PURPOSE.
This data protection policy ensures that SDG Assessment Limited (“SDGA”):
- Complies with data protection legislation including the General Data Protection Regulation (GDPR).
- Protects the rights of staff, customers and partners.
- Is open about how it stores and processes Personal Data.
- Protects itself from the risks of a data breach.
- Follows International Standards and best practice guidance regarding Data Protection and Information Security.
This Policy provides information all SDGA employees should know regarding SDGA’s Data Protection and privacy practices. This Policy covers the security requirements and controls for managing all Personal Data, also known as Personal Information or Personally Identifiable Information, which is collected, processed or stored by SDGA.
This policy applies to SDGA Personal Data, External Personal Data and Customer Personal Data.
NOTE: For details of what data constitutes Personal Data see Appendix A for examples. Some Personal Data is considered very sensitive; see Appendix B for details.
DATA PROTECTION LAW.
The General Data Protection Regulation 2016 (GDPR) describes how organisations, including SDGA, must collect, handle and store Personal Data. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the GDPR, Personal Data must be collected, processed and used fairly, stored safely and not disclosed unlawfully. The GDPR requires that Personal Data be processed according to the following six data protection principles:
- Processed lawfully, fairly and transparently.
- Collected only for specified, legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only for as long as is necessary.
- Processed in a manner that ensures appropriate security, integrity and confidentiality.
SCOPE.
This policy applies to all Personal Data that SDGA collects, holds and processes relating to identifiable individuals including:
- Names
- Postal Addresses
- Email Addresses
- Any additional information referenced in Appendix A of this Policy
This policy applies to all of SDGA’s legal entities and operations and must be complied with by the Personnel working for SDGA at all levels and grades, including Senior Managers, Directors and employees (whether permanent, fixed-term or temporary) wherever they are located.
It is the responsibility of all SDGA Personnel to have knowledge of all relevant SDGA information security and privacy policies and processes, including any updates made to the Information Security Management System (ISMS). Additionally, all consultants and suppliers must comply with this policy if they act on behalf of the company or collaborate with SDGA and have access to Personal Data.
POLICY RATIONALE.
SDGA collects, processes and stores Personal Data as a Data Controller in its internal human resources, finance, marketing, sales and operational functions. SDGA also processes and stores Personal Data provided by our customers as a Data Processor.
This Policy explains that SDGA will Process the Personal Data of Personnel, customers, suppliers and other interested parties with the utmost care and confidentiality. SDGA achieves this by complying with its Privacy Principles to collect, store and handle data fairly, transparently and with respect for individual rights.
DATA PROTECTION RISKS.
This policy helps to protect SDGA from some very real data security risks, including:
- Breaches of confidentiality: For instance, information being given out inappropriately.
- Failing to offer choice: All individuals should be free to choose how SDGA uses their Personal Data.
- Reputational damage: For instance, the company could suffer if hackers successfully gained access to sensitive data.
PRIVACY PRINCIPLES.
When collecting Personal Data SDGA will:
- Collect it fairly and for lawful purposes only;
- Apply privacy by design and default and data minimisation principles when designing the Processing;
- Undertake Data Protection Impact Assessments as required;
- Notify Data Subjects of the Purpose of the Processing, providing all required information by way of a Privacy Notice or similar notification, in particular for cross-border Processing; and
- Where Consent is required for the Processing, obtain and record the granting of Consent.
Once SDGA holds the Personal Data, it will ensure that:
- It remains accurate and is kept up to date;
- It is processed lawfully and only for the Purposes for which it was collected;
- If the Personal Data is to be used for a new Purpose, the new Processing is legitimate;
- It is protected against unauthorised or unlawful access by internal or external parties;
- It is stored only for as long as is necessary and is then deleted securely;
- It is not disclosed to any Third Party unless such disclosure is authorised, is only for a purpose for which the data was collected, and appropriate security and organisational measures are in place, including a Data Processing Agreement;
- All cross-border transfers or Processing of Personal Data are carried out in accordance with applicable law;
- Legitimate requests from law enforcement or regulatory officials for disclosure of Personal Data are complied with; and
- Procedures are in place to handle Data Breaches in conformity with applicable law and to minimise the effect of any incident on Data Subjects.
