Privacy Shield Policy

DATA PROTECTION POLICY

Overview

Introduction: In order to provide its products and services, DSS Partners has to collect certain information about individuals and organisations. These can include customers, suppliers, contacts and employees, as well as other individuals with whom DSS Partners has a relationship. This document outlines how data must be collected, handled and stored to meet data protection standards.

Why does this policy exist?

The data protection policy ensures:

● Compliance with data protection law

● Protection of the rights of customers and partners

● A record of how DSS Partners stores and processes data

● Protection against data breaches

Applicability

● The policy applies to all offices of DSS Partners

● All staff, interns and volunteers

● All contractors, suppliers and other individuals working on behalf of DSS Partners

The policy applies to all data DSS Partners holds relating to identifiable individuals. This can include:

● Names

● Postal addresses

● Email addresses

● Telephone numbers

● Any other information relating to individuals

Risks

This policy is designed to protect DSS Partners and its customers from the following security risks:

● Reputational damage DSS Partners could suffer if unauthorised access is gained to sensitive data

● Breaches of confidentiality, for example information being distributed inappropriately

● Failure to offer choice. Individuals should have a choice in how DSS Partners uses data relating to them

General Data Protection Regulation (GDPR)

The General Data Protection Regulation describes how organisations like DSS Partners must collect, handle and store personal information. It contains these 9 principles:

Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy – Personal data shall be accurate and, where necessary, kept up-to-date.

Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality – Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Accountability – The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR.

Responsibilities:

All DSS Partners employees have a responsibility to adhere to the policy.

The Executive Leadership Team (ELT) is ultimately responsible for ensuring DSS Partners meets its legal obligations.

The Executive is responsible for:

● Updating the Team on data protection risks and issues

● Reviewing all data protection policies

● Handling data protection questions

● Dealing with requests from individuals for the data DSS Partners holds about them

● Approving contracts with 3rd parties that may handle sensitive data

The CTO is responsible for:

● Ensuring all systems, services and equipment used for storing data are appropriately secured

● Evaluating any third-party services used to store or process data

The Marketing Manager is responsible for:

● Data protection statements attached to email and written communications

● Dealing with data protection queries from media outlets

● Ensuring marketing initiatives adhere to data protection principles

Storage of Data

For paper storage, sensitive documents should be stored in a locked drawer or filing cabinet when not in use.

Data stored online or on local servers and devices (electronically) must be protected from unauthorised access, accidental deletion and malicious access attempts.

● Data should be protected by strong passwords, changed regularly and not shared

● Data stored on removable media should be kept securely when not in use and all disks encrypted

● Data should only be stored on designated drives and servers and only shared on approved cloud computing services

● Servers containing personal data should be located in a secure area

● Data should be backed up frequently, those backups should be encrypted and tested regularly

● Data should not be saved on unsecured laptops or mobile devices

● Adding, modifying, and deleting user accounts and access is handled by the end user, within the KPInsite application

Data stored in the Amazon Redshift warehouse will have additional security measures:

● Inside the AWS platform, sensitive data is encrypted at rest and in transmission, from the time the data is fetched, through interstitial storage, to the final data store

● Amazon S3 is used for long-term archival storage of the data. Amazon Redshift is used as the warehouse data storage. KPInsite adheres to the weekly maintenance upgrade schedule set forth for Amazon Redshift. See here for security information

● Access to the source code is limited to the developers that are actively working on the project. This access is determined and periodically reviewed by the security lead and executive management

Data Usage

● When working with sensitive data, employees should ensure screens are locked when unattended

● Sensitive data should not be shared by email in unencrypted form

● Employees should not save copies of data to personal devices

● Cookies are only utilized for authentication and configurations set by each user within analytics.kpinsite.com. All data is encrypted and minified

Accuracy of Data

It is important that DSS Partners ensures the accuracy of relevant data.

● Do not create unnecessary copies of data

● Ensure data is updated promptly as required

● If inaccuracies are discovered they should be addressed immediately

Subject Access Requests

All individuals who are the subject of personal data held by DSS Partners are provided these rights:

● The right to be informed

● The right of access

● The right to rectification

● The right to be forgotten

● The right to restrict processing

● The right to data portability

● The right to object

● Rights in relation to automated decision making and profiling.

Subject Access Requests should be made by e-mail.

It is the aim of DSS Partners to process requests relating to these rights within 14 days.

The identity of the requester will be verified before information is distributed.

Disclosing data

In certain circumstances, the regulations allow data to be disclosed to law enforcement agencies without the consent of the data subject. DSS Partners will disclose data in these circumstances after ensuring the request is legitimate and, where necessary, notifying the Board and the company's legal advisers.