Version 1.0 | May 2018
1) General Policy Statement
FibreCRM is committed to full compliance with the requirements of the General Data Protection Regulation (GDPR).
As such, FibreCRM will follow procedures which aim to ensure that all employees (direct or sub-contractors) who have access to any personal data held by or on behalf of the Data Controllers or FibreCRM, are fully aware of and abide by their duties under the General Data Protection Regulation.
Statement of Policy
FibreCRM is a data processor, processing personal data on behalf of Data Controller(s) as part of its Customer Relationship Management (CRM) product. FibreCRM (as a provider of Customer Relationship Management – defined below) needs to collect and use information about people to operate and carry out its functions.
Customer Relationship Management: a category of software that covers a broad set of applications designed to help businesses manage many of the following business processes: customer data, customer interaction, business information, and records of business to business (B2B) interaction. As such, personal data is fundamental to all CRM systems.
FibreCRM regards the lawful and appropriate treatment of personal information as essential to its successful operations, and central to maintaining confidence between ourselves, our consumers and those with whom we carry out business. FibreCRM welcomes the GDPR and therefore fully endorses and adheres to the Principles of the General Data Protection Regulation.
Processing Personal and/or Sensitive Data
FibreCRM will, through management and use of appropriate controls, monitoring and review:
- Use personal data in the most efficient and effective way to deliver better services
- Strive to collect and process only the data or information which is needed
- Use personal data for such purposes as are described at the point of collection, or for purposes which are legally permitted
- Strive to ensure information is accurate
- Not keep information for longer than is necessary
- Securely destroy data which is no longer needed
- Take appropriate technical and organisational security measures to safeguard information (including unauthorised or unlawful processing and accidental loss or damage of data)
- Ensure that information is not transferred abroad without suitable safeguards
- Ensure that there is general information made available to the public of their rights to access information
- Ensure that the rights of people about whom information is held can be fully exercised under the General Data Protection Regulation
These rights include:
- The right to be informed
- The right of access to personal information
- The right to request rectification
- The right to request erasure (also known as the “Right to be Forgotten”)
- The right to restrict processing in certain circumstances
- The right to data portability
- The right to object to processing
Principles under the GDPR
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
- a) Processed lawfully, fairly and in a transparent manner in relation to individuals
- b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
- c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) Accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accordance with the rights of data subjects under the GDPR
The GDPR provides conditions for the processing of any personal data. It also makes a distinction between personal data and ‘special category’ data.
Personal data is defined as any information relating to an identified or identifiable natural person.
Special category data is defined as personal data consisting of information as to:
- Racial or ethnic origin
- Political opinion
- Religious/philosophical beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life or sexual orientation
- Biometric data (where processed to uniquely identify an individual)
- Genetic data
2) The Categories/Personas of Personal Data we hold
FibreCRM handles/processes various categories of personal data, based on our role as both a Data Controller (of our own data) and as a Data Processor (through our provision of Customer Relationship Management (CRM) software).
Categories of Personal Data we process as a Data Controller:
- Customers/Consumers: a person who is already engaged in procuring goods and/or services from FibreCRM
- Leads: a person who has reached out to FibreCRM and expressed an interest in our goods and/or services
- Prospects: a person who is involved in two-way communication with FibreCRM with regards to an interest in our goods and/or services
- Suppliers: a person within an organisation who is involved in providing FibreCRM with goods and/or services
- Employees: a person who is working for FibreCRM on a permanent basis
- Contractors: a person who is engaged in carrying out work on behalf of FibreCRM, on a non-permanent basis, paid for the work they carry out
Categories of Personal Data we process as a Data Processor:
This data will (in the main) be the property of Accountancy practices, and as such the personal data within it will relate to their own interactions (3rd party) as opposed to interaction with FibreCRM direct:
- Customers/Consumers: a person who is already engaged in procuring goods and/or services from the Data Controller
- Leads: a person who has reached out to the Data Controller, and expressed an interest in the Data Controller's goods and/or services
- Prospects: a person who is involved in two-way communication with the Data Controller, with regards to an interest in the Data Controller's goods and/or services
- Suppliers: a person within an organisation who is involved in providing the Data Controller with goods and/or services
- Employees: a person who is working for the Data Controller on a permanent basis
- Contractors: a person who is engaged in carrying out work on behalf of the Data Controller, on a non-permanent basis, paid for the work they carry out
3) Key Data Protection Concepts & Definitions under the GDPR
Definitive concepts and definitions, to support understanding of the GDPR:
- A Data Controller determines the purposes and means of processing personal data
- If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR
- A Data Processor is responsible for processing the data on the Controllers behalf
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach
- A Data Subject is a natural person whose personal data is processed by a Data Controller or a Data Processor
- The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier
- This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people
- The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data
- Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to an individual
Sensitive Personal Data:
- The GDPR refers to sensitive personal data as “special categories of personal data”
- The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual
- Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing
Processing of Personal Data:
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
- Adaptation or Alteration
- Disclosure by Transmission
- Dissemination or otherwise Making Available
- Alignment or Combination
- Restriction, Erasure or Destruction
- “Restriction of Processing” means the marking of stored personal data with the aim of limiting their processing in the future
4) Compliance Procedure
FibreCRM has developed and implemented a robust and in-depth stepped compliance process, designed to ensure that the business reaches and maintains a constant state of compliance well before the May 25th, 2018 deadline.
