Pure360 GDPR Compliance Statements

Introduction

The statements contained within this GDPR compliance document, and the subsection numbering, correspond directly to the ICO’s self-assessment readiness checklist, which can be found here.

The checklist has a ‘More Information’ tick box that will display detailed explanations of the statements should you require clarification.

The statements are grouped into the following six sections:

  • Data Controller
  • Data Processor
  • Records Management
  • Information Security
  • Direct Marketing
  • Data Sharing

The CCTV readiness section was not relevant to our business.

Definition

“The business” refers to PurePromoter Ltd T/A Pure360.

Data Controller

1.1 Information we hold

The business has conducted an information audit to map data flows.

The business has documented what personal data we hold, where it came from, who we share it with and what we do with it.

1.2 Lawful basis for processing personal data

The business has identified its lawful bases for processing and documented them.

1.3 Consent

The business has reviewed how we ask for and record consent.

The business has systems to record and manage ongoing consent.

1.4 Consent to process children’s personal data for online services

The business does not offer online services directly to children.

1.5 Vital interests

This is not relevant to the business.

1.6 Legitimate interests

The business uses legitimate interests as a lawful basis for processing. The business has applied the three-part test and can demonstrate that we have fully considered and protected individuals’ rights and interests.

1.7 Data Protection Fee

The business is currently registered with the Information Commissioner’s Office.

2.1 Right to be informed including privacy information

The business has provided privacy information to individuals.

2.2 Communicate the processing of children’s personal data

The business does not offer online services directly to children.

2.3 Right of access

The business has a process to recognise and respond to individuals’ requests to access their personal data.

2.4 Right to rectification and data quality

The business has processes to ensure that the personal data we hold remains accurate and up to date.

2.5 Right to erasure including retention and disposal

The business has a process to securely dispose of personal data that is no longer required or where an individual has asked us to erase it.

2.6 Right to restrict processing

The business has procedures to respond to an individual’s request to restrict the processing of their personal data.

2.7 Right to data portability

The business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

2.8 Right to object

The business has procedures to handle an individual’s objection to the processing of their personal data.

2.9 Rights related to automated decision making including profiling

The business has identified whether any of our processing operations constitute automated decision making and has procedures in place to deal with the requirements.

3.1 Accountability

The business has an appropriate data protection policy.

The business monitors our own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

The business provides data protection awareness training for all staff.

3.2 Processor contracts

The business has a written contract with any processors we use.

3.3 Information risks

The business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

3.4 Data Protection by Design

The business has implemented appropriate technical and organisational measures to integrate data protection into our processing activities.

3.5 Data Protection Impact Assessments (DPIA)

The business understands when we must conduct a DPIA and has processes in place to action this.

The business has a DPIA framework which links to our existing risk management and project management processes.

3.6 Data Protection Officers (DPO)

The business has nominated a data protection lead or Data Protection Officer (DPO).

3.7 Management Responsibility

Decision makers and key people in the business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

4.1 Security policy

The business has an information security policy supported by appropriate security measures.

4.2 Breach notification

The business has effective processes to identify, report, manage and resolve any personal data breaches.

4.3 International transfers

The business ensures an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area.

Data Processor

Information we hold

1.1 Information we hold

The business has conducted an information audit to map data flows.

1.2 Information we hold

The business has documented what personal data we hold, where it came from, who we share it with and what we do with it.

Accountability and governance

2.1 Accountability

The business has an appropriate data protection policy.

2.2 Data Protection Officer (DPO)

The business has nominated a Data Protection Officer (DPO).

2.3 Management Responsibility

Decision makers and key people in the business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

2.4 Information risks and data protection impact assessments

The business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

2.5 Data Protection by Design

The business has implemented appropriate technical and organisational measures to show we have considered and integrated data protection into our processing activities.

2.6 Training and awareness

The business provides data protection awareness training for all staff.

2.7 Data processing contracts

The business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and the business.

2.8 The use of sub-processors

The business has sought prior authorisation, by way of the License Agreement, from the controller before engaging the services of a sub-processor.

2.9 Operational base

The business does not operate outside the EU.

2.10 Breach notification

The business has effective processes to identify and report any personal data breaches to its controller.

Individual rights

3.1 Right of access

The business has a process to respond to a controller’s request for information (following an individual’s request to access their personal data).

3.2 Right to rectification and data quality

The business has processes to ensure that the personal data we hold remains accurate and up to date.

3.3 Right to erasure including retention and disposal

The business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in our contract with the controller.

3.4 Right to restrict processing

The business has procedures to respond to a data controller’s request to suppress the processing of specific personal data.

3.5 Right of data portability

The business can respond to a request from the controller to supply the personal data we process in an electronic format.

Data security

4.1 Security policy

The business has an information security policy supported by appropriate security measures.

Records Management

Management and organisational records management

1.1 Records management organisation

The business has defined and allocated records management responsibilities.

1.2 Records management policy

The business has approved and published an appropriate records management policy. This is subject to a regular review process.

1.3 Records management risk

The business has identified records management risks as part of a wider information risk management process.

1.4 Records management training

The business incorporates records management within a formal training programme. This comprises mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.

1.5 Monitoring and reporting

The business carries out periodic checks on records security and there is monitoring of compliance with records management procedures.

Records creation and maintenance

2.1 Record creation

The business has set minimum standards for the creation of paper or electronic records.

