The Directors and staff of Shared Service Architecture are aware of GDPR and the data rights of our customers under the regulations. They understand the impact this is likely to have on the collection and safeguarding of personal data and are supportive of changes to deliver the entitlement of clients to have their data respected.
The Directors and all staff in SSA have been provided, by the SSA Data Protection Officer, with guidance on the SSA GDPR policy and ICO supporting materials.
The Data Protection Officer is Dominic Macdonald-Wallace and can be contacted on firstname.lastname@example.org or by phoning 0333 939 8909.
2. Information we hold
We have documented the personal data we hold, where it came from and who we share it with.
SSA does not sell, swap or give individuals’ data, or packages of data, to other organisations. Stored personal data is never shared by SSA without the explicit permission of the individual. For example, where a potential employer wishes to verify CTPrac™ or CTArc™ recognition, the individual concerned is contacted to seek their permission.
We have carried out an audit to achieve this and are putting in place procedures to identify the explicit permission we have been given by individuals to hold their data.
The information that we hold is provided, with explicit permissions for its collection and storage, by:
- Our workshop delegates and programme students, through a questionnaire on their evaluation form from the sessions they attend. They have the opportunity to request to be added to the SSA communications database, in order to receive updates and further information. For example, publication of collaboration news updates or news articles in Collaborative Transformation Magazine.
- Organisational leadership and staff who attend facilitated sessions within their organisations and partnerships. Following these sessions, they have the opportunity, through either written or email consent, to request to be added to the SSA communications database to receive updates and further information. For example, publication of news updates or news articles in Collaborative Transformation Magazine.
- Our Collaborative Transformation Practitioners and Collaborative Transformation Architects and Fellows through their applications for recognition.
- Our SSA Librarians who access the SSA online toolkit. SSA Librarians are given access to the SSA online toolkits under the annual licenses.
- Prospective business clients who approach SSA and supply their business cards, email us with their details, or phone us, so that their details can be added to the SSA communications database to initiate business enquiries, or to receive updates or further information that can help them make sales decisions. For example, individuals who sign in to the SSA Online Tools preview website, using their personal emails, to test out the tools and make a purchasing decision.
- Prospective business clients who are approached by SSA under our marketing strategy. The prospect data held is a name and business email address and will only be held for the purpose of prospecting and deleted when no longer appropriate to be held.
- SSA’s staff and associates who enter into a contract with us. This can include, for example, their full name and previous names, date of birth, race, gender, permissions to work in the UK, home address, national insurance number, health and welfare information, employment or business details (business insurances and due diligence evidence), bank accounts and next of kin information. This is in order to contract with SSA, or conform to employment law, be paid for their work with SSA, or to inform a next of kin as part of our health and safety policy.
3. Communicating privacy information
We have reviewed our privacy notices and have put a plan in place for making any necessary changes relating to GDPR implementation. This will provide those listed above with the opportunity to review, update or delete the information we hold on them.
4. Individuals’ rights
We have ensured our procedures cover all the rights individuals have, including how they can delete personal data or provide data electronically.
5. Subject access requests
Procedures and plans have been put in place to handle requests within the new timescales and provide any additional information. This will provide those listed above with the opportunity to review, update or delete the information we hold on them.
6. Lawful basis for processing personal data
Consent is recorded and, where relevant, existing consents have been refreshed to meet the GDPR standards.
8. Data breaches
The right procedures have been put in place to detect, report and investigate a personal data breach:
The SSA central database is hosted online in Microsoft Dynamics and is protected by their security systems. SSA will take timely action if Microsoft notify us of a data breach of their system. All those we hold data on will be notified so that they can take action if required.
The SSA website is hosted by 34SP and is protected by their security systems. SSA will take timely action if 34SP notify us of a data breach of their system that affects personal data that we hold. All those we hold data on in the website will be notified so that they can take action if required.
The SSA Online Toolkit and Preview Toolkit are hosted by Clickfunnels and are protected by their security systems. SSA will take timely action if Clickfunnels notify us of a data breach of their system that affects personal data that we hold. All those we hold data on there will be notified so that they can take action if required.
Each member of the SSA staff has a responsibility to maintain the security of their own laptop or PC and to delete all personal data that need not be retained following its use. For example, following an event for which we hold a delegate list, they must delete the details of all delegates who have not given explicit permission to store their data.
9. Data Protection by Design and Data Protection Impact Assessments
We adhere to the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and are committed to implementing them in our organisation. Impact assessments will be carried out annually, or more frequently if required by unexpected circumstances.
10. Data Protection Officers
Shared Service Architecture’s Data Protection Officer is Dominic Macdonald-Wallace and can be contacted at email@example.com.
Where Shared Service Architecture operates in more than one EU member state (i.e. carries out cross-border processing), we will determine our lead data protection supervisory authority under Article 29 Working Party guidelines.
This Policy has been approved & authorised by:
Name: Dominic Macdonald-Wallace
Position: Director of Shared Service Architecture Ltd