Privacy and compliance statement
(last amended May 24th, 2018)
The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
As the data privacy laws have changed, we’ve taken the opportunity to review our privacy and data usage policies. We have done this both in terms of how we use data for the purposes of conducting our assignments and how we tell people about ourselves in our marketing activity.
Data protection when conducting our assignments
The Orange Partnership (TOP) are dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation.
These principles require that personal information must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the data subject’s rights under the DPA and GDPR
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage and
- Not be transferred to a country outside the EEC, unless that country has equivalent levels of protection for personal data
- If we are handling payroll data; timesheet records; swipe records or any other data which relates to a living individual it is classed as personal data.
Processing of data
Data must be obtained for one or more specified and lawful purposes, and not processed in any manner incompatible with those purposes.
Once a data subject’s information has been collected for a specified purpose, it cannot be used for additional purposes.
When asking for data which is covered by the DPA/GDPR ensure:
- We make clear the purpose for which it is required and do this in writing
We use a chain of custody document to ensure Personal data is properly handled
- Data obtained is not used for any other purpose
- Where possible all audit work will be done on site and no hard or electronic copies will be removed regarding payroll.
Data must be adequate, relevant and not excessive, for the purpose for which it has been collected/is being processed
When asking for data which is covered by the GDPR we ensure:
- We only ask for information which is necessary to perform the work you are undertaking. Specify this in your request for data.
Data held on file
Data must not be kept for longer than is necessary.
Only hold on file:
- Personal Data which supports our findings
- Delete any Personal Data which is not necessary to support your findings. This would include any populations of payroll data which you have sampled from.
- Is anonymised as far as is possible
Data must be kept secure.
Any personal Data must be held securely.
As a rule we:
- Only hold Personal Data within TeamMate (where it is encrypted) and where possible that it is anonymised.
- Never hold Persona Data on a memory stick or other media outside of TeamMate. It is okay to transfer data using an encrypted memory stick, but delete it form the stick immediately
- Never hold Personal Data on a local hard disk (C drive)
- Never hold Personal Data in hard copy – we scan any documents required into TeamMate and securely shred any hardcopy that is not original
- Never share legitimate personal data by email unless the document is password protected and in an encrypted format
We have reviewed and updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. Please ask us if you would like to see this.
Data protection for our marketing activity
In summary, like most businesses, we use some analytics tools to learn more about our website. None of these tools identify you personally. They include Google Analytics.
If we do have your personal information on our database where did it come from?
Our database contains only business email addresses and is made up of people in their professional capacity only. The list has grown organically over the years. We’ve never bought mailing lists from any third parties. If you are on our mailing list it’s because someone in your organisation got talking with someone in ours or we have previously completed a piece of work for you or your organisation. We only ever hold business email addresses because our service is only of interest to people in their professional capacity.
As a Chartered Accountancy practice specialising in construction programmes and major contracts our work is only of particular interest to a relatively small number of people within a small number of organisations. If you are on our database it is very likely you are from one of these organisations.
The only information we will hold is your job title, name and business email address. That’s it. And we never share our information with third parties.
If we do have your personal information on our database what will we do with it?
If you are on our database already (before May 25th 2018) and have not opted to unsubscribe in the past then we expect that is because you’ve found our information legitimately interesting. We’ll continue to mail you about business issues occasionally on the basis that we’re delivering information that is of legitimate interest to you within your business role.
On average we email our insights once every four months. We will never directly market our services to you. We just aim to share our insights regarding subjects about which we are qualified and expert and about which we believe you have a significant professional interest.
We’ll only do this if we have your business email address and you can opt-out at any time. Just use the one click unsubscribe to opt-out to any mail we send you.
If you have any questions about our preparation for the GDPR, please contact Kate Walker firstname.lastname@example.org or call us on 01926 358339.