From 25 May 2018, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) replaces the Data Protection Act 1998. The aim of the regulation is to standardise data protection laws across the EU, affording individuals stronger, more consistent rights of access to and control over their personal information. This statement provides a summary of how Bishops Printers Ltd T/A The Mailing People will comply with the new data protection regulation.
The Mailing People is committed to protecting and respecting the privacy of its staff, customers and suppliers. We will ensure that any processing of personal data is secure, used only for the stated purpose and handled in accordance with the GDPR.
The high priority we place on protecting and managing customer data is further evidenced by our ISO 27001 Information Management Systems certification, which is integral to our service offering. It demonstrates that, whether sending, receiving, processing or storing data, our systematic procedures, processes and staff training have been rigorously and independently
Legal basis for processing
We have conducted an information audit (to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed), and identified the following:
- That we are a data controller, collecting and processing data from our employees. Our legal justification for doing so is necessity for the performance of contract and compliance with our legal obligations.
- That we are a data controller for our customers and potential customers. Our legal justification for doing so is legitimate interest. This has been tested and documented in a Legitimate Interest Assessment (LIA).
- That we are a data processor for those customers for whom we are required to process personal data of third parties for the performance of contract. We will only act on the documented instructions of the Data Controller.
- That we must obtain and document the consent of the data subject to email sales and marketing information that isn’t required in order to fulfil our contracted provision of goods and services.
Policies and procedures
We have reviewed policies and procedures (internal and external) and where necessary made changes to meet the requirements and standards of the GDPR, including:
- Data protection; accountability and governance measures are in place to ensure that we understand, and adequately disseminate and evidence, our obligations and responsibilities, the focus of which is on privacy by design and the rights of individuals.
- Privacy notice/policy; we have taken steps to ensure that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
- Data retention and erasure; we have reviewed our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles, and that personal information is stored, archived and destroyed compliantly. We have introduced a dedicated procedure governing the right to be forgotten. When acting as a Data Processor under instruction from the Data Controller, mailing list data is archived for 3 months after the use for which it was contracted. This is to enable analytical use by the Data Controller, should it be requested. Data is then deleted or returned at the end of the agreed contract, or when the need for processing ceases, as directed by the Data Controller.
- Data breaches; we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures have been disseminated to all relevant employees making them aware of the reporting lines and steps to follow. We will assist Data Controllers in dealing with data breaches and Access Requests from data subjects for whom we have processed data on the Data Controller’s behalf.
- Subject access request (SAR); we have established a procedure to accommodate the 30-day timeframe for providing the requested information, and for making this provision free of charge. This includes how to verify the data subject, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
- Obtaining consent; we have revised our consent mechanisms ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have processes in place for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to see and access way to withdraw consent at any time.
- Processor Agreements; where we use any third-party to process personal information on our behalf (such as hosting, payroll, recruitment etc.), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we), meet and understand their/our GDPR obligations.
Data subject rights
We provide easy to access information (via our website, during induction training, through our Finance office and Marketing department) about an individual’s right to access any personal information that The Mailing People processes about them, and to request information about:
- What personal data we hold about them.
- The purposes of the processing.
- The recipients to whom the personal data has/will be disclosed.
- How long we intend to store their personal data for.
- If we did not collect the data directly from them, information about the source.
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
Technical and organisational measures
- All The Mailing People staff responsible for processing personal data have received training in their responsibilities to protect data from theft, loss or any kind of use outside the purpose for which it was collected.
- The provision of a secure file upload portal (SFTP) for transferring personal data.
- Computer files containing personal data to be password protected.
- All computer servers used by The Mailing People to store personal data, either directly or indirectly, to be located within the UK.
- Access to personal data to be restricted to essential personnel through the use of password protected files and computer/programme access controls.
The Mailing People