GDPR and DPA and other relevant data protection laws are followed and applied;
· monitoring training and audit activities related to GDPR and DPA compliance;
· advice when requested and conduct data protection impact assessments;
· act as the contact point for the The Information Commissioner`s Office and data subjects; and
· oversee Boxxstep`s performance regarding risk deriving from processing operations, considering the nature, scope, context and purpose.
Staff members are responsible for:
Boxxstep`s staff members who processing personal data of employees, clients and or customers etc. Staff members must ensure that:
· all personal data is kept securely;
· no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
· personal Data is kept in accordance with Boxxstep`s retention schedule;
· queries concerning data protection, complaints and access requests are forwarded to the DPM immediately;
· data protection breaches are swiftly made known to the DPM and that support in resolving breaches is prioritised;
· any uncertainty about data protection is addressed to the DPM and without delay; and
· they are aware of the Data Protection principles and have read this Policy.
Third-Party Data Processors
Where Boxxstep is outsourcing or using external companies for the processing of personal data, the responsibility for the data remains with Boxxstep.
A third-party data processor must:
· provide sufficient guarantees about its data protection and security measures;
· agree to a written contract covering what personal data is processed and for what purpose; and
· agree to a written data processing agreement.
Data Security
We have a clear and specific objective to ensure that personal data is kept secure and up to date. In particular we have agreed to:
• comply with the legal requirements in the provision of services;
• process and use your data only to the extent strictly necessary to perform our obligations or as otherwise provided;
• only disclose your data to our employees and personnel that have a need to access your data;
• ensure that all such employees and personnel are bound by a confidentiality agreement;
• take all reasonable steps to ensure the reliability of all its employees and personnel who have access to your data;
• ensure that appropriate controls are in place to prevent access to special categories of Data, where relevant, except in circumstances expressly authorised; and
• implement, maintain and at all times operate adequate and appropriate technical and organisational measures to;
o protect the security, confidentiality, integrity, and availability of your data, and
o protect against unauthorised or unlawful processing of your data and against
o accidental loss, destruction or the making vulnerable of, or damage to, your data;
o such measures shall, at a minimum, meet
the requirements of Data Protection Law;
the standards required by all applicable accepted industry practices.
Data subject Access Requests
Data subjects have the right to receive a copy of their personal data which is held by Boxxstep. Likewise, an individual is entitled to receive further information about processing their personal data and in particular on:
· the purpose of processing;
· the categories of personal data being processed;
· the recipients of personal data;
· the retention periods;
· information about their rights;
· the relevant safeguards when personal data is transferred outside the EEA; and
· any third-party source of the personal data.
Do not share any personal data without proper authorisation. Do not alter, conceal block or destroy personal data after such request has been made. Contact the DPM before making any changes or replying to a Data subject Access Requests.
Reporting a personal data breach
The GDPR and DPA requires that Boxxstep reports any personal data breach to the The Information Commissioner`s Office if there is a risk or high risk to the rights and freedoms of the data subject. If you know or suspect a personal data breach inform the DPM immediately and follow the instructions set out in the data breach procedure.
Limitations on the transfer of personal data
At this stage, Boxxstep does not transfer personal data to countries outside the the UK or the EEA. However, if Boxxstep transfers personal data to countries outside the Economic European Area (EEA) then the following will apply. The transfer of personal data to a country outside the EEA, will only take place if one or more of the following applies:
· the European Commission confirmed that the particular country ensures an adequate level of protection for the data subjects’ rights and freedoms;
· the particular country provides appropriate safeguards such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism;
· the data subject has explicitly agreed to the transfer;
· the transfer is necessary for the performance of a contract between the data subject and Boxxstep; and
· the transfer is necessary for one of the other reasons set out in the GDPR and DPA including:
o the public interest;
o establish, exercise or defend legal claims;
o to protect the vital interests of the data subjects;
o if the data subject is physically or legally unable to give their consent;
Record Keeping
The GDPR and DPA requires Boxxstep to keep full and accurate records of all data processing activities. Keep and maintain accurate corporate records reflecting personal data processing, including Consent Form. Records should include, at a minimum, the name and contact details of the DPM, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.
