PHC Digital Ltd GDPR Data Protection Policy
This public facing document outlines our data protection policy, focusing on our responsibilities as data controllers and data processors, in line with the new GDPR regulations in force from the 25th May 2018. It aims to be succinct, easy to read and easy to understand.
The policy is updated from time to time with the latest version available on this page.
Policy key definitions:
• "I", "our", "us", or "we" refer to the business PHC Digital Ltd, 36 Lavender Close, Attleborough, NR17 2PZ.
• GDPR means General Data Protection Act.
• ICO means Information Commissioner's Office.
We are registered with the ICO under the Data Protection Register number: ZA337228
We are committed and support data protection legislation and promote a positive culture of data protection compliance across PHC Digital Ltd.
This document is for customers, suppliers and staff in relation to our duties under the GDPR.
We have corresponding Policy, Process and Procedure documents available internally for staff and contractors as the GDPR regulations require.
Please note that you have a right to object to being contacted at first communication from us. Please contact us using the contact details below if this is the case.
PHC Digital Ltd are both data controllers and data processors.
PHC Digital Ltd as a data controller
A data controller determines the purposes and means of processing personal data. That is to say the “why” and the “how” of processing personal data. In relation to our customer, supplier and staff data we are both a data controller and data processor.
PHC Digital Ltd as a data processor
A data processor is required to maintain records of personal data and carry out associated processing activities. That is to say the “day to day” processing of personal data, this may be PHC customer/supplier/staff data or individual’s data on behalf of a third-party data controller.
We only process data on the documented instructions of a data controller and only where there is a contract in place.
Data Protection Lead for PHC Digital Ltd is Pete Henshall (Managing Director) and has responsibility for implementing the policy and monitoring compliance.
The Allocated Records Management Owner is Pete Henshall (Managing Director).
Individuals and data controllers have various rights under the GDPR. To enact these rights individuals/data controllers should contact PHC Digital Ltd on the details below. The rights will then be dealt with in line with the internal Policy, Process and Procedure documents.
Our standard GDPR contact details are: firstname.lastname@example.org
/ 07852 942082 and these should be used for all GDPR requests relating to all the rights given under the GDPR.
Standard Review Periods
Unless otherwise stated in this document our GDPR review date is annually on the 1st May.
Compliance to the GDPR is continually monitored by the Data Protection Lead and then signed off in line with the above review dates.
Types of Data Processing
We process data in the following ways:
• Customers: to carry out a business relationship in line with a customer contract
• Suppliers: to carry out a business relationship in line with a supplier contract
• Staff: to be able to give employment to staff members and fulfil our duties as employers
• Other Individuals: to carry out processing in line with data controller contracts, or under the ‘consent’ lawful basis for marketing reasons.
We run internal staff-only Back Office System software to manage consent, including;
• When and how we got consent from an individual
• What the individual was told at the time
We review consent in line with our standard GDPR review timescales. To withdraw consent, you may contact us using our standard GDPR contact details listed in this document.
We will act on withdrawals of consent as a priority and as soon as reasonably possible.
Under the GDPR your rights are as follows.
• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and
• the right not to be subject to automated decision-making including profiling.
You also have the right to complain to the ICO via www.ico.org.uk if you feel there is a problem with the way we are handling your data.
Lawful Basis for Processing Data
We have lawful basis for processing and storing personal data for one of these reasons:
• We have a contract in place and we need to process personal data to comply with our obligations under the contract. A contract does not have to be a formal signed document it is also an exchange of goods or services for money/value.
• We haven’t yet got a contract with the individual but have been asked to do something as a first step (e.g. provide a quote) and we need to process personal data to do what has been asked of us.
• We have Legitimate Interest as defined by the GDPR and have passed the Legitimate Interests Assessment.
• We have explicit, documented consent to contact an individual and provide means to opt-out with every contact.
Failure to process and store your personal details means we are unable to fulfil the basis of the agreement between us or the contract to which the data storage/processing pertains.
Data Processors (staff and contractors)
Our staff and contractors may process individual’s data. Upon induction or shortly after appointment we conduct appropriate data-protection awareness training to comply with the GDPR.
In the event of new regulations or other changes affecting GDPR we inform all staff and contractors.
PHC Digital Ltd are proud to have long term, trusted contract relationship with a number of skilled programmers and designers and ensure that we have set written contracts in place delegating all obligations of GDPR to them as required by the GDPR.
We may share your details with the third-party companies for the reasons of conducting business as usual. As a customer, supplier or staff member we need to use third party accounts systems for invoicing and payroll, and/or need to use third party accountancy and legal services. Currently our suppliers are Xero (accounts software), Leathes Prior Solicitors for legal services and M+A Partners LPP for accountancy related services. We use UK based Cloud Backup Provider LiveDrive for storing copies of all our backup data. Data transfer to and from these third parties will be carried out in compliance with the GDPR.
