Created: 04/2012
Latest Review/Update: 03/2018
Version: 4

1. INTRODUCTION
2. WHY THIS POLICY EXISTS
3. DATA PROTECTION LAW
4. PEOPLE, RISKS AND RESPONSIBILITIES
  4.1 POLICY SCOPE
  4.2 DATA PROTECTION RISKS
  4.3 RESPONSIBILITIES
5. GENERAL EMPLOYEE GUIDELINES
6. DATA STORAGE
7. DATA USE
8. DATA ACCURACY
9. SUBJECT ACCESS REQUESTS
10. DATA BREACH NOTIFICATIONS
  10.1 WHAT IS A PERSONAL DATA BREACH?
  10.2 WHAT BREACHES NEED TO BE NOTIFIED TO THE RELEVANT SUPERVISORY AUTHORITY?
  10.3 WHEN DO INDIVIDUALS HAVE TO BE NOTIFIED?
  10.4 NOTIFICATION OF A BREACH
  10.5 PREPARING TO REPORT A BREACH
11. DISCLOSING DATA FOR OTHER REASONS
12. PROVIDING INFORMATION
13. CONTACTING THE ICO

1. INTRODUCTION

MBA Group Ltd needs to gather and use certain information about individuals.

These individuals can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.


2. WHY THIS POLICY EXISTS

This Data Protection Policy ensures MBA Group Ltd:

  • Complies with the General Data Protection Regulation (GDPR) and follows good practice
  • Protects the rights of employees, customers and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach


3. DATA PROTECTION LAW

The General Data Protection Regulation (GDPR) describes how organisations, including MBA Group Ltd, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Data Protection Act states that: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

This is the eighth data protection principle, but other principles of the GDPR will also be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require organisations to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place if using sub-contractors abroad.

Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

The GDPR creates some new rights for individuals and strengthens some of the rights that existed in the Data Protection Act. The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.


4. PEOPLE, RISKS AND RESPONSIBILITIES

4.1. POLICY SCOPE

This policy applies to:

  • All MBA Group Ltd Sites
  • All employees of MBA Group Ltd
  • All contractors, suppliers and other people working on behalf of MBA Group Ltd

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Plus any other information relating to individuals

4.2. DATA PROTECTION RISKS

This policy helps to protect MBA Group Ltd against some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

4.3. RESPONSIBILITIES

Everyone who works for, or with, MBA Group Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The Directors are responsible for ensuring that the Company meets its legal obligations and that resource and investment are considered to ensure the security of assets.
  • All MBA Employees are responsible for:
      • Adhering to the policies and procedures put in place by MBA Group Ltd to ensure our legal obligations are met.
      • Full cooperation in completing Data Protection or Information Security Assessments to enable the business to monitor awareness.
  • The Chief Compliance & Data Protection Officer (CC & DPO) (Management Representative) is responsible for:
      • Keeping the Directors updated about data protection responsibilities, risks and issues.
      • Reviewing all data protection procedures and related policies.
      • Ensuring data protection training and advice is available for the people covered by this policy.
      • Handling data protection questions from employees and anyone else covered by this policy.
      • Dealing with requests from external individuals to see the data MBA Group Ltd holds about them (also called ‘subject access requests’).
      • Reviewing Due Diligence Questionnaires and Audits with suppliers who have access to MBA data assets.
  • The Human Resources Manager is responsible for:
      • Protecting all information held on Company employees.
      • Providing information during induction in respect of what personal information will be held on individuals and the purpose for holding the information.
      • Dealing with requests from employees to see data MBA Group holds on them (subject access requests).
      • Ensuring all employees, during induction, are made aware of the Company’s Data Protection Policy Agreement and the consequences of non-compliance.
      • Ensuring the Company Terms and Conditions of Contract include the requirements of the DPA and the GDPR.
      • Reviewing data protection questionnaires to measure employee understanding and address knowledge gaps.
      • Obtaining and storing consents for HR activity where no legal basis is identified.
      • Knowing where personal data is stored and how it is secured.
  • The Contracts Officer is responsible for reviewing, drafting and advising on any contracts or agreements with clients for whom we process data, and with any third parties that may have access to sensitive data on behalf of MBA, prior to approval sign-off by a Director.
  • The Head of IT is responsible for:
      • Ensuring all systems, services and equipment used for storing data meet suitable and sufficient security standards.
      • Performing regular checks and scans to ensure security hardware and software is functioning properly.
      • Evaluating any third-party services the company is considering using to store or process data, including cloud-based services.
      • Initiating Due Diligence Questionnaires and Audits with suppliers who have access to MBA data assets and advising the CC & DPO.
      • Carrying out risk assessments in relation to new technology or major changes to the IT infrastructure.
  • Department Heads & Managers are responsible for:
      • Ensuring their employees receive Data Protection training and understand their responsibilities.
      • Making their employees aware of any risks within their area of responsibility.
      • Ensuring their employees respond to all requests for ongoing assessment through questionnaires and/or additional training.
      • Ensuring their employees know how to escalate any concerns relating to data.
      • Initiating Due Diligence Questionnaires and Audits with suppliers who have access to MBA data assets and advising the CC & DPO.
      • Carrying out risk assessments in relation to any processes that can access personal data.
      • Knowing where personal data is stored and how it is secured.
  • The Marketing Manager is responsible for:
      • Addressing any data protection queries from journalists or media outlets like newspapers.
      • Ensuring any marketing activities are in accordance with the requirements of the DPA and GDPR.
      • Obtaining and storing consents where no legal basis or legitimate interest is identified.
      • Maintaining the Privacy and Cookie Policies.
      • Knowing where personal data is stored and how it is secured.