- Establish an Accountability and Governance Framework
- Data Protection lead briefed the management team on the GDPR risks and benefits
- Management support was gained for a GDPR compliance project
- Assigned a director with accountability for the GDPR (Data Protection Lead)
- Incorporated data protection risk into the corporate risk management and internal control framework
- Scope and Planning of our GDPR project
- Appointed and trained a GDPR lead; the business did not deem it necessary to employ a full-time DPO. The Data Protection Lead undertook the Certified GDPR Practitioner training in March 2018
- Identified which entities will be in scope: business units, territories, jurisdictions
- Identified other standards or management systems that could provide a framework for compliance. The business has committed to implementing Cyber Essentials, Cyber Essentials Plus, IASME Governance and IASME Gold Standard, all of which demonstrate our commitment to information security best practice
- FibreCRM has considered Brexit implications, as part of our GDPR planning
- Conducted a Data Inventory and Data Flow Audit
- Assessed the categories of data held, where it comes from and the lawful basis for our processing. In most instances our lawful basis for processing of personal data will be that of “Legitimate Interest”
- Mapped data flows into, within and out of FibreCRM
- The completed data map was used as a tool to identify potential risks in our data processing activities, and whether a data protection impact assessment (DPIA) was needed
- The decision was to conduct a Data Risk Assessment as a matter of due diligence
- Conducted a Detailed Gap Analysis
- We audited our current compliance position, against the requirements of the GDPR
- Where any compliance gaps existed (which is the norm, as the GDPR requirements stretch beyond the regulations that were already in place) we took remedial action
- Development of GDPR compliant Operational Policies, Procedures and Processes
- Creation and development of Article 30 documentation; this is the record of personal data processing activities drawn from the data flow audit and gap analysis that we carried out
- Development of revised (GDPR compliant) Data Risk Assessment, Data Breach Procedure, Privacy Notice and Data Protection Policy
- FibreCRM does not anticipate requiring “Consent” as grounds for processing of data. However, where we may need to rely on consent, FibreCRM will ensure the quality of that consent meets the GDPR requirements
- Reviewing of/updating employee, customer and supplier contracts in line with the GDPR. This is a key area of focus with regards to the relationship between ourselves as a Data Processor, and the Data Controllers we engage with
- Planning a process to recognise and handle Data Subject Access Requests, ensuring we can provide responses within one month
- Planning a process to recognise and handle Requests for Erasure (Right to be Forgotten), ensuring we can provide responses within one month
- Securing of personal data through appropriate procedural and technical measures
- Ensuring our policies and procedures are in place to detect, report and investigate a personal data breach
- Planning a process for reporting a personal data breach: as a Data Processor, FibreCRM must notify the Data Controller without undue delay after becoming aware of a breach (where the Controller did not report the breach to us in the first instance), and will contact the Data Subject directly only where the breach presents a risk to the Data Subject that requires urgent intervention from FibreCRM
- Review whether the mechanisms for data transfers outside the EU are compliant. This is a key area for FibreCRM, as we employ the service of software development contractors based in India
- GDPR is a positive change to how data management/processing and communications (both B2C and B2B) are conducted. This also affects how we communicate with our own employees, stakeholders and supply chain
- Employees of FibreCRM have been empowered to take ownership of GDPR, to understand the key headlines of the regulations and to focus on key areas that particularly/specifically impact on their role in the business
- The Data Protection Lead conducts regular GDPR awareness sessions, flags issues that require priority attention and we are also in constant communication with Data Controllers who are in some instances at an earlier stage in their GDPR compliance journey
- Monitor and Audit Compliance
- GDPR “compliance” is not a fixed or permanent state. An act of non-compliance can occur at any time where GDPR best practice is not applied, with implications for FibreCRM that could prove business-changing. On that basis FibreCRM has in place a process for the continual monitoring and auditing of our compliance, to ensure we remain compliant and (where possible) surpass the demands of the GDPR and become an exemplar in our own right
- Records of personal data will be kept fully up to date
- Data Protection Impact Assessments will be carried out as and when required
5) Data Protection Lead / Data Protection Officer
FibreCRM has allocated the task of Data Protection Lead to Richard Jackson (Project Manager). Richard has been focussed on driving FibreCRM towards a state of GDPR compliance since January 2018, and will be the point of contact for any external customers who require our support/intervention/action based on a GDPR related issue. Richard will continue in his role as Project Manager, and balance his GDPR activities with his existing role at FibreCRM.
Richard qualified as a Certified GDPR Practitioner in March 2018, and as such FibreCRM and its consumers/partners will benefit from being able to access the services of an accredited GDPR professional.
6) Data Subject Access Requests
Under the GDPR, the Data Subject is entitled to have access to and information about the personal data that the Data Controller has concerning them.
