This document sets out our commitment to complying with applicable data protection legislation in force in the UK (including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018) where we process your data whilst providing our services to you.
The aim is for this document to provide you with the assurances you need that we comply with the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European regulation which came into force in 2018. When the UK left the European Union (“Brexit”) in 2021, the UK adopted the EU GDPR into UK law via the Data Protection Act 2018.
Collectively, from the UK, we now refer to UK GDPR which is the UK’s implementation of EU GDPR and the Data Protection Act 2018.
GDPR sets out the rules about how we can process personal data (data that allows us to identify an individual) whether we are processing this data ourselves or on behalf of our clients.
Quick introduction to GDPR
The data protection “principles” set out the rules by which personal data can be processed. They mean that we must be open and transparent about our processing; only process data for a particular purpose; maintain the minimal amount of data and keep it accurate; only keep the data for as long as we have a lawful reason to do so; ensure that personal data is kept secure; and be able to demonstrate that we are compliant (the “accountability principle”).
For processing to be lawful we have to identify a “lawful basis for processing”. You’ve probably heard of consent, which is where we get an individual’s permission to process their data, but there are other (and sometimes more relevant) lawful bases for processing, such as the performance of a contract; because the law tells us we must process data in a particular way; or because we are able to demonstrate a legitimate interest, which means that we may want to process an individual’s data in a different way, but we have to make sure it doesn’t infringe an individual’s rights and freedoms.
We also have to be careful where in the world we process personal data. Generally, as long as we process the data in the UK or the EU, this is fine, but if we need to process the data outside this area, we have to make sure an “appropriate safeguard” is in place, which usually means making sure the country has adequate data protection laws (as determined by the UK government) or putting a processing contract in place (usually called Standard Contractual Clauses or “SCC”). It’s important to understand here that “processing” includes everything we do with personal data, including storing, sharing, manipulating, editing and deleting, so when we think about where in the world an individual’s data is processed this includes storing data in the cloud, or using a third party to process the data.
What about marketing data?
GDPR applies to personal data that identifies an individual, whether that individual is a private person or an employee of a business.
When it comes to marketing to individuals, as well as considering the GDPR obligations over the processing of personal data, we also have to consider the Privacy and Electronic Communications Regulations (“PECR”) which set out the rules for electronic marketing such as by email, SMS/text or online messaging.
What is and isn’t allowed according to data protection and privacy regulations differs according to the source of the information, our relationship with the individual whose personal data it is, and whether the data relates to an individual or a business:
• Where the data relates to a private individual (e.g. a member of the public) we can only market to the individual if they have opted in to receive marketing. Opting into marketing requires us to follow the GDPR’s consent rules as well as providing an option to opt out of future marketing at any time.
• Where the data relates to a private individual who is a customer (or is about to be), provided the individual has been given a chance to opt out at the point the data was collected initially, the marketing relates to the services we provide and we provide an opt-out in every subsequent marketing communication, we can market without seeking consent. This is the so-called “soft opt-in” and doesn’t require GDPR-compliant consent.
• Data relating to sole traders (and certain kinds of partnerships (not LLPs)) should not be treated as business data but as an individual’s data, so the rules applicable to private individuals (above) apply.
• Data relating to an individual (e.g. an employee) within a business can be used for marketing purposes provided they can opt out of future communications and the marketing is relevant to their role (and they’re not a sole trader). Consent is not required to market business to business.
• Generic business data (that doesn’t identify an individual employee within the business) can be used for marketing as it’s not classed as personal data. It is best practice, though, to also provide opt-outs from future communications.
How are GDPR and PECR enforced?
In the UK the Information Commissioner’s Office (“ICO”) is responsible for ensuring the GDPR and PECR rules are upheld by any business or organisation that is processing personal data.
You can find out more about the role of the ICO on their website, as well as lots of other resources relating to UK GDPR and PECR: https://ico.org.uk/
As a UK company, we are committed to ensuring our business, services and processes are GDPR compliant, that we continue to maintain our compliance and ensure it meets the full requirements of the law.
We are also committed to safeguarding your data when we process it on your behalf and apply the same standards of compliance to your data, as we do our own.
Our services are compliant because:
• We have an external data protection specialist who advises us and acts as our Data Protection Officer (DPO)
• All our staff are trained and aware of their ongoing compliance obligations
• We have internal policies which set out the data protection responsibilities across the whole of our business
• We check all our systems and processes to ensure they meet the requirements of GDPR, particularly in terms of ensuring appropriate technical and organisational measures are in place to ensure the security of your data at all times. This includes making sure only specific employees have access to your data
• We ensure we maintain our compliance at all times
• We are open and transparent about how and where in the world we process your data and the appropriate protections we have in place to ensure, as a Data Processor, we are processing your data, for you, in line with the data protection requirements
• We only process data if it is lawful to do so, and will let you know if we think your instructions are in breach of the GDPR
• We have processes in place to assist you if your own Data Subjects exercise their rights
• We have implemented the appropriate contractual obligations required by Article 28 of the GDPR (in our terms of service and accompanying documentation)
• We have carried out due diligence against any third-party processors (sub-processors) we may use in delivering our service, including implementing the standard contract clauses required when processing data outside the UK.
When you ask us to process data on your behalf (either because you have supplied the data or we have collated it for you), you are the Data Controller, and we are the Data Processor. This means, at all times, we will only process your data on your instructions and do not use your data for our own purposes.