We will not pass on nor sell your details to any third parties for marketing reasons.
Subject Access Requests
You have the right to request a copy of all personal data that we hold on you in an easy to use format. You can request this using our standard GDPR contact details listed in this document. We will document any Subject Access Requests and their method (email or verbal) on our internal Back Office System.
You will receive the information free of charge and within one month of the Subject Access Request.
Keeping personal data accurate and up to date
We will contact you in line with our regular GDPR reviews to check all personal information we hold about you is accurate and up to date. This will be completed either verbally over the telephone or via excel spreadsheet and you will be able to challenge accuracy on all data at that point. Any data that is not correct we will then correct for you in our internal Back Office System and all relevant third-party systems (as per listed in Privacy Information).
In line with our GDPR review frequency we will review all records:
• to ensure that the information we hold continues to be adequate for the purposes of processing (ie the purpose for which it was collected).
• To identify when we need to correct inaccurate records
• To identify when we need to more irrelevant records
• To identify when we need to update out-of-date records.
Erasing Personal Data
If there is no compelling reason (see the section Lawful Basis for Processing Data) not to be erased then you may contact us using our standard GDPR contact details at the top of the first page of this document and request deletion/erasure of all personal data we hold on you.
We will document any Erasure/Deletion Requests and their method (email or verbal) on our internal Back Office System.
The Data Protection Lead will remove this data from any third-party systems (as per Privacy Information), including the Cloud Backup systems and other backup systems upon receiving the request.
Data retention and disposal will be the responsibility or the Data Protection Lead and data will be destroyed completely and irreversibly at the time in a way suitable for the data. This could be cross-shredding/incineration in the case of physical or hard deletion in the case of data.
Data retention and Disposal
We only retain data if it is needed, usually in line with our HMRC tax and VAT responsibilities as a Ltd company, which are currently 7 years. After this time, we will hard delete all personal and project data.
We dispose of any paper-based records by using appropriate shredding and ensure any disks or other media is fully destroyed by incineration.
Restricting the use of personal data
You have the right to restrict the use of personal data that we hold on you. You can request this using our standard GDPR contact details at the top of the first page of this document. We will document any Personal Data Restrictions and their request method (email or verbal) on our internal Back Office System. We will then update any 3rd party systems (as per Privacy Information).
Should we have good reason to lift the restriction on processing we will inform you at the time and record this decision in our back-office systems.
You have the right of data portability for the personal data that we hold on you as a data controller. This allows you to obtain and reuse your personal data for your own purposes across different services or request this data is sent directly to another data-controller.
If you request this data we will export it in a commonly used format (normally CSV) and transfer it securely.
Objection to the handling of personal data
You have the right to object to us handling/processing your personal data at the point of first communication with you through whichever method (verbal/email/etc). You may contact us using the standard GDPR contact details in the first paragraph or by letting us know during first communication.
If you object, then we will register this request and its method (email or verbal) inside our Back Office System. If there are compelling legitimate grounds to continue with the data processing then we will inform you and record these inside our Back Office System and inform you of the outcome to your objection.
Automated decision making under Article 22 of the GDPR
We do not currently carry out any automated decision making on individuals under Article 22 of the GDPR.
Data Protection Awareness Training
Data protection is intrinsic to everything we do at PHC Digital Ltd and regular training and revision is constantly carried out for all staff members so that they are aware of their responsibilities when handling personal data.
We maintain an internal Risk Register outlining any risks associated with running the company including GDPR related risks. The GDPR related risks will be reviewed inline with our regular review schedule as per page one.
Integrated Data Protection
Data protection is built into our Back Office System and we continually look to minimise the amount of data we collect on our customers, suppliers and staff members.
We review the public facing documents, such as this one, as well as review and improve data security features and controls in line with our regular review schedule.
Data Protection Impact Assessments
When creating new software for internal use we will carry out a Data Protection Impact Assessment to ensure that data protection and the impact on the rights of individuals has been properly assessed. We recommend that our customers carry out DPIA for their products we develop on their behalf.
Information Security Policy
Our Information Security Policy is available alongside this document. See the stand-alone file called “PHC Digital Ltd - Information Security Policy”.
In line with the regular review as outlined in this document we will regularly review information security.
Breaches or Personal Data
In the event of a personal data breach ever happening we have processes and procedures in place to assess risk to individuals, and where necessary, notify the breach to the data controller/ICO and inform affected individuals.
-- End of document