2.2 Information we hold

The business has identified where we use manual and electronic record-keeping systems and actively maintains a centralised record of those systems.

2.3 Information standards

The business has processes in place to ensure that the personal data we collect is accurate, adequate, relevant and not excessive. We carry out regular reviews to remove any personal data or records that are out of date or no longer relevant.

Tracking and offsite storage

3.1 Tracking and offsite storage of paper records

The business has tracking mechanisms to record the movement of manual records and ensure their security between office and storage areas and also in instances where records are taken offsite.

3.2 Offsite transfer of electronic records

The business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.

3.3 Secure storage of records

The business stores paper and electronic records securely with appropriate environmental controls and higher levels of security around special categories of personal data.

Access to records

4.1 Access to records

The business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss.

The business has a process to assign and manage user accounts to authorised individuals and to remove them when no longer appropriate.

4.2 Business continuity

The business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of the business. We also routinely back up data that is stored electronically to help restore information if needed.

4.3 Disposal of data

The business has a retention and disposal schedule which details how long we will keep manual and electronic records.

The business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.

Information Security

Management and organisational information security

1.1 Risk management

The business identifies, assesses and manages information security risks.

1.2 Information security policy

The business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.

1.3 Information security responsibility

The business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.

1.4 Outsourcing

The business has established written agreements with all third party service providers and processors that ensure the personal data they access and process on our behalf is protected and secure.

Your staff and information security awareness

2.1 Training and awareness

The business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.

Physical security

3.1 Secure areas

The business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.

3.2 Secure storage

The business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.

3.3 Secure disposal

The business has a process to securely dispose of records and equipment when no longer required.

Computer and network security

4.1 Asset management

The business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.

4.2 Home and mobile working procedures

The business ensures the security of mobile working and the use of mobile computing devices.

4.3 Secure configuration

The business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

4.4 Removable media

The business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.

4.5 User access controls

The business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.

4.6 System password security

The business has appropriate password security procedures and ‘rules’ for information systems and has a process in place to detect any unauthorised access or anomalous use.

4.7 Malware protection

The business has established effective anti-malware defences to protect computers from malware infection.

4.8 Backup and restoration

The business routinely backs up electronic information to help restore information in the event of disaster.

4.9 Monitoring

The business logs and monitors user and system activity to identify and help prevent data breaches.

4.10 Patch management

The business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.

4.11 Boundary firewalls

The business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.

Personal data breach management

5.1 Incident management

The business has effective processes to identify, report, manage and resolve any personal data breaches.

The business has appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.

The business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.

The business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.

Direct Marketing

1.1 Direct marketing governance

The business has defined and allocated responsibility for compliance with data protection legislation and PECR (the Privacy and Electronic Communications Regulations) when carrying out direct marketing activities or roles.

The business has approved and published direct marketing policies and procedures, which contain data protection and PECR guidance and are routinely reviewed to ensure they remain fit-for-purpose.

1.2 Direct marketing training

The business ensures that we provide data protection training to all staff with direct marketing responsibilities (including temporary staff and contractors).

1.3 Lawful basis for direct marketing

The business has obtained the necessary consent from individuals for marketing in compliance with data protection legislation and PECR (Privacy and Electronic Communications Regulations).

The business relies on ‘legitimate interests’ as the lawful basis for some of our marketing activities.

The business has applied the three-part test and complies with other marketing laws.

1.4 Bought-in lists

The business does not operate with bought-in lists.

1.5 Marketing lists

The business does not sell marketing lists.

1.6 Telephone marketing

The business identifies itself when making live marketing calls and only makes them in compliance with PECR.

The business does not make automated marketing calls.

1.7 Electronic mail

The business identifies itself when sending electronic marketing messages and ensures we have the initial and ongoing permission of recipients in compliance with current legislation.

1.8 Postal marketing

The business only sends marketing mail to named individuals who have not objected to receiving mailings in line with current legislation.

1.9 Marketing by fax

The business does not use fax as a marketing medium.

1.10 Opt-out

The business has mechanisms in place to ensure that individuals can opt out of marketing easily.

1.11 Retention of personal data

The business has a retention policy and procedures in place for the personal data we hold for direct marketing.

Data Sharing

Data sharing governance

1.1 Data sharing policy

The business has communicated policies, procedures and guidance to all staff that clearly set out when it is appropriate for them to share or disclose data.

1.2 Accountability

The business has assigned responsibility to an appropriate member of staff for ensuring effective data sharing.

1.3 Staff training

The business provides adequate training on an ongoing basis for staff who regularly make decisions about whether to share personal data with third parties.

Data sharing records

2.1 Decision log

The business maintains a log of all our decisions to share personal data and we review this regularly.

2.2 Data sharing agreements

The business has a data sharing agreement (DSA) with any party we routinely share personal data with or transfer large quantities of data to. We review these agreements regularly.

Notification

3.1 Privacy information

The business informs individuals about the sharing of their personal data.

Security

4.1 Security measures

The business has appropriate security measures in place to protect data that is in transit, received by the business or transferred to another business.

Right of access

5.1 Requests for personal data

The business has a documented process for dealing with requests for personal data, which all our staff are aware of and which has been effectively implemented.

5.2 Accountability and training

The business has appropriately trained all personnel who have responsibility for processing requests for personal data and has made them aware of how to identify and channel requests to the appropriate team or person.

5.3 Compliance monitoring

The business monitors and reviews all requests for personal data and, where necessary, implements additional measures to improve compliance.
