The statements contained within this GDPR compliance document and the subsection numbering are directly related to the ICO’s self readiness checklist which can be found here.
The checklist has a ‘More Information’ tick box that will display detailed explanations of the statements should you require clarification.
The statements are grouped into the following six sections.
The CCTV readiness section was not relevant to our business.
“The business” refers to PurePromoter Ltd T/A Pure360.
1.1 Information we hold
The business has conducted an information audit to map data flows.
The business has documented what personal data we hold, where it came from, who we share it with and what we do with it.
1.2 Lawful basis for processing personal data
The business has identified our lawful bases for processing and documented them.
1.3 Consent
The business has reviewed how we ask for and record consent.
The business has systems to record and manage ongoing consent.
1.4 Consent to process children’s personal data for online services
The business does not offer online services directly to children.
1.5 Vital interests
This is not relevant to the business.
1.6 Legitimate interests
The business uses legitimate interests as the lawful basis for processing. The business has applied the three-part test and we can demonstrate we have fully considered and protected individuals’ rights and interests.
1.7 Data Protection Fee
The business is currently registered with the Information Commissioner’s Office.
2.1 Right to be informed including privacy information
The business has provided privacy information to individuals.
2.2 Communicate the processing of children’s personal data
2.3 Right of access
The business has a process to recognise and respond to individuals’ requests to access their personal data.
2.4 Right to rectification and data quality
The business has processes to ensure that the personal data we hold remains accurate and up to date.
2.5 Right to erasure including retention and disposal
The business has a process to securely dispose of personal data that is no longer required or where an individual has asked us to erase it.
2.6 Right to restrict processing
The business has procedures to respond to an individual’s request to restrict the processing of their personal data.
2.7 Right to data portability
The business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
2.8 Right to object
The business has procedures to handle an individual’s objection to the processing of their personal data.
2.9 Rights related to automated decision making including profiling
The business has identified whether any of our processing operations constitute automated decision making and has procedures in place to deal with the requirements.
3.1 Accountability
The business has an appropriate data protection policy.
The business monitors our own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
The business provides data protection awareness training for all staff.
3.2 Processor contracts
The business has a written contract with any processors we use.
3.3 Information risks
The business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
3.4 Data Protection by Design
The business has implemented appropriate technical and organisational measures to integrate data protection into our processing activities.
3.5 Data Protection Impact Assessments (DPIA)
The business understands when we must conduct a DPIA and has processes in place to action this.
The business has a DPIA framework which links to our existing risk management and project management processes.
3.6 Data Protection Officers (DPO)
The business has nominated a data protection lead or Data Protection Officer (DPO).
3.7 Management Responsibility
Decision makers and key people in the business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
4.1 Security policy
The business has an information security policy supported by appropriate security measures.
4.2 Breach notification
The business has effective processes to identify, report, manage and resolve any personal data breaches.
4.3 International transfers
The business ensures an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area.
1.2 Information we hold
2.1 Accountability
2.2 Data Protection Officer (DPO)
The business has nominated a Data Protection Officer (DPO).
2.3 Management Responsibility
2.4 Information risks and data protection impact assessments
2.5 Data Protection by Design
The business has implemented appropriate technical and organisational measures to show we have considered and integrated data protection into our processing activities.
2.6 Training and awareness
2.7 Data processing contracts
The business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and the business.
2.8 The use of sub-processors
The business has sought prior authorisation, by way of the License Agreement, from the controller before engaging the services of a sub-processor.
2.9 Operational base
The business does not operate outside the EU.
2.10 Breach notification
The business has effective processes to identify and report any personal data breaches to its controller.
3.1 Right of access
The business has a process to respond to a controller’s request for information (following an individual’s request to access their personal data).
3.2 Right to rectification and data quality
3.3 Right to erasure including retention and disposal
The business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in our contract with the controller.
3.4 Right to restrict processing
The business has procedures to respond to a data controller’s request to suppress the processing of specific personal data.
3.5 Right of data portability
The business can respond to a request from the controller to supply the personal data we process in an electronic format.
1.1 Records management organisation
The business has defined and allocated records management responsibilities.
1.2 Records management policy
The business has approved and published an appropriate records management policy. This is subject to a regular review process.
1.3 Records management risk
The business has identified records management risks as part of a wider information risk management process.
1.4 Records management training
The business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.
1.5 Monitoring and reporting
The business carries out periodic checks on records security and there is monitoring of compliance with records management procedures.
2.1 Record creation
The business has set minimum standards for the creation of paper or electronic records.
2.2 Information we hold
The business has identified where we use manual and electronic records keeping systems and actively maintains a centralised record of those systems.
