Data Protection and Privacy Policy

Introduction

At Ekiva, we are committed to protecting the privacy and confidentiality of personal and sensitive data that we collect, process, store, and manage. This policy outlines our approach to data protection in accordance with the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR). We recognise the importance of personal data security and are dedicated to ensuring that we comply with all applicable data protection laws and regulations.

Purpose

This policy sets out the principles and procedures that ensure we protect personal data and manage it responsibly. The purpose of this policy is to ensure:

1. Compliance with data protection laws.
2. The confidentiality, integrity, and availability of personal data.
3. The protection of individuals’ rights regarding their personal data.
4. Clear guidelines for employees on how to handle and process data securely.

Scope

This policy applies to all employees, contractors, consultants, and third parties who handle personal data on behalf of Ekiva. It covers all personal data collected, processed, and stored by the company, whether in physical or digital formats, across all departments and business activities.

1. Data Protection Principals

Ekiva is committed to ensuring that personal data is:

3. Accountability

Under the General Data Protection Regulation (GDPR), Ekiva is required to adhere to the principle of accountability. This obligates us to maintain accurate and comprehensive records of its data processing activities. These records clearly demonstrate Ekiva’s compliance with the data protection principles outlined in the GDPR.

Ekiva ensures that all relevant information regarding the collection, use, and storage of personal data is documented and readily available for review. This includes maintaining records of data processing purposes, data categories, recipients of personal data, retention periods, and security measures implemented to safeguard the data.

Ekiva is committed to upholding transparency and accountability in its data processing practices, ensuring that all activities are conducted in compliance with data protection laws

4. People, Risk & Responsibilities

This Data Protection Policy applies to the following groups within Ekiva:

• Head office
• All branches
• All employees (including, where applicable, volunteers)
• All contractors, suppliers, and any other individuals working on behalf of Ekiva

The policy encompasses all data held by us that relates to identifiable individuals, regardless of whether the information technically falls under the scope of the Data Protection Act. This includes, but is not limited to, the following types of personal data:

• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Any other information related to individuals that may identify them

All employees, contractors, and partners are responsible for ensuring the security and proper handling of personal data within the scope of this policy. We require compliance with this policy across all levels of the organisation to mitigate risks related to data protection and privacy.

5. Data Protection Risk

This policy is designed to protect Ekiva from several critical data security risks, including but not limited to:

1. Breaches of Confidentiality: For example, personal data being disclosed or shared inappropriately.
2. Failing to Offer Choice: Ensuring that individuals have control over how their personal data is used by the company.
3. Reputational Damage: For instance, if sensitive data is compromised due to a cyberattack, the company could suffer significant harm to its reputation.

Responsibilities

Everyone working for Ekiva shares a responsibility to ensure that personal data is collected, stored, and handled appropriately. Each team that processes personal data must ensure it complies with this policy and adheres to the data protection principles.

However, certain individuals and teams within the company have specific responsibilities:

a. Board of Directors

The Board of Directors is ultimately accountable for ensuring that Ekiva meets its legal obligations related to data protection. They are also responsible for ensuring any data breach is reported within 72 hours of discovery, particularly if there is a risk that the breach may result in:

1. Identity theft
2. Fraud
3. Financial loss
4. Damage to the data subject(s)’ reputation
5. Loss of confidentiality
6. Unauthorised reversal of pseudonymisation
7. Discrimination or other significant economic or social disadvantages

A data protection breach can be reported to the Information Commissioner’s Office (ICO) by calling 0303 123 113 or online at: ICO Data Breach Report.

b. Compliance Officer

The Compliance Officer is responsible for:

1. Overseeing breach reporting, including working with the Board on significant breaches.
2. Keeping the Board informed on data protection responsibilities, risks, and issues.
3. Reviewing all data protection procedures and policies on a regular schedule.
4. Coordinating data protection training for all individuals covered by this policy.
5. Addressing data protection queries from employees and other stakeholders.
6. Managing subject access requests from individuals who wish to see the data the company holds about them.
7. Approving any contracts or agreements with third parties handling the company’s sensitive data.

