GDPR

What's GDPR?

On 25th May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK. It is a new set of rules governing the privacy and security of personal data laid down by the European Commission. The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.

What's the point of this?

GDPR seeks to give individuals more control over how organisations use their data, and it will introduce hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.

Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or inaccurate personal data.

It is not affected by Brexit as it will be adopted into UK Law.

How does it affect my business or organisation?

The GDPR identifies two key roles: 'Data Controllers' and 'Data Processors'.

A 'Data Controller' is a person who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is to be processed. They analyse the data they collect from individuals and assess whether the information is strictly necessary to carry out their activities. Any information that does not fall into this category must be securely deleted. They respond to requests from individuals for the information held about them and remove that information on request. In most cases, your business or organisation will be a Data Controller.

A 'Data Processor' means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. KSC Group Limited (MarketMagnet UK) acts as a Data Controller. Please read our ‘Data Controller’ section below to learn more about our approach to this responsibility. We also act as a Data Processor, as we process personal data that you have collected whilst creating or updating your sites. Find out more about our role as a Data Processor below. Where MarketMagnet UK uses a third-party service (including hosting your website), that third party also becomes your Data Processor.

What should I do as a Data Controller?

Basic website compliance: We recommend that all websites have the following as a minimum. The ICO has indicated that it is less likely to take punitive action against businesses that have demonstrated a significant effort towards compliance.

  • Update of terms and conditions and privacy policy including outlines of cookies used on the site and their purpose
  • Identify and detail any form of tracking used on your site and how it affects a user's right to privacy
  • Ensure all forms and ideally the entire site where possible is run over https
  • Update of Google Analytics code to make it GDPR compliant
  • Addition of new page detailing your approach to GDPR which will outline
    • What data you collect through the site
    • Why you collect it
    • What you do with it
    • How it is stored in a GDPR-compliant web host (if using our hosting services)
    • How you would respond in the event of any data breach
    • How people can request a copy of any data stored and how you will respond
    • How people can request for their data to be destroyed and how you will be responding
  • Modification of existing forms to ensure that they are GDPR compliant

We can carry out all the compliance work specified above.

Mailing list compliance: If you keep mailing lists and send out mailshots, then under the new regulations you need to be able to show actual proof of how a person was added to your mailing list and when it happened. If you are unable to do this, you have to contact everyone on the list to whom this applies and request explicit permission for them to remain on the mailing list. Without that permission, you must not contact them after GDPR comes into effect.

Our Mailing List Compliance Service

We can offer a mailing list cleaning service for you where we will contact people on your list and manage the responses and update the list. Please read our ‘Mailing List Compliance Service’ to learn more.

What happens if I do nothing?

The fines for non-compliance can be potentially severe. Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:

  • The nature, gravity and duration of the infringement (e.g. how many people were affected and how much damage was suffered by them)
  • Whether the infringement was intentional or negligent
  • Whether the controller or processor took any steps to mitigate the damage
  • Technical and organizational measures that had been implemented by the controller or processor
  • Prior infringements by the controller or processor
  • The degree of cooperation with the regulator
  • The types of personal data involved
  • The way the regulator found out about the infringement

Regulators have the authority to fine up to 4% of annual turnover for breaches. There is also a reputation issue for having data management issues made public.


MarketMagnet UK as a Data Controller

We take our responsibilities to client data extremely seriously, and we have detailed them below in a full review of our systems effective as of 11/04/2018.

What information do we store and why do we store it?

We process client data on a number of platforms outlined below.
We never sell or give away data to third party companies, unless authorised to do so.


Client Accounts
We store essential account information only to allow us to maintain contact with you.
This includes business name, first name, surname, postal address, email, landline and mobile.
This information is only kept as long as required and once a client no longer holds any services or dealings with us, it is removed.
We also store the date your account was opened and your order/invoice history.
We do not store any payment information.
All passwords are fully encrypted.
Information is accessed by authorised personnel only and, in some instances, access is restricted to an office IP address.
This information is stored with and processed by our hosting partners as our Data Processor.
Client information is shared only among our Service Providers, Contractors and/or Partners, and only as relevant to the services a client requires.

Support Tickets
All support tickets are kept and stored. These are hosted securely by Teamwork.com in Ireland. Support tickets only contain your name and email address and email text. We don't store passwords or other secure information within tickets. We keep old tickets to allow us to look back at any previous issues you may have had and how they were resolved.

Client Websites and supplied data
All data supplied for client websites is stored in a secure office file system which is only accessible via its own IP address.
Once a client website is complete, we delete all supplied files and images that contain personal or identifiable information.
All client websites that are hosted with us are stored and processed by the hosting company.

Payments
We process online payments through Lloyds Business Banking.
All payments are entered directly via the Lloyds Bank PLC website. Read their privacy policy here.

We use Zoho Books by Zoho Corporation to process our company invoicing.
We use two-factor authentication to authorise access.
You can read how they manage their data and their approach to GDPR here.

Any payments processed via PayPal are entered directly on the PayPal servers, which are PCI compliant.

We do not store card details; any card details provided in writing are securely shredded.

Direct Debits
We process client Direct Debits via Lloyds Bank PLC.