5. GENERAL EMPLOYEE GUIDELINES

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data must not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • MBA Group Ltd will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees must keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used and they should never be shared.
  • Personal data must not be disclosed to unauthorised people, either within the company or externally.
  • Employees must request help from their line manager or the Chief Compliance Officer if they are unsure about any aspect of data protection.


6. DATA STORAGE

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Group IT Manager or Chief Technical Officer.

When data is stored on paper, it must be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files must be kept in a locked drawer or filing cabinet.
  • Employees must make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
  • Data printouts must be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data must be protected by strong passwords that are changed regularly and never shared between employees.
  • MBA Group Ltd does not allow data to be stored on removable media (such as a CD or DVD). Requests from clients must be made in writing, and secure transit agreed between MBA Group Ltd and the client.
  • Data must only be stored on designated drives and servers.
  • Servers containing personal data must be sited in a secure location, away from general office space.
  • Systems must be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data must never be saved directly to laptops or other mobile devices like tablets or smartphones.
  • All servers and computers containing data must be protected by approved security software and a firewall.


7. DATA USE

Personal data is of no value to MBA Group Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees must ensure the screens of their computers are always locked when left unattended.
  • Personal data must not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically. The Group IT Manager can explain how to send data to authorised external contacts.
  • Personal data must never be transferred outside of the European Economic Area.
  • Employees must not save copies of personal data to their own computers. Always access and update the central copy of any data.


8. DATA ACCURACY

The law requires MBA Group Ltd to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort MBA Group Ltd should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Employees must not create any unnecessary additional data sets.
  • Employees must take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • MBA Group Ltd will make it easy for data subjects to update the information MBA Group Ltd holds about them. For instance, via the company website.
  • Data must be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the Marketing Manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.


9. SUBJECT ACCESS REQUESTS

All individuals who are the subject of personal data held by MBA Group Ltd are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a Subject Access Request.

External Subject Access Requests from individuals should be made in writing to:

Elaine Harris
Chief Compliance & Data Protection Officer
MBA House
Garman Road
London N17 0HW

Once approved, the Chief Compliance & Data Protection Officer will provide the relevant data within 30 days.

Employee Subject Access Requests should be made by e-mail to tcastiglione@mba-group.com

Once approved, the HR Manager will provide the relevant data within 30 days.

The data controller will verify, with the relevant parties, the identity of anyone making a subject access request before providing any information.


10. DATA BREACH NOTIFICATIONS

10.1. WHAT IS A PERSONAL DATA BREACH?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

10.2. WHAT BREACHES NEED TO BE NOTIFIED TO THE RELEVANT SUPERVISORY AUTHORITY?

A breach that is likely to result in a risk to the rights and freedoms of individuals needs to be notified. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, a loss of customer details that leaves individuals exposed to identity theft would require notification to the relevant supervisory authority. On the other hand, the loss or inappropriate alteration of an employee telephone list, for example, would not normally meet this threshold.

10.3. WHEN DO INDIVIDUALS HAVE TO BE NOTIFIED?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, MBA’s HR Manager will notify the employees concerned directly; where the breach relates to MBA’s clients’ data, the agreed escalation process will be followed.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

10.4. NOTIFICATION OF A BREACH

A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows the organisation to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

A breach relating to client data being processed by MBA will be reported in accordance with Data Protection Agreements between the two parties.

Failing to notify a breach when required to do so could result in a significant fine.

10.5. PREPARING TO REPORT A BREACH

MBA Group Ltd provides training to ensure employees understand what constitutes a data breach, and that this is more than a loss of personal data.

MBA has a system and procedure in place to accommodate the reporting of a breach. This facilitates decision-making about whether MBA needs to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach, MBA Group Ltd has robust breach detection, investigation and internal reporting procedures in place, in addition to Data Protection Agreements with its clients.


11. DISCLOSING DATA FOR OTHER REASONS

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, MBA Group Ltd will disclose requested data. However, the Chief Compliance Officer will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.


12. PROVIDING INFORMATION

MBA Group Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, the company has a Privacy Policy setting out how data relating to individuals is used by the company.


13. CONTACTING THE ICO

Data Subjects wishing to report a data protection breach can do so by using the following link for the Information Commissioner’s Office (ICO):

https://ico.org.uk/