c. IT Manager

The IT Manager is responsible for:

1. Ensuring all systems, services, and equipment used for storing data meet acceptable security standards.
2. Performing regular security checks and scans to ensure security hardware and software are functioning properly.
3. Evaluating third-party services considered for data storage or processing, such as cloud computing services, to ensure they meet the required data protection standards.

d. Marketing Manager

The Marketing Manager is responsible for:

1. Approving any data protection statements included in communications such as emails and letters.
2. Addressing data protection-related queries from journalists or media outlets.
3. Collaborating with other teams to ensure marketing activities align with data protection principles.

Each team member has a role to play in safeguarding personal data and ensuring compliance with data protection laws. By fulfilling these responsibilities, we can reduce the risks of data breaches, reputational damage, and non-compliance.

6. General Staff Guidelines

Access to Data and Security Measures

Access to personal data covered by this policy is restricted to those employees who need it to perform their job duties. Data should not be shared informally or accessed without a legitimate work-related purpose. Employees must request access to confidential information from their line managers when necessary.

We will provide regular training to all employees to ensure they fully understand their responsibilities in handling and protecting personal data.

Data Security Guidelines

Employees are expected to follow the guidelines below to ensure the security and integrity of personal data:

1. Use of Strong Passwords: Employees must use strong passwords to access systems containing personal data. Passwords should never be shared or disclosed to anyone, even within the company.
2. Data Confidentiality: Personal data must never be disclosed to unauthorised individuals, either within the company or externally. This includes sharing data with colleagues, clients, or third parties who do not have a valid need for it.
3. Data Review and Disposal: Personal data should be regularly reviewed and updated to ensure its accuracy. If data is found to be outdated or no longer necessary for business purposes, it should be securely deleted and disposed of in accordance with the company’s data retention and disposal procedures.

Employees should seek guidance from their line manager or the Data Protection Officer if they are unsure about any aspect of data protection or need assistance in handling sensitive information.

By adhering to these principles and guidelines, employees play an essential role in safeguarding personal data and ensuring that we remain compliant with data protection regulations.

7. Data Storage and Security

Ekiva is committed to ensuring that all personal data is stored securely, whether on paper or electronically. The following rules outline the procedures for safely storing data, and any questions about data storage should be directed to the IT Manager or the Data Controller.

Paper-Based Data Storage

When personal data is stored on paper, it must be kept in a secure location where unauthorised individuals cannot access or view it. These guidelines also apply to printed copies of data that is usually stored electronically:

1. Storage: Paper records should be stored in a locked drawer or filing cabinet when not in use.
2. Visibility: Employees should ensure that printed documents are not left unattended in areas where unauthorised individuals could see them, such as on a printer or desk.
3. Shredding and Disposal: Paper records or printouts should be shredded and disposed of securely when they are no longer needed.

Electronic Data Storage

When personal data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious attacks. The following measures must be implemented:

1. Password Protection: Data should be protected with strong passwords that are regularly updated. Passwords must never be shared between employees.
2. Removable Media: If personal data is stored on removable media, such as CDs or DVDs, these must be securely locked away when not in use.
3. Designated Storage Locations: Data should only be stored on approved servers or drives designated for data storage. It must not be saved on personal computers, laptops, or mobile devices.
4. Cloud Storage: Personal data should only be uploaded to approved cloud computing services that comply with company data protection policies.
5. Server Security: Servers containing personal data should be in secure areas, separate from general office space, to prevent unauthorised access.
6. Backups: Data should be backed up frequently as per the company’s standard backup procedures. These backups must be tested regularly to ensure their effectiveness.
7. Mobile Devices: Personal data should never be stored directly on laptops, tablets, smartphones, or other mobile devices. If data must be accessed or used on mobile devices, it should be stored securely in an approved cloud or server environment.
8. Security Software: All computers and servers containing personal data must be protected by approved security software, including antivirus programs and firewalls, to prevent unauthorised access and malicious attacks.