SDGA recognises that Data Subjects have rights and will ensure that Data Subjects can:
- Access their Personal Data and obtain copies of the Personal Data SDGA holds;
- Request the amendment or deletion of their Personal Data;
- Request restrictions on the Processing of their Personal Data, or object to any or all Processing; and
- Have complaints considered and responded to through a comprehensive complaints process.
SDGA will respond to these rights subject to applicable legislation, which may allow SDGA to refuse a request in whole or in part.
SDGA is committed to protecting Personal Data by:
- Publishing a Privacy Statement on SDGA’s external customer-facing websites as required;
- Developing robust Policy and processes to ensure compliance with applicable law;
- Training employees in privacy and security measures so that they understand their responsibilities when handling Personal Data;
- Incorporating Privacy by Design into our Products, providing the functionality that enables users to meet their own Data Protection requirements;
- Incorporating Privacy by Design into our internal processes and procedures when handling Enterprise Personal Data and Personal Data processed on behalf of our customers;
- Deploying appropriate security to secure networks and to protect data from cyber-attacks;
- Establishing clear procedures for reporting privacy breaches or data misuse;
- Including appropriate contractual provisions in contracts with customers and suppliers covering the Processing of Personal Data;
- Regularly reviewing the Personal Data held, updating it if it is found to be out of date, and securely deleting and disposing of data that is no longer required; and
- Appointing a senior manager to the role of Data Protection Officer (DPO) to manage and develop SDGA’s Data Protection and privacy practices.
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- Employees should keep all data secure, by taking sensible precautions and following SDGA Data Protection Policies and using pre-defined procedures.
- Strong passwords must be used, and they should never be shared.
- Personal Data should not be disclosed to unauthorised people, either within the company or externally.
- Employees should request help from their line manager or the DPO if they are unsure about any aspect of data protection.
Receiving Personal Data from Customers
As part of providing its Managed Services, SDGA receives data from customers that needs to be processed. Customers may intend that this data contains Personal Data, or Personal Data may be included incidentally.
SDGA’s position is that it will only receive and Process Personal Data for the purposes of providing sustainability assurance, carbon footprint measurement and sustainable development goal assessment, and only where this is provided for in the customer’s contract together with an appropriate Data Processing Agreement.
In the event the contract does not provide for Processing of Personal Data the procedure set out in the Privacy Guidance must be followed.
Human Resources
The SDGA Privacy Principles particularly apply to the collection and processing of Personal Data by the Human Resources (HR) department.
DATA STORAGE.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the CTO or DPO.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see or access it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them, for example on a printer or on their desk.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (USB, CD or DVD) these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
- Data stored electronically should only be retained for as long as it is necessary as per SDGA’s Data Retention and Destruction Policy.
DATA ACCURACY.
The GDPR requires SDGA to take reasonable steps to ensure data is kept accurate and up to date. Data, especially Personal Data, must be accurate. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in as few locations as necessary. Staff should not create any unnecessary additional data sets or storage locations.
Staff should take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call or contact us via email or social media.
SDGA will make it easy for Data Subjects to update the information held about them by submitting a Data Subject Access Request or a request for amendment of their Personal Data.
Data should be updated as inaccuracies are discovered. For example, if a customer’s contact details change we will need to update any systems that contain this information.
DATA SUBJECT ACCESS REQUESTS.
All individuals who are the subject of Personal Data held by SDGA are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
SDGA has a dedicated procedure for the management of any Data Subject Access Requests, which must be followed at all times.
DISCLOSING DATA FOR OTHER REASONS.
In certain circumstances, the GDPR allows Personal Data to be disclosed to law enforcement agencies without the consent of the Data Subject. In these circumstances SDGA will disclose the requested data. However, the Data Protection Officer will first verify that the request is legitimate, seeking assistance from the CTO and SDGA’s Legal Counsel where necessary.