Similar, records of personal data breaches must also be kept and cover the following:
· the facts surrounding the breach;
· its effects; and
· the remedial action taken;
Secure Deletion and Archiving of Personal Data
Personal Data must be deleted and stored using one of the following secure methods:
· Documents in electronic format must be deleted with a secure deletion utility and standard deletion utilities should not be used;
· Personal Data on hard drives, removable drives, storage devices or any similar item must be securely erased before any disposal or reassignment of the equipment;
· Personal Data that is Archived on hard drives, removable drives, storage devices or any similar item must be organised in an orderly and organised manner and encrypted using at least AES-256;
· Paper copies must be destroyed using cross-cut shredders; and
· The DPO must approve and record the destruction or deletion of personal data in the following manner [File Name- Date-Time]
Sensitive and Special Category data
Boxxstep is not routinely collecting Sensitive and Special Category data. If the processing of Sensitive and Special Category data during the course of the provision of services or employment becomes necessary, we will be subject to specific consents and processed under the required obligations deriving from DPA and GDPR.
Training and Audit
Boxxstep is required to ensure that all staff members are adequately trained and compliance with the GDPR and DPA is possible. We also regularly test our policies, systems, and processes to assess and ensure compliance.
Data privacy by design and default
Boxxstep has to ensure that by default only personal data which is necessary for each specific purpose is processed. The obligation applies:
· to the volume of personal data collected;
· the extent of the processing; and
· the period of storage and the accessibility of the personal data.
In particular, personal data should not be available to an indefinite number of persons, and you must ensure that you adhere to those measures.
Data Protection Impact Assessments (DPIAs)
Boxxstep must also conduct DPIAs in respect of high-risk processing before that processing is undertaken. Boxxstep`s DPM will conduct a DPIA when:
· new or changing technologies such as programs, systems or processes are introduced;
· automated processing including profiling takes place;
· sensitive and special category data is processed on a large scale; and
· systematic monitoring of a publicly accessible area on a large scale takes place.
A DPIA must include:
· a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
· an assessment of the necessity and proportionality of the processing in relation to its purpose;
· an assessment of the risk to individuals; and
· the risk-mitigation measures in place and demonstration of compliance.
Marketing
Boxxstep is subject to certain rules and privacy laws when marketing to our clients and customers. A data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information. A data subject’s request to object to direct marketing must be respected. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Access Control
Access to all information will be controlled and will be driven by business requirements. Access will be granted, or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.
A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed and will include consideration of multiple factors as appropriate.
Specific controls will be implemented for users with elevated privileges and leavers, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented, where practical.
Antivirus/Anti-malware Protection
All workstation and server-based assets used, whether connected to the Boxxstep network or as stand-alone units, must use Boxxstep approved antivirus/anti-malware protection software and configuration provided by the Boxxstep. The following procedures shall be followed:
· Virus protection software must not be disabled or bypassed;
· Settings for the virus protection software must not be altered in a manner that will reduce the software effectiveness;
· Automatic update frequency cannot be altered to reduce the frequency of updates;
· All servers attached to the Boxxstep network must utilise Boxxstep approved/standard virus protection software and setup to detect and clean viruses;
· All electronic mail gateways, devices, and servers must use Boxxstep approved e-mail virus/malware/spam protection software and must adhere to Boxxstep rules for the set-up and use of this software;
· Any threat that is not automatically cleaned, quarantined, and subsequently deleted by malware protection software constitutes a security incident and must be reported; and
· Antivirus/anti-malware signature updates shall occur on a frequency defined by Boxxstep but shall occur minimally once each calendar day.
Glossary of Terms
Automated Decision-Making (ADM)
When a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. the GDPR and DPA prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
Consent
An agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller
The person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the the GDPR and DPA. Boxxstep is the Data Controller of all personal data relating to it and used delivering education and training and all other purposes connected with it including business purposes.
Data Subject
A living identified or identifiable individual about whom we hold personal data.
Data Protection impact assessment (DPIA)
An assessment tool used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.
Data Protection Manager (DPM)
The person appointed as such under the GDPR and DPA and in accordance with its requirements. A DPM is responsible for advising Boxxstep on their obligations under Data Protection Law, for monitoring compliance with data protection law, as well as with polices, cooperating with the The Information Commissioner`s Office and acting as a point of contact.
Personal Data
Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Special category data
Special category data is personal data that needs more protection because it is sensitive. This may include personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, or data concerning health. In order to process special category data, we first need to obtain consent.
Consent
Consent means any freely given indication of the data subject’s wishes for the specific case in an informed and unambiguous manner, in the form of a declaration or any other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.
Personal Data Breach
Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the data subject. It can be an act or omission.
Privacy by Design and Default
Means implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR and DPA.
Privacy Notices
A separate notice setting out information that may be provided to data subjects when Boxxstep collects information. These notices may take the form of general privacy statements applicable to a specific group of individuals) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.
Processing or Process
Any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. Basically, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Pseudonymisation or Pseudonymised
Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Review
Boxxstep will continue to review the effectiveness of this Data Protection Policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required taking into account changes in the law and organisational or security changes.