2.3 Information standards
The business has processes in place to ensure that the personal data we collect is accurate, adequate, relevant and not excessive. We carry out regular reviews to remove any personal data or records that are out of date or no longer relevant.
3.1 Tracking and offsite storage of paper records
The business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where records are taken offsite.
3.2 Offsite transfer of electronic records
The business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.
3.3 Secure storage of records
The business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around special categories of personal data.
4.1 Access to records
The business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss.
The business has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.
4.2 Business continuity
The business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of the business. We also routinely back up data that is stored electronically to help restore information if needed.
4.3 Disposal of data
The business has a retention and disposal schedule which details how long we will keep manual and electronic records.
The business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.
The business identifies, assesses and manages information security risks.
1.2 Information security policy
The business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.
1.3 Information security responsibility
The business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.
1.4 Outsourcing
The business has established written agreements with all third party service providers and processors that ensure the personal data they access and process on our behalf is protected and secure.
2.1 Training and awareness
The business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.
3.1 Secure areas
The business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.
3.2 Secure storage
The business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.
3.3 Secure disposal
The business has a process to securely dispose of records and equipment when no longer required.
4.1 Asset management
The business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.
4.2 Home and mobile working procedures
The business ensures the security of mobile working and the use of mobile computing devices.
4.3 Secure configuration
The business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.
4.4 Removable media
The business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.
4.5 User access controls
The business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.
4.6 System password security
The business has appropriate password security procedures and ‘rules’ for information systems and has a process in place to detect any unauthorised access or anomalous use.
4.7 Malware protection
The business has established effective anti-malware defences to protect computers from malware infection.
4.8 Backup and restoration
The business routinely backs up electronic information to help restore information in the event of disaster.
4.9 Monitoring
The business logs and monitors user and system activity to identify and help prevent data breaches.
4.10 Patch management
The business keeps software up to date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.
4.11 Boundary firewalls
The business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.
5.1 Incident management
The business has appropriate training in place to ensure staff know how to recognise a personal data breach and what to do if they detect one.
The business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.
The business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.
1.1 Direct marketing governance
The business has defined and allocated responsibility for compliance with data protection legislation and PECR when carrying out direct marketing activities or roles.
The business has approved and published direct marketing policies and procedures, which contain data protection and PECR guidance and are routinely reviewed to ensure they remain fit for purpose.
1.2 Direct marketing training
The business ensures that we provide data protection training to all staff with direct marketing responsibilities (including temporary staff and contractors).
1.3 Lawful basis for direct marketing
The business has obtained the necessary consent from individuals for marketing in compliance with data protection legislation and PECR (Privacy and Electronic Communications Regulations).
The business relies on ‘legitimate interests’ as the lawful basis for some of our marketing activities.
The business has applied the three-part test and complies with other marketing laws.
1.4 Bought-in lists
The business does not operate with bought-in lists.
1.5 Marketing lists
The business does not sell marketing lists.
1.6 Telephone marketing
The business identifies itself when making live marketing calls and only makes them in compliance with PECR.
The business does not make automated marketing calls.
1.7 Electronic mail
The business identifies itself when sending electronic marketing messages and ensures we have the initial and ongoing permission of recipients in compliance with current legislation.
1.8 Postal marketing
The business only sends marketing mail to named individuals who have not objected to receiving mailings in line with current legislation.
1.9 Marketing by fax
The business does not use fax as a marketing medium.
1.10 Opt-out
The business has mechanisms in place to ensure that individuals can opt out of marketing easily.
1.11 Retention of personal data
The business has a retention policy and procedures in place for the personal data we hold for direct marketing.
The business has communicated policies, procedures and guidance to all staff that clearly set out when it is appropriate for them to share or disclose data.
1.2 Accountability
The business has assigned responsibility to an appropriate member of staff for ensuring effective data sharing.
1.3 Staff training
The business provides adequate training on an ongoing basis for staff who regularly make decisions about whether to share personal data with third parties.
2.1 Decision log
The business maintains a log of all our decisions to share personal data and we review this regularly.
2.2 Data sharing agreements
The business has a data sharing agreement (DSA) with any party we routinely share personal data with or transfer large quantities of data to. We review these agreements regularly.
3.1 Privacy information
The business informs individuals about the sharing of their personal data.
4.1 Security measures
The business has appropriate security measures in place to protect data that is in transit, received by the business or transferred to another business.
5.1 Requests for personal data
The business has a documented process for dealing with requests for personal data, which all our staff are aware of and which we have effectively implemented.
5.2 Accountability and training
The business has appropriately trained all personnel who have responsibility for processing requests for personal data and has made them aware of how to identify and channel requests to the appropriate team or person.
5.3 Compliance monitoring
The business monitors and reviews all requests for personal data and, where necessary, implements additional measures to improve compliance.