By adhering to these data storage and security measures, Ekiva safeguards personal data from potential threats and ensure compliance with data protection laws.

8. Data Use

Personal data holds significant value for us when used appropriately, but it is at the greatest risk of loss, corruption, or theft when accessed or shared. The following guidelines must be followed to ensure that personal data is used securely and in compliance with data protection laws:

1. Screen Locking: Employees must ensure that their computer screens are locked whenever they are left unattended. This helps prevent unauthorised access to personal data.
2. Avoid Informal Sharing: Personal data should not be shared informally. It must never be sent via email, as email communication is not a secure method for transmitting sensitive information.
3. Encryption of Data: All personal data must be encrypted before being transferred electronically. The IT Manager can provide guidance on how to securely send data to authorised external contacts.
4. Cross-Border Transfers: Personal data should never be transferred unless specific safeguards are in place, such as appropriate contractual agreements or ensuring that the recipient complies with data protection standards equivalent to those in the EEA.
5. Central Data Storage: Employees must not save copies of personal data to their personal computers or devices. Personal data should always be accessed and updated from the central, secure copy maintained by the company.

By following these protocols, we ensure that personal data is used responsibly and is protected from the risks associated with unauthorised access, loss, or theft.

9. Data Accuracy

In accordance with data protection laws, we take reasonable steps to ensure that personal data is accurate and up to date. The accuracy of personal data is critical to the success of Ekiva’s operations and the protection of individuals’ rights. The more significant the impact of data accuracy, the greater the effort we inves in maintaining its correctness.

Responsibilities for Data Accuracy

It is the responsibility of all Ekiva employees and subcontractors, who handle data, to take reasonable steps to ensure that personal data remains accurate and current. We implement the following guidelines to ensure data accuracy:

1. Minimise Data Storage: Data is held in as few places as necessary. Employees are required to avoid creating unnecessary additional datasets or storing duplicate information.
2. Updating Data Regularly: Ekiva employees are required to actively seek opportunities to update data. For example, when interacting with clients, employees should confirm details, such as contact information, to ensure it is up to date.
3. Facilitate Easy Updates: We provide accessible methods for data subjects to update the information the company holds about them.
4. Correcting Inaccuracies: As soon as an inaccuracy is discovered, we update the relevant data promptly.
5. Marketing Database Checks: The Marketing Manager or the designated Ekiva employee is responsible for ensuring that marketing database is checked at least every six months. This process helps to prevent marketing communications from being sent to individuals, who have opted out or requested not to receive such communications.

By adhering to these practices, we ensure that personal data is kept accurate, up to date, and compliant with legal requirements.

10. Data Subject Access Requests (DSAR)

Under data protection law, all individuals, who are the subject of personal data held by us, have the right to:

1. Request details about the information we hold about them and the purposes for which it is processed.
2. Request information on how to access their data.
3. Be informed of how to update or correct their personal data.
4. Be informed about how the company is meeting its data protection obligations.

When an individual contacts us to request this information, it is referred to as a Subject Access Request (DSAR).

1. Submitting a DSAR: Subject access requests should be submitted via email, directed to the Data Controller at office@ekiva.com. While the Data Controller can provide a standard request form, individuals are not required to use it to submit a DSAR.
2. Response to DSARs: We will process a DSAR within one month of receipt. We do not charge for fulfilling a DSAR, except in cases of repeat requests. If a request is deemed to be a repeat request, we will inform the individual of any applicable fees before proceeding with the request.
3. Identity Verification: To ensure the security of personal data, the Data Controller will verify the identity of anyone making a subject access request before releasing any information.

By respecting and facilitating DSARs, we ensure compliance with data protection laws while safeguarding the privacy and rights of individuals.

