The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing that of the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have on data about themselves which is collected and stored. It also aims to detect, identify and mitigate against data breaches or leaks for all companies in the EU, as well as enforcing reporting on these issues. This aims to create one uniform policy across the EU regardless of whether the UK is part of the European Union. Any business that deals with EU nationals and business alongside their data must comply with the legislation.
Arkesden Partners Ltd aims to comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers, it will comply when the GDPR legislation takes effect on 25th May 2018.
Arkesden Partners Ltd uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and outlined below. In the context of this statement, data subject refers to the person or entity submitting data and can include employees, clients and other individuals or organisations that Arkesden Partners Ltd work with.
Arkesden Partners Ltd collects potential candidate and client information via meetings, pitches, referrals, references and social media outlets. Data collection and processing is necessary for the performance of a contract with our clients and the advisory aspects of working with any candidate. The Contract a data subject enters, will entail Arkesden Partners Ltd Terms and Conditions which are made available to them in both the signed contract, on the website and by request. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to; name, email and mobile number taking the Legitimate Interest approach. Arkesden Partners Ltd reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.
Data Retention and Deletion
Arkesden Partners Ltd delete customer data after a period of 8 years unless Legitimate Interest is established for that data record. Should any client or candidate of a Arkesden Partners Ltd contact feel they wish to make a Subject Access Request (SAR), Data subjects must request their data by phone, email or letter stipulating what data they would like to access to, and this will be processed within 48 hours. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or otherwise irretrievable the subject will also be informed of this.
Arkesden Partners Ltd aims to keep data on file for a period of 8 years unless otherwise stipulated or Legitimate Interest has not been established. Data would be hard erased after this time unless the subject of the data requests otherwise or has been engaged with during this time and data on them is necessary for archiving purposes in the public interest. Subjects of data have the right to be forgotten and erased from records upon request. Subjects must request their data by phone, email or letter stipulating what data they would like erased and this will be processed within 48 hours. We would send confirmation of this either by email or letter.
The personal information Arkesden Partners Ltd hold is limited to the contractual obligations and should any personal data be required to move to another provider, this would be made available in a suitable format.
Reporting data breach within Arkesden Partners Ltd
As per the GDPR guidelines Arkesden Partners Ltd must report a data breach within 72 hours after becoming aware of the breach, unless the breach itself is low risk. This is to be reported to the top authorities which would be ICO (Information Commissioner’s Office) and the Data Protection Act Submission Form. This can be reported by phone on 0303 123 1113. Once a data breach or leak has been detected than it would be reported to this authority. A data breach or leak includes but is not limited to, a lost USB stick, loss or theft of portable devices or data sent to the wrong person. Arkesden Partners Ltd is not responsible for monitoring and recording data breaches of its third party clients or candidates. The third party client or the candidate is the Data Controller and therefore responsible.
Internal Policies for GDPR
Arkesden Partners Ltd execute a stringent security and access policy for employees that safeguards data and protects the integrity of data. The Company also ensure this doesn’t impact business function and data subject or data subject experiences. Arkesden Partners Ltd have a data security policy, confidentially policy, a password policy and a policy to target Bring Your Own Devices (BYOD) in the workplace. These policies aim to mitigate any instance of data breach or leaks and employees are trained in maintaining data security. Arkesden Partners Ltd has undergone a full GDPR audit of all its internal systems and holds for its and all its third party suppliers, certificates and or confirmations of full GDPR compliance.
Arkesden Partners Ltd use a number of cloud based systems in order to carry out their contractual obligations. These systems may hold customer information in the UK and Europe in secure data centres. To ensure customers information is safe, access to these systems are restricted to authorised personnel only and only accessed via Multi Factor Authentication, ensuring breaches are avoided as much as possible. Some of these systems enable trained Arkesden Partners Ltd staff to remotely access a client system. Further information relating to these policies ae found within the internal Arkesden Partners Ltd GDPR Procedure Manual.
Arkesden Partners Ltd do not hold any client or candidate data onsite as this is stored on its third party premises, or within another cloud system which is not accessible by Arkesden Partners Ltd. Most commonly, email and files are stored within the secure Microsoft Cloud.
Arkesden Partners Ltd CRMs and other Applications / Databases
Arkesden Partners Ltd don’t provide any business line applications or CRM systems and therefore the policies around data for these are the responsibility of the client and / or the database manufacturer.
It is the customer’s responsibility to determine what data is stored and processed, how long their data is stored for, to keep the data up to date and accurate and to ensure only required data is stored. Arkesden Partners Ltd is here to assist with GDPR requests and best practice where we legally can.
This document is provided as of April 2018 for informational purposes to explain Arkesden Partners Ltd stance on GDPR legislation and compliance. It is subject to change or removal without notice