GDPR
Version 2.4
This guidance was last updated on 11 July 2024 and is copied from our compliance portal.
Introduction
The General Data Protection Regulation (GDPR) represents possibly the most significant change to data protection laws in over 20 years. The new regulations will impact every part of our organisation, and as such we accept our responsibilities and obligations of this important change.
BrandPipe Ltd regards the lawful and appropriate treatment of personal information as very important to its successful operations and essential to maintaining confidence between the company and those with whom it carries out business. The company therefore fully endorses and adheres to the Principles of the General Data Protection Regulation.
We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to EUR 20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR.
Our GDPR Obligations
BrandPipe Ltd understands that the focus on individual rights (as well as transparency and accountability for the collection and handling of personal data) places EU residents and their rights at the heart of GDPR. Therefore, we will ensure that our organisation makes all the necessary changes in order to support the GDPR regulations and act at all times in the spirit of the GDPR. We will at all times process data lawfully, fairly, and transparently; respecting the rights of our data subjects; and ensuring we maintain the integrity and confidentiality of any data we process. We will minimise the amount of data we collect and the amount of time we process any data we collect. As such, we will consider all aspects of our data processing activities, storage and disposal of all personal data.
In addition, we accept that the new regulations strengthen compliance requirements including new rules on consent and a clear definition of how data is to be used. We will adopt a Privacy by Design ethos and complete Impact Assessments (where necessary) to understand how best to guarantee data is kept secure.
We also accept the need for transparency, including the processing of Subject Access Requests and Breach Disclosure requirements to notify authorities; and where necessary, data subjects within 72 hours.
Key Strategy Principles
- We will use personal data in the most efficient and effective way to deliver better services
- We will collect only adequate, relevant data limited to what is necessary in relation to the purposes for which they are processed
- We will process data lawfully, fairly and in a transparent manner in relation to individuals collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research
- We will be a responsible custodian of data including customers, employees, third-parties, and any other personally identifiable data
- We will assign clear ownership for data privacy across the company starting at the highest levels, with clear responsibility and accountability for all aspects of data security throughout the organisation
- We will establish a formal inventory of data processing operations and supporting systems that collect, process and store personal data
- We will review and verify the legal basis for collecting and processing personal data; as well as the legal means for any cross-border (outside Europe) transfers and communicate this clearly with all data subjects
- We will regularly review all systems and processes, identify gaps and develop a plan to achieve compliance with the new regulations
- We will ensure data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- We will ensure data is accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified
- We will ensure data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data
- We will review partners and vendors to establish current contract terms and agreed-upon data protection controls
- We will ensure we can support individuals exercising their rights under the GDPR
- We fully support the requirements of the GDPR and will ensure appropriate resources and funding are available to meet these obligations in preparation for implementation
- We are adopting a risk managed approach and acknowledge that there may be gaps in implementation. However, we will have completed high priority tasks, review and made significant changes in order to support the GDPR
Handling personal data
BrandPipe Ltd will, through management and use of appropriate controls, monitoring and review:
- Use personal data in the most efficient and effective way to deliver better services
- Strive to collect and process only the data or information which is needed
- Use personal data for such purposes as are described at the point of collection, or for purposes which are legally permitted
- Strive to ensure information is accurate and not keep information for longer than is necessary
- Securely destroy data which is no longer needed
- Take appropriate technical and organisational security measures to safeguard information (including unauthorised or unlawful processing and accidental loss or damage of data)
- Ensure that information is not transferred abroad without suitable safeguards
- Ensure that there is general information made available to the public of their rights to access information
- Ensure that the rights of people about whom information is held can be fully exercised under the General Data Protection Regulations
DPO Requirement
We have evaluated the requirement for a designated Data Protection Officer as in Article 37 of the GDPR and other related clauses. We recognise that we store significant amounts of data and considering the requirements we have appointed a DPO that has the appropriate experience required to perform this role. As required by the GDPR we will ensure the DPO continues to have support from the Senior Management Team and appropriate reporting arrangements in order necessary to monitor our compliance, conduct DPIAs when necessary and act as a contact point for the organisation and the ICO. We will ensure the DPO has the necessary resources available required to perform the tasks defined in the DPO role.
Processing Of Special Categories Of Data
We recognise that we process special categories of data as defined in Article 9 or Article 10 of the GDPR. We recognise that processing this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination. We accept the need to act lawfully under Articles 6 and 9 and will ensure we apply the appropriate lawful basis at all times. As such we will take appropriate steps to ensure we have consent where required and also complete further risk analysis if necessary.
Third Country Transfers Of Data
We have completed a review of our processes and data we process and have determined that we do transfer data outside the EU. As such, the restrictions on the transfer of personal data outside the European Union, to third countries or international organisations apply and we will take appropriate steps to ensure we meet these regulations and ensure the required safeguards are in place.
Processing Data About Children
We have completed a review of our processes and data we process and have determined that we do process data about children. We accept that a child’s personal data merits particular protection under the GDPR and that children need particular protection when collecting and processing their personal data because they may be less aware of the risks involved.
As such, we will take appropriate steps to ensure we meet all GDPR regulations, that the required safeguards are in place and ensure our systems and processes are maintained and monitored with this in mind.
Legitimate Interest Assessment
Due to the volumes of data stored, we have carefully considered the lawful basis under which we collect, store, and process this data. We have completed a legitimate interest balancing assessment and determine that our interests in operating our business, providing a service to our customers, offering opportunities to the data subjects, and making a profit are a legitimate basis for processing when compared to the impact on the rights of the data subjects as defined in.
We have completed a three-step assessment
- Legitimate interest – considered as above
- Necessity test – this is a fundamental part of our business, without this processing we have no product or service to offer.
- Balancing test – we have considered the rights of the data subject, their expectations, impact on them and their families and how we can protect their interests and rights under the GDPR and determine that processing is acceptable.
Downloads
Further resources and materials
All of our policy documents and templates are available to download from our secure Document Library. Please note that the online version published in the Compliance Portal is always the most up-to-date.
Privacy Notice
Please read our Data Protection and Privacy notices before continuing. Downloads may contain information concerning BrandPipe employees (such as name and contact information and details pertaining to their role at BrandPipe