SDGA has a procedure for the management of Official Data Access Requests, which must be followed at all times.
PROVIDING INFORMATION.
SDGA aims to ensure that individuals are aware that their data is being processed, and that they understand how their data is being used and how to exercise their rights.
SDGA has a privacy statement setting out how data relating to individuals is used by the company. A version of this statement is available on SDGA’s website.
GUIDANCE AND PROCESSES.
This Policy sets out SDGA’s high-level data protection aims.
To implement these aims, the following detailed guidance and Processes have been produced:
- Privacy by Design and Default
- Data Privacy Impact Assessments
- Official Access Request for Personal Data Procedure
- Non-Official Access Request for Personal Data Procedure
- Request for Amendment, Blocking, Correction or Deletion of Personal Data Procedure
- Privacy Complaints Procedure
- Request for transfer of Personal Data to another Controller under GDPR Procedure
- Process to Deal with Unexpected Personal Data
- Procedure to undertake Privacy Audits
- Personal Data Breach Incident Response Procedure
AUDITING.
This Policy is audited annually. The Senior Executive Team is responsible for addressing non-conformances with this Policy. Enforcement of the Policy is achieved via organisational, departmental or product-specific security profiles. Audit findings related to Policy enforcement are recorded, and corrective actions are to be resolved by the DPO.
VIOLATION AND ENFORCEMENT.
Disclosure of Personal Data without authority is a serious breach of SDGA’s duty to maintain the security of Personal Data. To ensure continuous improvement of SDGA’s Information Security Management System (ISMS), all violations of this Policy must be reported to the CTO as a Security Incident. This should be done as soon as the non-conformance is identified, either by email to CTO@SDG-Assessment.com or by raising an Information Security Incident in the internal SDGA Service Desk system.
Violations of this Policy may result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with SDGA’s disciplinary procedures, up to and including termination. SDGA may need to advise law enforcement where a criminal offence may have been committed.
ROLES AND RESPONSIBILITIES.
The purpose of this matrix is to define the roles and responsibilities of all parties within SDGA’s Data Protection processes.
The goals of the roles and responsibilities matrix are to:
- Define roles and responsibilities of stakeholders.
- Improve overall stakeholder communication.
- Proactively identify gaps in assignments, accountability, or resources.
- Clarify cross-functional interactions between stakeholders.
Role | Requirements | Design | Implement | Communication | Training
Data Protection Officer | R | A | A | A | A
CTO | A | C | C | C | C
Senior Executive Team | C | C | C | C | C
Managers | I | I | I | I | R
SDGA Staff Members | C | C | C | C | I
Key:
R – Responsible for completion of task. (Task can be delegated to this person.)
A – Accountable for successful completion of task.
C – Requires communication about the task.
I – Informed about and supports the task.
Title | Responsibilities
Senior Executive Team (Board) |
CTO |
Data Protection Officer (DPO) |
Managers |
SDGA Staff Members |
Data Protection Officer (DPO)
European Data Protection law, the General Data Protection Regulation (2016), requires organisations to appoint a Data Protection Officer in any case where the core activities of the controller or the processor consist of processing operations which:
- by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
SDGA has assessed the need for a DPO and has concluded that the CTO will be able to fulfil this responsibility alongside their current role. The SDGA Senior Executive Team will assign this role to a senior individual and delegate to them the responsibility for ensuring that SDGA complies with this Policy and all applicable data protection legislation.
APPENDIX A: Items SDGA collects that are typically considered to be Personal Data
- Name
- Telephone numbers (personal and business)
- E-mail address (personal and business)
- Usernames and passwords
- Personal interests derived from tracking use of internet web sites (cookies)
- Product and service preferences
APPENDIX B: Items SDGA does not collect that are typically considered to be Special or Sensitive Personal Data
Countries may categorise some classes of data as having more sensitivity than other classes of Personal Data.
It varies from country to country but the common classes of data are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health or sex life
- Criminal convictions