The relevant sections of our terms and conditions set out our obligations as a Data Processor, including those required by Article 28 of the GDPR:
• We will only process your data according to your instructions
• We make it clear if your data will be processed outside the UK so that you can agree that is acceptable for us to do so
• We ensure that any employees processing the data are up to date with data protection law and their obligations and duties of confidentiality
• We ensure that all processing is done with technical and organisational measures in place to ensure the security of processing
• We make it clear what sub-processors we use (including our own businesses operating outside the UK) so that by signing up to our services you are agreeing for us to use these sub-processors
• We will assist you with your obligations as the Data Controller, including in dealing with individuals’ rights (e.g. subject access requests) as well as your obligations relating to security, data breaches and data protection impact assessments (DPIA)
• We will either delete or return (securely) your data at the end of the processing activities
If required, we can provide you with details of our compliance to demonstrate our compliance (if you require more than this GDPR statement).
When we deliver our services to you, we make use of our offices outside the UK to carry out the processing activities. Our non-UK offices are separate legal entities. This means that your data will be processed outside the UK (e.g. in Bangladesh, South Africa) which in GDPR terms constitutes a “restricted transfer”.
However, we have put in place controls to ensure that appropriate safeguards, as required by GDPR are implemented:
• Our processing activities (where processing takes place outside the UK) are covered by separate agreements which include the Standard Contract Clauses for international data transfers, which are implemented between our business in the UK and the non-UK parts of our business. We implement these contractual terms on your behalf and this arrangement is covered in our terms and contracts with you. This is the most appropriate way of enforcing data protection compliance in our non-UK businesses, but we also ensure compliance in our non-UK businesses through other means
• All our non-UK employees go through a rigorous vetting exercise which includes background checks, interviews, reference checks and on-site testing. Our employees generally come from the top five universities with either a Bachelors and in some cases a Masters degree. Our employees sign employment contracts and NDAs on government stamped paper and are regularly made aware of the legal consequences they will face in case of any breaches. The process has proven to work as our unplanned attrition levels are consistently below 10%; way below industry averages
• Our expectations are set out in the contracts of employment
• On joining, all our employees receive data protection specific training which covers all the relevant aspects of GDPR compliance, including the basics of data protection (principles, lawful bases for processing); what they can and can’t do with data, including protocols around how they handle personal data (e.g. local copies, retention, deletion, etc.); the security of processing; and an understanding of the key elements such as individuals’ rights, how to deal (internally) with a data or security breach and who to contact. We also make clear to them the ramifications of not sticking to this compliance regime
• We supply copies of our data protection policies to all our employees
• We ensure our policies and training are kept up to date and ensure that refresher training/reminders are delivered to our employees at appropriate frequency
We will always be open and transparent with you about where we will be processing your data and can set out further, if required, why our approach is lawful and will protect your data.
Use of technology
Generally, we limit the services we use when we process personal data, which limits the security risks and maintenance overheads of using multiple services. Your data will therefore be processed either within your own systems (if you provide us with access details) or via our trusted suppliers (details of which are available on request).
Access to data
Only those employees who need access to your data will have access to it.
Where we need to store your data on our systems or store data on your behalf, we will always do this using our trusted suppliers.
Backups are carried out in accordance with our suppliers’ data recovery terms.
Should our approach to any aspect covered by this statement change we will make sure, where your data is impacted, we will notify you within a reasonable timeframe.
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 24 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
WE HELP YOU TO COMPLY WITH GDPR
Our approach to our own compliance also helps you comply with your own GDPR compliance requirements. This statement should go some way to explain our approach to GDPR compliance. By using our services, you can be assured that your use of our service is GDPR compliant.
Furthermore, if required we will assist you or the Information Commissioner’s Office with any query relating to the GDPR compliance of our services.
We hope this section of our statement answers some of the questions or concerns you may have about the way we process your data. If you still have questions, please contact our Data Protection Office via [email protected]
Is it safe for you to process our data outside the UK and Europe?
The GDPR allows personal data to be processed outside the UK or EEA provided appropriate safeguards are in place. As set out above, we have opted to implement the Standard Contract Clauses (SCC or sometimes called “model clauses”) between our UK business and non-UK businesses. These contractual terms bind our employees and these non-UK businesses to the UK (and therefore EU) standards of data protection and provide a mechanism for Data Subjects to seek redress. You can find out more about “restricted transfers” on the ICO’s website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
We are worried that our data will be processed outside the EU, what assurances can you give us our data will be safe?
We are confident having sought legal advice and the advice of our Data Protection Officer that the way we have implemented the Standard Contract Clauses and the way we recruit and train our non-UK employees provides the necessary security to ensure we and you, as our client, are compliant according to UK and EU data protection requirements. We’ve provided more information about these protections in the Data Location section above.
What countries are you processing personal data in?
We currently process personal data relating to our clients in Bangladesh and South Africa.
Is your marketing activity compliant?
The focus of our business is to deliver business-to-business (“B2B”) marketing. As we have set out above (in the section about the PECR rules) you do not need consent to market to employees of a business (provided they’re not a sole trader).
In considering the legality of our prospecting and marketing activities, including those that we may carry out for you, we are relying on the GDPR lawful basis of “legitimate interest” (again set out above) to process the data for marketing purposes.
Is our marketing activity compliant if you’ve collected contact details for us?
As per the previous question, you will be relying on legitimate interest to process B2B marketing data. Provided you are not marketing to anyone considered to be a private individual (where you would need consent to market), your marketing activity is lawful.