APM Data Protection Policy
Alison Page Marketing (APM) only processes and stores personal data to carry out prescribed marketing activities on behalf of its clients, to carry out its own marketing to further the success of the business, to meet its legal obligations, and for the effective running of the business.
The above statement also incorporates Tring and Berkhamsted Living Magazines, which is a trading name of APM.
As a result of our activities, APM will hold the dual roles of Data Controller and Data Processor as appropriate.
In the event of a breach, we will notify the ICO and relevant client by telephone or email – dependent on the severity – complete a form with all necessary information and compile a log, in line with the ICO’s requirements.
A full audit of data commenced 31 January 2018 and any appropriate data cleansing took place in line with this policy prior to May 2018.
The following is in line with the Six Principles:
(a) Lawfulness, fairness and transparency:
- We confirm that Alison Page Marketing is committed to adhering to the current data protection legislation.
- It is our intention to work only with clients, associates and suppliers who are also aligned with the current data protection legislation.
- Occasionally, we may send our existing clients, associates and suppliers – where we have a contract in place, or if you have subscribed to receive email newsletters from APM – relevant marketing information or information on third parties which we think they may find interesting. Individuals may opt out at any time by sending an email to: email@example.com.
- Where we use an email service provider (ESP) such as Mailchimp or Campaign Monitor for newsletters, a recipient can unsubscribe at any time via the link on every email newsletter. The email disclaimer identifies why the individual has received the newsletter and is specific to each client and list. We will update the system manually when required to do so.
- Personal information held on an individual and requested by a client or an individual will be supplied in accordance with the current legislative requirements.
(b) Purpose limitation:
- APM does not advocate the purchase of personal databases for marketing purposes. Any such requirements by a client would need to be discussed individually.
- The client will ensure that any personal data provided about, or on, an individual for marketing purposes, has been collected legitimately.
- The client will avoid supplying any high-risk personal data such as those identified within the Special Category, including children. If required, special measures will be put in place and expert advice gained as to the handling of the data.
(c) Data minimisation:
- APM does not routinely hold any Special Category data. Should a project or campaign require such a level of detail, separate discussions will need to be held to ensure compliance.
- All data spreadsheets transferred online will be password protected (File/Protect workbook/Encrypt with Password). Passwords should be communicated separately with no identifier.
- The data required for a given campaign, i.e. mailing or telemarketing, will be discussed and agreed at a client meeting and confirmed in the meeting notes or, if by telephone, subsequently confirmed by email. Should data be provided that is not required for the purposes of the campaign, these fields will be deleted immediately, and the client notified. The data will be held for the duration of the campaign. Once all activities in relation to the campaign are completed, all data files will be deleted or shredded accordingly.
(d) Accuracy:
- The client will provide an update to its business and personnel records as appropriate.
- The client will ensure that any personal data provided about, or on, an individual for marketing purposes, is factually correct.
- The client will ensure that any amendments or revisions to an individual’s data are identified in order to update any additional systems, such as Mailchimp or Campaign Monitor.
- Any change in data identified directly to APM will be notified to the appropriate client as required.
(e) Storage limitation:
- Ongoing client project files will be stored in the office for up to 12 months. After this time, they will be placed in storage in archive storage boxes and retained for a period of 7 years in line with HMRC. Project files contain only meeting notes, marketing campaign information and client contact details and do not contain any Special Category data.
- Any personal or Special Category data will be deleted and/or shredded as necessary upon completion of a given campaign.
- After a period of 7 years, historical client project files will be supplied to and destroyed by The Archive Centre Ltd in Aylesbury, Buckinghamshire. Certificates can be supplied if required.
(f) Integrity and confidentiality:
- We operate a clear desk policy.
- APM uses only proprietary services to manage its own data including Microsoft 365 (Microsoft Online Services Terms (English) (May 2018), Attachment 4), Xero, Hubspot and Mailchimp. Each of these links sets out the supplier’s approach to the current data protection legislation.
- The office desktop is encrypted with BitLocker and password protected.
- The tablet is encrypted with facial recognition software and password protected.
- All files are stored on OneDrive (a product of Microsoft 365) which is also password protected.
- The mobile phone is encrypted with iPhone two-factor authentication, requiring an 8-digit passcode and all data will be deleted if the passcode is entered incorrectly 10 times.
- In the event of a breach, we will notify both the Client’s Data Protection Officer or Data Controller and the ICO in line with the ICO’s requirements. Furthermore, we will compile a log of such breaches.
Your rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from 25 May 2018).
- The right to be informed about our processing of your personal data;
- The right to have your personal data corrected if it’s inaccurate and to have incomplete personal data completed;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- The right to have your personal data erased (the ‘right to be forgotten’);
- The right to request access to your personal data and information about how we process it;
- The right to move, copy or transfer your personal data (‘data portability’); and
- Rights in relation to automated decision making including profiling.
Right to complain
If you believe your data has been wrongfully processed, stored or handled, you have the right to raise a concern with the Information Commissioner’s Office (ICO). Details on how to do this can be found here: https://ico.org.uk/for-the-public/raising-concerns/.
Any queries or requests for further information relating to our Data Protection Policy and GDPR compliance should be emailed to: firstname.lastname@example.org.