Company Emails
We use G-Suite by Google to process our company emails.
Any emails containing passwords or other secure information are deleted.
You can read how G-Suite manage their data and their approach to GDPR here.

Zendesk Live Chat
We use the live chat service provided by Zendesk (Zendesk Group) to provide customer support and to handle sales enquiries on our website.
They store transcripts of chats on their system which are also emailed to us to keep for reference. We remove any sensitive information from chat transcripts before archiving them. The archives are kept for reference for any future discussion.
You can read how they manage their data and their approach to GDPR here.

Phone Calls
We use Everreach (Voxygen Limited) to process our phone calls.
All call logs are recorded, stored and processed within their network. No calls are recorded, except those via voicemail.

We delete voicemails in which secure details have been given.
You can read how they manage their data and their approach to GDPR as soon as they make their statement available.

Miscellaneous
We use the project management board ‘Trello’ to store client contact details for on-boarding, project progress and future reference. No client passwords or other secure information are held.
We use two-factor authentication to authorise access.
You can read how they manage their data and their approach to GDPR here.

We use Dropbox to store our client proposals and related documentation. No client passwords or other secure information are held.
We use two-factor authentication to authorise access.
You can read how they manage their data and their approach to GDPR here.


Cookies and Visitor Tracking

A cookie is a small text file which is placed on your computer by your browser.

Temporary Cookies
We use temporary session cookies to manage your movement between pages and to handle the session of your visit. These are essential for the site to function correctly.
They have a maximum lifetime of 100 minutes and are removed once expired.
They contain no identifiable information and do not track your activities on other sites.

Analytical Cookies - Google Analytics
We use analytical cookies from Google Analytics to identify which pages are being used. These usually have names such as UTMA, UTMB, UTMC and UTMZ.
This helps us analyse data about web page traffic and general visitor behaviour on our website in order to tailor it to customer needs.
We only use this information for statistical analysis purposes, and it does not contain any personally identifiable information. We ensure this by using the Google Analytics anonymizeIp setting, so that a visitor's IP address cannot be matched with analytical data.

Analytical Cookies - Zendesk
Zendesk is our live chat software detailed above. Please read their cookie policy.


How to request a copy of your data/data removal

We believe in complete transparency in line with the purpose of the GDPR and will endeavour to meet the following targets:

  • Respond to a request for an individual's data within 12 working hours and supply the data, where possible, within three weeks
  • Respond to a request for data to be removed within 12 working hours and complete the deletion, subsequent to appropriate checks, within three weeks, with completion documentation to prove this
To make a data request, please contact us by email.


Our response policy in the event of a data breach

We endeavour to keep the sites we design as secure as possible by keeping all plugins and components up to date on our client sites.
We also apply security updates as they are released.
We also ensure that passwords are as secure as possible, using a combination of upper and lower case letters and special characters.
We also, through our hosting partners, ensure each client site is kept in a virtual cage, completely isolated from any other site. Therefore, in the event of a data breach, the people involved will not be able to access anything beyond the site in question.

Data breach within a single client site
In the event of a client reporting a data breach on their site, we will change all passwords relevant to that account and restore the site from a clean backup where possible (assuming we have been notified in time to use a backup). If the client has registered users on their site, we would recommend that all passwords are reset and that they contact their own clients to advise them of a data breach under their GDPR responsibilities.

Data breach within our own internal systems
The immediate priority is to identify and isolate the breach by locking down all systems and resetting all system passwords.
We would then reset all client passwords and check the logs to see whether any client sites have been accessed as a result of the breach.
We would notify all clients of the breach, explaining what had happened and what steps we had taken to prevent future occurrence.

If we detected that any client sites had been accessed as a result of the breach, then we would notify them and if the client has registered users on their site, we would recommend that all passwords are reset and that they contact their own clients to advise them of a data breach under their GDPR responsibilities.
In the event that client websites had been accessed as a result of the breach of our system, we would then report the breach to the relevant authorities within 72 hours as per the GDPR requirements.


MarketMagnet UK as a Data Processor

Choice of who we use as sub-processors
We can only appoint sub-processors (e.g. for our server management or to outsource data backups) that have demonstrated full GDPR compliance.

Restrictions on Sub-Contracting
Under the terms of the GDPR, we cannot sub-contract any part of our service without the consent of the Data Controllers who are using our service(s). The contractual obligations placed on any sub-contracted processors must reflect the same contractual obligations that exist between ourselves as processors and the controllers.

Data Processing Agreement
We can only process personal data on behalf of the controller where a contract is in place between us that outlines the service provided and the terms on us as your Data Processor. We have to ensure that we are only acting on the documented instructions of the controller.

Security
Under the terms of the GDPR, we are required to implement appropriate security measures.

Data Breach
We must inform controllers of any data breach without undue delay after becoming aware of it.

Keep records of our processing activities
We must maintain records on several things such as processing purposes, data sharing and retention.



Disclaimer:
The advice and service packages offered by KSC Group Limited (MarketMagnet UK) are based on our understanding of the new regulations. We strongly recommend that you take the time to read both our own and third-party recommendations to comply. This does not constitute legal advice and can be no substitute for professional legal advice with regard to a particular individual’s or company’s situation or circumstances. KSC Group Limited (MarketMagnet UK) accepts no responsibility for any loss which may arise from any reliance on any information provided.
