CME Data Protection Policy
This document sets out the Construction Marketing Experts policy on the protection of the personal data of all business contacts – primarily customers (actual and potential) and service/product providers (actual and potential).
Data Subject – The individual who the data in question relates to, and who may be identified by the data.
GDPR – The European Union's General Data Protection Regulation.
HMRC – The UK’s tax regulator.
The Company – Construction Marketing Experts Limited (CME), registered office, 20 Queens Road, Hoylake, Wirral, CH47 2AH.
Organisation – This includes both commercial businesses and not-for-profit organisations.
The Company Dropbox – A secure cloud drive accessible by CME team members.
3. GDPR ROLES
Sarah Reay, managing director, is both the Data Controller and the Data Processor for CME.
CME is a small B2B marketing consultancy. There is no requirement for a Data Protection Officer to be appointed for a business of this type and size.
4. TYPES OF DATA
As part of the running of CME, the company obtains contact details of individuals (clients, prospects, service providers etc., as stated in Section 1). These individuals may be acting alone or as part of an organisation.
These details are primarily email addresses, telephone numbers and postal addresses, but could also include Skype IDs and other contact details. My understanding is that these details may be considered to be within the scope of GDPR if, and only if, they can be used to identify named individuals.
For the purpose of this policy, contact details that can be identified only with organisations, or with groups etc. within organisations (for example, a company office address or group email address), are assumed to be outside the GDPR’s scope.
CME does not actively collect or store ‘sensitive personal data’ as defined in the GDPR, such as ethnic origin or religious or political beliefs. If such data is contained within a document that the company is asked to work on:
· CME will not use or share data in any way, other than sharing the document, as necessary, with other parties involved in the project.
· CME will delete the document if requested to do so by the client or Data Subject, after the work is completed.
5. COLLECTING DATA
5.1 POSTAL ADDRESSES
To comply with HMRC’s requirements, the company needs to obtain a postal address for each client that CME works for, to be included in invoices that are issued.
For future reference, the company may store this postal address in a list of client details on The Company Dropbox if it relates to an organisation, or to a group etc. within an organisation, but not if it is an individual's address. In either case, the company may include it in the contacts list in an email account if the company thinks it may need it for potential future invoices.
5.2 EMAIL ADDRESSES
As part of normal email correspondence, email addresses are automatically recorded in the email accounts that are used by CME employees.
However, the company does not store these addresses in a separate file, unless they are group email addresses that the company may need to refer to – for example, the addresses of an accounts team that the company should send invoices to. In these cases, the company may store them in a list of client details on The Company Dropbox.
When researching potential clients, service providers etc., the company may store individuals' ‘company-based’ email addresses in spreadsheets if, and only if, the company has obtained them from publicly available sources (such as a company website). The company will not do this for email addresses associated with individuals outside organisations.
The company website does not have a login system for visitors. The company does not collect email addresses via the website, other than those that are automatically added to a list when visitors contact the company and specify their email addresses; the company does not process this data or store it elsewhere.
The company uses mailing lists to inform all parties stated in section one of information relevant to these parties. The mailing lists are held in a secure location on The Company Dropbox and also on a secure mailing system called Mail Chimp.
5.3 OTHER PERSONAL DATA
As part of normal business communication, individuals’ telephone numbers may be stored (automatically or manually) in the contacts list on the company’s mobile phones or landline phones.
A number that is stored on the company mobile telephones might be automatically synchronised into the contacts list in an email account associated with that phone. The company might also add it to one of these contacts lists manually, if the company thinks this will help to contact the person.
When the company makes contact with people via Skype, their Skype IDs are automatically visible to the company within Skype itself, as normal. The company does not normally store them elsewhere but might do so with the Data Subject's consent.
6. USE OF DATA
The company believes that CME's use of the above data is compliant with GDPR, as the company uses it for contacting people within organisations or groups about work and related matters, and (as per section 5.1) to include postal addresses in invoices. In GDPR terms, The Company believes these purposes to constitute a ‘lawful basis’ for use of the data.
7. SECURITY OF DATA
The data referred to in the above sections is stored on the company computers that are used by CME staff members, within The Company Dropbox. The company computers require a password on start-up. If work is undertaken off site, the company staff members will require a password to access The Company Dropbox.
The company email accounts are password protected, and the company mobile telephones require a PIN upon start-up and wake-up.
8. RETENTION OF DATA
As required by HMRC, the company retains each postal address (at least in invoices, and sometimes also in the company’s spreadsheet of client details, as per section 5.1) for at least six years from the date when it was last used. After that, it will be deleted on request from the client, or it may be deleted as part of a ‘housekeeping’ exercise.
9. WEB ANALYTICS
The company sometimes uses Google Analytics to assess how web users have generally been finding and navigating the company website; however, the company does not use it to identify individual visitors.
10. SHARING OF DATA WITH THIRD PARTIES
The company will not share personal data with any other parties without the Data Subject’s consent, unless it needs to be shared with HMRC for tax audit purposes.
11. CONSENT AND AWARENESS
As from 25th May 2018, as part of the process of agreeing work, the company will ask the client to state that they accept the terms of this policy unless they have already done so. The work will not proceed unless this acceptance is explicitly stated.
Before May 25th 2018, in order to expedite this process, the company will ask some existing clients (those who are considered to be active clients) to state their acceptance of the terms of this policy.
The company will not ask past, inactive clients for retrospective acceptance of this policy; the company will only ask them about it if they offer the company further work.
The company does not believe that, in normal circumstances, there is a requirement for other types of contacts (prospects, service providers etc.) to state their acceptance of this policy.
If someone sends the company an electronic document containing contact details (for example, the joining instructions for a training course), the company will not be obliged to delete the document or redact those details, as they will have been supplied to the company voluntarily. However, the company will delete the document or redact the details on request from the document provider or Data Subject, unless this would prevent the company satisfying any legal requirements.
For organisational clients, consent may be given by either (a) a primary contact in the organisation, (b) another person in a suitable position of authority, or (c) the Data Subject.
The company will record all instances of consent being given or withdrawn in a log on The Company Dropbox.
12. RIGHTS OF THE DATA SUBJECTS
The company acknowledges and respects the rights afforded to Data Subjects under the GDPR, including the rights:
· To be told, on request, what data the company holds about them.
· To ask for data to be updated, deleted, restricted or moved to another party without hindrance, subject to legal requirements.
· To complain to the Information Commissioner’s Office about any alleged misuse of data.
Following any request to update, delete, restrict, or move data, the company will give an initial response within 15 days if at all possible, and (if it goes ahead) carry out the requested action within 30 days. If necessary, the company will delete relevant emails as well as deleting data from files.
13. RESPONDING TO DATA BREACHES
If the company becomes aware of a possible breach of data protection within the company, it will be investigated as soon as possible. If the company finds that a breach has occurred and could result in a risk to anyone's privacy rights or freedoms, the company will report it to the Information Commissioner's Office within 72 hours of determining this.