1. Upskill Coach’s GDPR Policies
Six Core Principles
The Company shall at all times comply with its data protection obligations under the GDPR, in keeping with the six core principles of GDPR that personal data shall be:
1.1 Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency)
1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Purpose Limitation)
1.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Data Minimisation)
1.4 Accurate and where necessary kept up to date (Accuracy)
1.5 Kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage Limitation)
1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Integrity and Confidentiality)
Based on these principles, for each piece or type of personal data we hold, the Company is able to demonstrate on-demand (i.e. accountability):
- Why we are holding it;
- How we obtained it;
- The purpose/s we use it for;
- How long we will retain it;
- How secure it is in terms of its accessibility and data security; and
- On what basis we share it with any third parties.
Further points: In addition to the 6 core principles, the Company shall ensure that:
Training & Education
- There are sufficient levels of awareness of data protection in our organisation;
- Our staff are aware of their data protection responsibilities – including the need for confidentiality; and
- Data protection is included as part of the training programme for our staff and this training is regularly refreshed.
Coordination and Compliance
It has been determined that a DPO is not required, and we have appointed CEO Rose Kervick as Head of Privacy.
- All staff are aware of their role in data protection compliance.
- Mechanisms are in place for formal review by Head of Privacy within our organisation.
- We have an overall framework in place that demonstrates how we comply with GDPR.
- There is regular monitoring and auditing of our data protection framework for GDPR compliance.
2. Responsibilities and Reporting Lines
The Company has appointed Rose Kervick as Head of Privacy. Rose is responsible for compliance with GDPR and for all personal data processing and data security within the Company. Rose reports to the Board of Directors, which exercises oversight in this regard.
Consideration of whether the Company needs to appoint a Data Protection Officer (DPO): The GDPR specifies that a Data Protection Officer (DPO) must be appointed when:
2.1 the core activities of the Company consist of regular and systematic monitoring of data subjects on a ‘large’ scale; or
2.2 the Company processes special category data or data relating to criminal offences, again on a ‘large’ scale.
In view of these criteria and the Company’s activities, the Company has considered whether it is required to appoint a DPO and has decided not to appoint a DPO.
3. Data Processing
Handling of User Data
Based on our Data Map, the following are the main types of data, data subjects, types of data processing, and our status as Controller or Processor.
Personal data processed by this Company:
The Company processes Personal Data from Users who have created an account (i.e. Client or Coach) or subscribed to the newsletter.
Categories of Data Subjects
The Company holds personal data for the following categories of Data Subjects:
- Business Partners/Directors in the Company who are living natural persons
- Current Coaches and Clients who are living natural persons
- Former Coaches and Clients
- Newsletter subscribers
- Subcontractors of the Company
- Existing staff & former staff of the Company
- Job applicants to the Company
- Other ‘Contacts’ not already included in the above lists including complainants, enquirers etc.
Personal Data processing carried out by the Company
Data Obtained in the Provision of Services:
Creation of Client and Coach accounts – the Company obtains and processes Personal Data that has been provided by the User during the creation of an account on the Website.
Newsletter subscribers – the Company obtains and processes Personal Data that has been provided by Users interested in receiving a newsletter.
The GDPR stipulates that the Company must establish that it has a lawful basis for processing data. With your consent, the Company collects your Personal Data in order to efficiently operate and provide you with the Services we offer.
The Company considers that it has a legal obligation to hold Personal Data of employees and that the processing of employees’ Personal Data is necessary to fulfil the Company’s obligations under the employment contract of each employee. The Company holds only that Personal Data that is necessary to hold, and for the retention periods set out in its data retention policy. This is specified in the privacy statement in the Company’s employee handbook.
It is the policy of the Company to not process the Personal Data of children under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
The Company’s status as a Data Controller
The Company acknowledges that in accordance with GDPR and the guidance of the EU Article 29 Working Party, the Company is a Data Controller where the Company determines the purposes and means by which it processes Personal Data. The Company considers that it generally acts as a Data Controller.
The Company’s responsibilities when it acts as Data Controller
Where the Company acts as a Data Controller, it acknowledges that it is subject to the full scope of data protection obligations imposed by the GDPR. This includes (but is not limited to) the Company’s obligations to:
- provide privacy notices to all data subjects;
- respond to subject access requests from data subjects; and
- report data breaches to the [DPC / ICO].
As a Data Controller, it is the Company’s policy to ensure the information below is supplied to data subjects (including to our employees and job candidates) before their Personal Data is collected and processed by the Company:
- The Company’s name and contact details, and the name and contact details of the Data Protection Officer (where one has been appointed);
- The purpose(s) of the processing as well as the legal bases for processing;
- Where the legal basis for processing is based on the Company’s legitimate interests, those legitimate interests should be identified;
- The recipients or categories of recipients of Personal Data;
- Whether the Company intends to transfer Personal Data to any non-EEA country and the legal basis for the transfer;
- The retention period for Personal Data and the criteria used to determine this;
- How Data Subjects can exercise their rights of access, rectification, erasure, restriction of processing, objection to processing and data portability, where such rights apply;
- How Data Subjects can retract their consent to the processing, where the processing by the Company is based on consent;
- The right to submit a complaint to the relevant Data Protection Supervisory Authority (i.e. DPC or the ICO);
- Whether the Data Subject is required to provide their Personal Data pursuant to statute or a contract, and the consequences of failing to provide such data; and
- The existence of automated decision-making, including profiling, and the logic and consequences of the processing for the data subject.
4. The Rights of Data Subjects
The Data Subjects of the Company have the following rights:
- Right to be informed (see Privacy Statement under Section 5);
- Right of access (see below);
- Right to rectification (see below);
- Right to erasure (Right to be forgotten – see below);
- Right to restrict processing (see below);
- Right to object (see below);
- Right to data portability (see below); and
- Rights re: automated decision making and profiling.
Data Subject Access Requests (DSARs)
Data subjects have the right to make a DSAR. The DSAR may be for all Personal Data of that Data Subject held by the Company or a subset of the data. The Company must respond to the request within 1 month unless the Company can show that the request is manifestly unfounded or excessive, or where the request is sufficiently complex or one of a number of requests (in which case the response time may be extended to 3 months). The Company does not have the right to charge a fee for processing this request, again unless the Company can show that the request is manifestly unfounded or excessive.
Any DSAR received by the Company shall immediately be referred to Rose Kervick who is responsible for coordinating the Company’s response to any DSAR.
Where the Company receives a DSAR, the Company will first conduct due diligence to confirm the identity of the Data Subject. The Company will not comply with DSARs made by anyone other than the Data Subject him/herself.
Where the Company receives a DSAR, the Company will assess all data held on behalf of the individual, including data held on:
- The Company’s central data server;
- Laptops and personal computers in the Company;
- Stored emails and other electronic messaging systems; and
- Paper files.
Hard copies will be made of any documentation containing Personal Data of the Data Subject who made the DSAR.
All data relating to any individuals other than the maker of the request will be redacted. The Company will consider whether its legal and professional obligations require any data held by the Company to be kept confidential.
Records of all DSARs and response times shall be kept by the Company in a DSAR register.
Right of Erasure (Right to be Forgotten)
Data Subjects have the right to request the erasure of their Personal Data where the Company does not have a legitimate reason for retaining such data. Where the Company receives a request for erasure from a Data Subject, then the Company will assess all Personal Data held on the Data Subject, including data held on:
- The Company’s central data server;
- Laptops and personal computers in the Company;
- Stored emails and other electronic messaging systems; and
- Paper files.
All Personal Data deemed as not held for a legitimate purpose will be deleted/destroyed in line with the Company’s policy.
Right of Rectification
Data Subjects have the right to require that their Personal Data be up to date and accurate. Where the Company receives a request from a Data Subject, the Company will verify whether the Data Subject’s data is up to date and accurate, and if not will make requested corrections.
Right to Restrict Processing
Where a Data Subject is contesting the accuracy of his/her Personal Data held by the Company (see right to rectification above), or is objecting to processing (see right to object below), or where the processing is unlawful, the Data Subject has the right to restrict processing of his/her Personal Data.
The Company’s policy is to follow the same procedure as a request under the Right to Erasure. It will review all data held by the Company relating to the Data Subject and consider whether it holds any data in excess of that needed under its legitimate purpose. It will then restrict future processing of any “excess” data in accordance with the request of the Data Subject.
The Right to Object to Processing
Under this right, the Data Subject can object to the processing of his or her data. The Company’s policy is to follow the same procedure as a request under the Right to Erasure above. It will review all data held by the Company relating to the Data Subject and consider whether it holds/processes any data in excess of that needed under its legitimate purpose. It will cease any processing of any “excess” data in accordance with the request of the Data Subject.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their Personal Data for their own purposes across different services. This means they should be able to move, copy or transfer Personal Data easily from one IT environment to another, and from one service provider to another, in a safe and secure way. This is an extension of the access right, and Data Subjects have the right to receive their data in a structured and machine-readable form.
The right to data portability applies:
- to Personal Data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- the processing is carried out by automated means.
The Company considers that, because it does not generally process Personal Data by purely automated means, it does not hold data which would be subject to a data portability request.
In the event that the Company determines that it holds data relevant to a data portability request, it will review the Personal Data held. The Company will then determine the electronic format in which the data has been requested to be transferred, (e.g. the electronic file type). All data relating to any individuals other than the maker of the request will be redacted. The Company will then consider whether its legal and professional obligations require any data held by the Company to be kept confidential and transfer the data deemed not subject to these restrictions to the third party as requested by the individual.
5. Data Governance
The Company is required to be able to demonstrate compliance with each of its obligations under the GDPR. This requires that internal mechanisms and control systems are put in place to ensure compliance with the GDPR and that there is documentary evidence to prove this. This evidence may need to be produced to external stakeholders, including supervisory authorities (such as the Data Protection Commissioner (DPC) in the Republic of Ireland and the Information Commissioner’s Office (ICO) in the UK & Northern Ireland).
Examples of how the Company demonstrates GDPR compliance include its policies addressing Data Protection Impact Assessments, Privacy Notices, the application of Privacy by Design, and Data Retention.
Data Protection Impact Assessments (DPIAs)
DPIAs are requirements under the GDPR in relation to processing activities that are likely to result in high risks to the rights of data subjects. DPIAs may be required, particularly in relation to the roll-out of new technologies, such as significant new IT systems or new working practices.
It is the Company’s policy to conduct a DPIA to assess the risks that are inherent in any new proposed processing activities, which will, in turn, be designed to allow the Company to identify and mitigate the associated data protection risks, before we commence these new processing activities. In rollouts of new IT systems, for example, all DPIAs must be completed, with satisfactory results, before processing of live data is carried out.
It is the Company’s policy to not carry out any activities that would require mandatory DPIAs, such as systematic and extensive evaluation of individuals based on automated processing (profiling), large scale processing of special categories of data and personal data relating to criminal convictions and offences, or systematic monitoring of public areas on a large scale.
Where a DPIA is required, Rose Kervick shall be responsible for coordinating the DPIA within the Company. The DPIA shall include:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the Controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of Data Subjects;
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of Data Subjects and other persons concerned.
Where appropriate and practical, the Company will seek the views of Data Subjects or their representatives on the intended processing.
Privacy by Design
It is the Company’s policy to place the protection of privacy at the centre of all decision-making processes and at the start of any new service development or process development. The Company will consider both appropriate technological and organisational measures to ensure GDPR compliance in these circumstances.
If the Company is considering, for example, changes to working practices (e.g. homeworking), an office redesign or installing new technology, then means to protect the privacy of Data Subjects must be included in the decision making process and the rolling out of the change.
Transferring Data out of the European Economic Area (EEA)
It is the Company’s policy to not transfer any personal data outside the EEA for any purpose. This policy will be reviewed following the United Kingdom leaving the European Union.
Data must only be held for the purpose for which it was collected and only for ‘as long as necessary’.
The Company’s policy in relation to document retention for Personal Data
The Company has a policy of retaining all documentation in relation to Coach/Client accounts for seven years from the date the account was cancelled. Data is also held for former newsletter subscribers under this policy.
It is the Company’s policy to carry out an annual review of all the data it holds and on what grounds the data is held (by category). Following on from this review, decisions must be made whether the Company continues to need the data that it holds.
The Company’s policy for holding data of former employees (following the retention period noted above) is to only hold the employee name, address and email details to enable the Company to contact the former employee, for a specific purpose (e.g. changes to a pension scheme, employment opportunity) in the future.
6. Security Controls under GDPR
Appropriate Security Controls for Information
It is the Company’s policy to comply with its security obligations in relation to personal information by implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are present.
These measures include:
- Pseudonymisation of data where possible and practical.
- The GDPR distinguishes “anonymous” data (namely, data rendered anonymous in such a manner that the individual is not identifiable) from “pseudonymised” data, from which the identity of an individual has been removed but can be recovered (e.g. from a numerical identifier). For example, instead of naming particular data subjects in an audit, these could be numbered, with an associated spreadsheet held detailing the data subject names and matching numbers.
- Encryption of data – all data held on laptop computers and other handheld devices is encrypted.
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services – the Company has a business continuity plan in place should it be the subject of a fire, flood or other severe operational shocks.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident – this is also covered in the Company’s business continuity plan.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing – it is the Company’s policy to test this on a regular basis (i.e. at least once every 6 months).
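As an added illustration of the pseudonymisation approach described above (example code, not part of the Company’s policy or systems), the following Python replaces the direct identifiers in a constructed list of data subjects with subject numbers and keeps the number-to-identity mapping as a separate key table, the role the policy gives to the associated spreadsheet. The sample records, field names and the DS-nnnn numbering format are constructed for the example.

```python
import csv
import io

# Constructed sample records (not real people). Direct identifiers: name, email.
SUBJECTS = [
    {"name": "Alice Example", "email": "alice@example.org", "role": "Coach", "account_status": "active"},
    {"name": "Bob Sample", "email": "bob@example.org", "role": "Client", "account_status": "cancelled"},
    {"name": "Carol Test", "email": "carol@example.org", "role": "Client", "account_status": "active"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS):
    """Return (audit_rows, key_table).

    audit_rows: the records with direct identifiers replaced by a subject number,
                suitable for handing to an auditor.
    key_table:  subject number -> original identifiers. This is the 'associated
                spreadsheet': it must be stored and access-controlled separately,
                because anyone holding both can re-identify every subject.
    """
    audit_rows, key_table = [], {}
    for number, record in enumerate(records, start=1):
        subject_id = f"DS-{number:04d}"  # constructed numbering format
        key_table[subject_id] = {k: record[k] for k in identifiers}
        row = {k: v for k, v in record.items() if k not in identifiers}
        row["subject_id"] = subject_id
        audit_rows.append(row)
    return audit_rows, key_table


def reidentify(audit_rows, key_table):
    """Recover the original records. Only possible with the separately held key table."""
    return [
        {**key_table[row["subject_id"]], **{k: v for k, v in row.items() if k != "subject_id"}}
        for row in audit_rows
    ]


def leaks_identifiers(audit_rows, key_table):
    """Check before release: does any direct identifier value appear in the audit output?"""
    text = " ".join(str(v) for row in audit_rows for v in row.values()).lower()
    return any(str(v).lower() in text for ids in key_table.values() for v in ids.values())


def export_csv(audit_rows, key_table):
    """Serialise the two artefacts as separate CSV documents so they can be stored apart."""
    def rows_to_csv(rows):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()

    key_rows = [{"subject_id": sid, **ids} for sid, ids in key_table.items()]
    return rows_to_csv(audit_rows), rows_to_csv(key_rows)


if __name__ == "__main__":
    audit, key = pseudonymise(SUBJECTS)
    assert not leaks_identifiers(audit, key), "identifier leaked into audit output"
    audit_csv, key_csv = export_csv(audit, key)
    print("Audit copy (safe to share with the auditor):\n" + audit_csv)
    print("Key table (held separately by the Head of Privacy):\n" + key_csv)
```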
Under GDPR, all organisations must have a security policy, with the following topics included in our Company’s policy:
- Security Objectives and Scope;
- Management Intent;
- Security Principles, Standards and Compliance requirements at the Company;
- Roles and Responsibilities for Security Management;
- Asset Control;
- Remote Access;
- Data Backup;
- CCTV (where in place); and
- Overview of the Technical, Administration and Physical Safeguards in place.
A detailed list of examples of practical technical security measures to aid GDPR compliance at our Company includes:
- ensuring that IT security is properly managed and overseen by an appropriate person in the Company with adequate support from IT professionals;
- employing adequate access control, including identity and access management;
- putting Intrusion Detection/Prevention and Data Loss Prevention systems in place;
- undertaking appropriate IT education for staff, including demonstration examples of unauthorised data access and malware;
- requiring employees and other users to change passwords on a regular basis;
- ensuring that all computing devices such as PCs, mobile phones and tablets are using an up-to-date operating system;
- ensuring all computing devices are regularly updated with the manufacturer’s software and security patches;
- using antivirus software on all devices;
- implementing a strong firewall;
- reviewing vendor-supplied software and updating default system, administrator and root passwords and other security parameters to ensure defaults are not left in place;
- ensuring data backups are taken and are stored securely in a separate location;
- ensuring data backups are periodically reviewed and tested to ensure they are functioning correctly;
- ensuring that data is collected and stored securely;
- ensuring that mobile devices (such as laptops, mobile phones and tablets) are encrypted;
- ensuring that two-factor authentication is enabled for remote access; and
- ensuring that websites have TLS (transport layer security) in place to securely collect personal data via web forms (such as for newsletter subscriptions) or on e-commerce websites.
Detailed examples of practical physical security measures employed at our Company include:
- keeping offices and storage units locked;
- keeping server rooms or cabinets locked;
- cabling desktop machines and laptops to desks;
- implementing clean desk policies;
- ensuring that fire and burglar alarms are in place and that they are functioning correctly;
- ensuring that ICT equipment such as hard drives and old laptops, computers and mobile devices are securely disposed of at end of life; and
- having specific and adequate insurance to cover the costs of any data breaches or cybercrime.
Review of these policies, including cybersecurity policies and procedure, on a regular basis, is advised to ensure that they are up to date and effective.
7. Data Breaches
Definition of Data Breach
The GDPR defines a “personal data breach” as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Any suspected breach of Personal Data held by the Company must be immediately reported to Rose Kervick who shall be responsible for coordinating the Company’s response to the breach and any required communications with the DPC / ICO and data subjects.
All data breaches will be fully documented, as to the source of the breach, its nature, extent and the remedial action taken. As a Controller of Data, the Company will comply with its obligation to notify data breaches to the [DPC / ICO] not later than 72 hours after having become aware of the breach.
The following are the contents of a breach notification under the GDPR, to be used by the Company:
- Who – categories of data subjects affected
- How many – the approximate number of data subjects and data records impacted
- What types – the categories of data records involved
- Contact – Rose Kervick, Head of Privacy at Upskill Coach
- Consequences – description of the likely consequences of this breach
- Follow up – all measures taken or to be taken in relation to mitigating the breach
Informing Data Subjects of Data Breaches
As a Controller, we will inform the impacted Data Subjects if there is a high risk that they will be adversely affected by the breach. This will be done as soon as feasible and without undue delay.