Purpose

This document has been produced to outline the intended use of customer data and our privacy policy surrounding data protection.

Introduction

Swype is certified to ISO 27001 Security Management System through a UKAS approved Certification body. As part of the day-to-day operations of Swype, there are times when we need to access information that can be classed as “key identifiers”, which enable us to perform the requirements of a contract. This policy provides an overview of how customers’ data is used, stored and disposed of.

Why this policy exists:

This data protection policy ensures Swype:

  • Complies with the General Data Protection Regulations and follows good practice
  • Protects the rights of data subjects
  • Outlines how data is stored and processed
  • Protects Swype from risk of data breach

Data Protection Law:

The Data Protection enforced 25th May 2018 supersedes the UK Data Protection Act 1998. This describes how the organisation, Swype, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.

The Data Protection Act is underpinned by eight important principles.

  1. Data must be processed fairly and lawfully
  2. Data must be obtained only for specific use
  3. Be relevant and not excessive
  4. Be accurate and continually monitored
  5. Data cleansed and not held for any longer than necessary
  6. Data must be processed in accordance with the rights of data subjects
  7. Be well protected
  8. Not to be transferred, unless otherwise instructed.

All transfers must include a high level of protection.

People, Risk and Responsibilities

This policy applies to:

  • Office of Swype – St Helens Worsley Brow, Sutton, St Helens, WA9 3EZ
  • All staff and agency staff at Swype
  • All suppliers and customers of Swype products

This applies to all data held by the company regarding the identity of individuals, even if that information has been submitted on behalf of another individual. Information as follows:

  • Names of individuals
  • Full postal addresses
  • Email addresses
  • Telephone numbers
  • Artwork submitted including photographs and personal data

Risks:

This policy has been put in place to protect Swype from data breach and reinforce their strict security policy.

  • Breach of confidentiality – Information being given out inappropriately, without consent and for unlawful use.
  • Failing to offer opt out – Customers must be informed of their data rights within Swype policy and offered the option to opt out of future communication.
  • Reputational damage – Swype must have security in place to prevent hackers from successfully gaining access to sensitive data.

Responsibilities

Those responsible for handling data within Swype must ensure all data is kept within the company and used as specified, for the purpose of providing the customer with their product and service.

Should the customer wish to receive more information, all staff must request consent for further communication.

People of responsibility:

  • The director is responsible for ensuring that Swype and their subdivisions meet their legal obligations.
  • The Data Protection Officer is responsible for:
    • Keeping the board updated about data protection responsibilities, risks and issues
    • Reviewing all data protection procedures with an agreed schedule
    • Arranging GDPR training for the individuals covered by this policy
    • Dealing with requests from individuals to see the data Swype holds about them
    • Checking and approving any contracts or agreements with third parties (our resellers)
  • Our IT and System Provider is responsible for:
    • Ensuring Swype systems, services and software used for storing data meet acceptable security standards
    • Performing regular (scheduled) checks to ensure security hardware and software are functioning properly
  • Business Development and Marketing are responsible for:
    • Approving any data protection statements attached to communications such as emails and letters
    • Addressing any data queries from magazines or media outlets
    • Where necessary, working with other staff to ensure marketing initiatives abide by the GDPR act of 25th May 2018

General Staff Guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data will not be shared informally. Strict access is in place.
  • Swype will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees will keep all data secure, by taking sensible precautions according to our ISO 27001.
  • Security must be at the highest level when dealing with all personal data.
  • Data will be regularly reviewed and updated.
  • Employees will request help from the data protection officer if they are unsure about any aspect of data protection.

Data Receipt and Storage

Here we explain how and where data should be safely stored.

Data should preferably not be sent via email, but by secure methods such as FTP2, encrypted etc. Alternatively, any new data must be checked by account managers for accuracy and must also be submitted via a secure method, either including password protection or encrypted files. Incorrectly set data will be erased and customers notified to resend correctly.

Unnecessary data should NOT be submitted, only data required to carry out current orders.

Any printed data must be used to perform work related tasks and destroyed securely once orders have been completed.

  • Paper files will be kept in a locked drawer or filing cabinet.
  • Employees will make sure paper and printouts are not left where unauthorised people could see them.
  • Data printouts will be shredded and disposed of securely.
  • Electronically stored data must be protected from unauthorised access, accidental deletion or misuse.
  • Electronic data must be reviewed after a set amount of time; please refer to our ‘Timescale Policy’.
  • All servers and computers containing data will be protected by approved security software and a firewall.
  • Data will be backed up frequently.
  • Data will not be saved directly to personal laptops or smart devices such as personal mobiles and tablets.
  • Data will be stored on designated drives and servers.
  • Servers containing personal data will be sited in a secure location, away from general office space.
  • Removal of data is organised upon request.

On any occasion where Swype works as a sub processor, all the above rules will be applied.

Data Use

Personal data is of no use to Swype unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • Employees will ensure their computer screens are locked when left unattended.
  • Personal data should NOT be shared informally. For example, being sent via email or another unsecure method.
  • Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
  • Employees will not save copies of personal data to their own computers.

Bureau Data

Swype’s bureau service gives clients the opportunity to purchase stock cards, ready to order when necessary. Data is submitted for each order in a secure manner, by fax or email, as specified by each client. Removal of data from clients’ accounts can be organised on request. Alternatively, bureau clients’ data is stored securely, as previously acknowledged within their contract, prior to their initial order.

Data Accuracy

The law requires Swype to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to ensure all their individual work data is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary.
  • Staff will not create any additional data sets.
  • Staff must confirm customers’ details are accurate on a regular basis.
  • Inaccuracies must be flagged up and amended with immediate effect.
  • It is the Marketing Executive’s responsibility to ensure marketing databases are checked.
  • Marketing must not send unrelated marketing literature and must request permission for future contact.
  • Any outgoing marketing mail must be approved by the recipient or include an opt-out option.

Subject Access Request

All individuals who are the subject of personal data held by Swype are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to access their data.
  • Be given the opportunity to keep their data up to date.
  • Remain informed as to how the company is meeting its data protection obligations.

Subject Access Request – the right, given to any individual whose personal information Swype holds.
Subject access requests from individuals should be made by email, addressed to their account manager. The data controller can supply a standard request form, although individuals do not have to use this.
The data controller will always verify the identity of anyone making a subject access request before handing over information.

Prospecting

Swype will only target individuals based on legitimate interest. They will ask for consent to contact the individuals further and will provide the option to unsubscribe at all times. Anyone who opts out of our marketing emails will be removed instantly and their data erased.

Providing Information

Swype aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How data is being used
  • How to exercise their rights to access their data
  • How we manage data
  • The duration of time our data is held (unless otherwise specified), available within the ‘Timescale Policy’

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
