Data processing policy
Any data processors we use must first be vetted by the DPO. The list of currently approved data processors can be found here.
All data processors that we use are subject to periodic review by the DPO.
The DPO must be kept informed, at all times, of every processor in use and of which of that processor's systems we use.
If you stop using a particular processor, securely delete all information stored with that processor and inform the DPO. Do not transfer the data elsewhere without obtaining approval from the DPO.
Unless expressly permitted by the DPO, only use data processors who can guarantee that the personal data we collect will be stored and processed solely in the UK or EU. This policy is in place because personal data relating to UK and EU residents must either be processed within the respective privacy jurisdiction or be transferred, without additional appropriate safeguards, only to a country, territory, or international organization covered by adequacy regulations. For any personal data that the Company is likely to process, the UK and the EU each regard the other as covered by adequacy regulations, and therefore we may transfer personal data between the two.
As we are not aware of any similar data transfer restrictions in the other countries or territories where we are likely to operate for the foreseeable future, processing the personal data of residents of those countries or territories in either the UK or the EU should satisfy their requirements. If you become aware of a country or territory where we advertise or sell products whose data regulations contradict this policy, inform the DPO.
In some cases, chiefly for performance or cost reasons, we may choose to process personal data in the same jurisdiction as the customer (or at least geographically closer to the customer than either the EU or the UK), but as this will increase costs and complexity, we should only do this when it is justified.
Only store and process personal data in systems designed for that purpose, e.g., a third-party CRM. Do not use, even temporarily, text editors, note-taking applications, git repositories, spreadsheets, etc. If you are asked to record or collect personal data and do not have access to the specific system in which that data is meant to be recorded, defer the request until such time as you do have access. This policy applies irrespective of whether the system is owned by an approved data processor. For example, we may use Google as a data processor (e.g., to store personal data in a Google-hosted cloud database), but that does not mean you should use Google Docs to store personal data that we've collected. Upon request and if provided with a compelling business reason, the DPO may allow exceptions to this rule, but only as a temporary measure: at the DPO's discretion, either the data should be processed and then promptly (and securely) removed from the unfit-for-purpose system, or it should be stored there only until a proper, fit-for-purpose system can be found.
Never access a system we are using for processing personal data from a non-Company device, e.g., a device you personally own. You may only use Company-owned devices to access such systems. Note that this is an exception to the Company's general guideline that members may use their own personal devices for Company-related work, due to the extremely sensitive nature of personal data.
Never knowingly access a system we are using for processing personal data from an insecure network, e.g., public WiFi. If in doubt about whether a particular network is considered secure, contact the DPO and the information security team.
Do not make backups of personal data. This is the responsibility of our processors, and the availability, resiliency, and frequency of backups should be a major component of vetting a given processor for suitability.
Do not "cross the streams." Personal data stored with one processor's system must remain in that system unless the DPO has given explicit permission to copy it to another processor's system. If you wish to do so, present a business case for this activity to the DPO.
All personal data must be stored encrypted at rest. The data processor's data processing agreement (DPA) should explicitly state that personal data is encrypted at rest in their system. Exceptions can be made only where there is a very strong business case, and only with the express approval of the DPO.
Any data processor we use must limit access to personal data to those of its employees who need access in order to support our needs or otherwise fulfil the processor's contract with us. Preferably, the data should be encrypted end-to-end, i.e., encrypted on our side with keys the processor does not hold, so that the data processor has no ability to see the plaintext personal data in the first place.
Only the DPO or the Director is authorized to sign data processing agreements with third parties. Similarly, the DPO must be informed whenever a third party we work with offers or requires such an agreement.
The DPO must have a login/account in every third-party system in which we process personal data. The DPO's account must have full admin privileges, unless otherwise agreed with the DPO. Prefer a dedicated account for the DPO where the system supports one; sharing a password or account is acceptable so long as it is within the terms of service of the system being used to process the data, bearing in mind that actions taken from a shared account cannot be attributed to an individual in that system's audit logs.
At this time, as the Company has neither the staff nor the expertise to securely store personal data, personal data may only be stored and/or processed by an approved third-party data processor, and never on our own systems, devices, or databases. In other words, until further notice, the Company must not itself store or process any personal data; all processing must be carried out by approved third-party processors on our behalf. This means you may not store personal data (other than your own, of course) on any of your Company-owned devices.
In some cases, if explicitly approved by the DPO, you may temporarily store personal data on a Company-owned device, so long as it is promptly and securely removed, or promptly and securely moved to an approved third-party data processor. For example, a member of the Company who is doing UX testing may, with the express permission of the DPO, record the video from the session on their Company-owned laptop, but may only keep it there long enough to analyze the recording. Upon completing the analysis, the member must securely delete the recording, after first (if the recording needs to be retained) securely copying the video to encrypted storage managed by an approved third-party data processor.
The above exception is permitted only if the member's Company-owned device is encrypted. All Company-owned devices must be encrypted according to the Company's information security policy, so this should not be a problem in practice.