11. Disclosing Data for Other Reasons

In certain circumstances, the Data Protection Act permits personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under such circumstances, we will comply with a legitimate request for personal data from law enforcement authorities. However, the Data Controller will ensure that the request is valid and lawful before disclosing any data. This may involve consulting with the Board of Directors and, where necessary, seeking advice from the company’s legal advisors to ensure compliance with relevant legal requirements.

We are committed to balancing its obligations under data protection law with the need to support law enforcement agencies, ensuring that personal data is only disclosed when legally required and appropriately justified.

12. Providing Information & Data Subject Rights

At Ekiva, we are committed to ensuring that individuals are aware of how their personal data is being processed, and that they understand their rights in relation to that data. The following outlines the key rights available to data subjects and our responsibilities in relation to those rights.

Access to Personal Data

Data subjects have the right to know what personal data we hold about them, how it is being used, and how they can access it. We maintain an Individual Rights Register to monitor the timescales for responding to Data Subject Access Requests (DSARs). DSARs will be acted upon within one month of receipt. No charge will be made for a DSAR unless it is a repeat request, in which case we will notify the data subject of the costs before processing the request.

Rectification of Personal Data

If a data subject identifies that their personal data held by us is incorrect or incomplete, they have the right to request rectification. If we share or make personal data public, reasonable steps will be taken to inform any third parties processing the data that rectification has been requested. We will process rectification requests within one month of receipt.

Right to Erasure (Right to be Forgotten)

The right to erasure applies in the following circumstances:

1. The data is no longer necessary for the purposes for which it was collected or processed.
2. The data subject withdraws consent and there is no other legal basis for processing.
3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
4. The data has been processed unlawfully.
5. The data needs to be erased to comply with a legal obligation.

However, the right to erasure does not apply where processing is necessary for:

1. Exercising the right of freedom of expression and information.
2. Compliance with a legal obligation.
3. The performance of a task carried out in the public interest or in the exercise of official authority.
4. Public health reasons.
5. Archiving purposes in the public interest, scientific, or historical research.
6. The establishment, exercise, or defence of legal claims.

If personal data has been made public or shared with third parties, we will take reasonable steps to inform those third parties of the data subject’s request to erase links, copies, or replications of that data. Erasure requests will be actioned within one month of receipt.

Right to Restriction of Processing

A data subject can request restriction or suppression of their personal data in the following situations:

1. If the accuracy of the data is contested, the data subject can request restriction to allow us to verify the accuracy.
2. If we no longer need the data, but the data subject requires it for legal claims.
3. If the data subject has objected to the processing and we are investigating whether there are legitimate grounds that override their rights.

Personal data will be stored in a restricted form during the period of restriction, and we will inform the data subject before lifting the restriction. We will also inform any third parties of the restriction, where applicable. Restriction requests will be actioned within one month of receipt.

Data Portability

Data subjects have the right to request a copy of their personal data in a machine-readable format (e.g., Excel, CSV file) where the processing is based on consent and carried out by automated means. We will process this request within one month of receipt. If the data subject requests that their data be transmitted to another organisation, the company will comply with this request within one month.

Right to Object

Data subjects have the right to object to the processing of their personal data:

1. If the processing is based on our legitimate interests or public tasks.
2. For direct marketing purposes.

In these cases, we will stop processing the personal data unless it can demonstrate compelling legitimate grounds for the processing, or if the processing is necessary for the establishment, exercise, or defence of legal claims.

Automated Decision Making and Profiling

Data subjects have the right to object to decisions based solely on automated processing, including profiling, unless the decision is:

1. Necessary for entering into or performing a contract.
2. Based on the data subject’s consent.
3. Authorised by law.

If the processing is based on a contract or consent, we will give the data subject the opportunity to contest the decision, express their point of view, and request human intervention.

Privacy Statement

By providing individuals with clear and accessible information about how their data is used, we ensure that data subjects can fully exercise their rights under data protection laws. To ensure transparency, we maintain a privacy statement that sets out how personal data is used. This statement is available on request, and a version of it can also be accessed on the company’s website.