In the case of FibreCRM (in most instances a Data Processor) the request will come from the Data Subject to the Data Controller, who in turn will advise the Data Protection Lead (Richard Jackson) of the request. Under the GDPR the Data Subject is entitled to receive the data concerning them within one month of their request.
Under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15)
The purpose of the Right of Access under the GDPR:
- The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63)
- FibreCRM must provide a copy of the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive
- FibreCRM may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we can charge for all subsequent access requests
- The fee must be based on the administrative cost of providing the information
- Information must be provided without delay and at the latest within one month (30 days) of receipt
- FibreCRM will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of the receipt of the request and explain why the extension is necessary
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, FibreCRM can:
- Charge a reasonable fee considering the administrative costs of providing the information; or refuse to respond
- Where FibreCRM refuses to respond to a request, we must explain why to the individual without undue delay and at the latest within one month (30 days), informing them of their right to complain to the ICO and to seek a judicial remedy
- FibreCRM must verify the identity of the person making the request, using ‘reasonable means’
- If the request is made electronically, FibreCRM should provide the information in a commonly used electronic format
- The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well
- The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others
- In instances where FibreCRM may process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to (Recital 63)
- The GDPR does not include an exemption for requests that relate to large amounts of data, but FibreCRM may be able to consider whether the request is manifestly unfounded or excessive
7) 3rd Party Service Providers
As part of our GDPR compliance process, FibreCRM is obliged to consider its relationship with 3rd Party Service Providers. FibreCRM employs the services of contracted software developers based in Italy and India; Italy is an EU member state, whereas India is a third country without an EU adequacy decision. Therefore, as a business we have conducted a thorough review and engaged with the business in India that develops software on our behalf, to ensure that they meet the standards required under the GDPR.
The GDPR makes it clear that organisations are accountable for data breaches caused by third-party service providers.
3rd Party Provider Review
FibreCRM approached this review in a diligent and thorough manner, and considered the following key elements:
- FibreCRM did not assume that our third-party vendors take security and compliance seriously
- FibreCRM did not assume that our third-party vendors are already GDPR compliant (including our vendor based in Italy)
- FibreCRM clearly defined all the areas and activities in which GDPR is in scope
- FibreCRM ensured that our third-party vendors agreed with our requirements under the GDPR, and subsequently provided signed contractual assurances that they will achieve GDPR compliance by 25 May 2018
- FibreCRM secured written assurance that our third-party vendors will not outsource any GDPR-relevant scoped services without written approval from FibreCRM
- FibreCRM has carried out due diligence, and will regularly audit our third-party vendors’ processes to ensure they are compliant with the requirements of the GDPR. It is anticipated that these audits will take place on an annual basis
- FibreCRM will ensure (as far as is practicable) that our third-party vendors carry out thorough background checks for all staff and contractors, including credit, employment and criminal record checks
- FibreCRM will endeavour to obtain confirmation from our third-party vendors regarding where their employees are located. FibreCRM will make balanced decisions on whether we are prepared to work with vendors employing staff and contractors in countries where hostile state actors operate and/or which are known for supporting, tolerating or ignoring cyber-criminal activity
- FibreCRM is aware of the GDPR rules relating to transferring data outside the EU. The GDPR's territorial scope turns on the location of the data subject (and of the controller or processor), not on where the data happens to be stored. So, whether our third-party service provider is based in the EU or not, the Regulation applies if they are processing the personal data of individuals in the EU, and any transfer to a third country such as India must rest on appropriate safeguards (for example standard contractual clauses). FibreCRM will therefore always work in a security conscious manner and retain a clear focus on the data transfer rules
Third Parties that FibreCRM engages:
Memset is a cloud hosting provider, utilised by FibreCRM because of its quality of service and (crucially) its level of data security. Memset operates high-security data centres, and all employees are BPSS or SC vetted. Memset is independently audited against governance and compliance standards such as ISO 27001, and FibreCRM is assured that it is hosting with a trusted provider. In addition to this, Memset supplies all customers with free firewalling and vulnerability management, as well as security monitoring services to protect Memset infrastructure.
Telephone: 0800 634 9270
EEA / European Union
The vendor we work with in Italy is Alberto Pozzi of Datamain, based in Italy.
Via Leopardi 10
22070 Grandate (CO)
Telephone: +39 031 505609
+39 031 2280508
The vendor we work with in India is Offshore Evolution Pvt. Ltd, based in Gujarat. They are a specialist in CRM, ERP, Open Source and Web Application development.
Offshore Evolution Pvt. Ltd
D-1109, Titanium City Centre
Anand Nagar Road
NR. Sachin Tower
Ahmedabad – 380 015
Data Security Measures
FibreCRM is committed to the highest standards of data security, both for your data and for that of all our customers. “Trust” is an essential element of our business model, and our security measures are intended to provide assurance at every level and against threats of all natures and levels.
As such we have in place several layers of security protection, such as:
Security vulnerability scanning is the process of regularly checking the server for possible routes of entry for an attacker. On a more technical level, we combine port scanning with regular vulnerability assessments of the server configuration and software to highlight exploitable weaknesses. The scans originate from outside our network to make them a “real life” test.
Firewalling enforces a set of rules about what data packets will be allowed to enter or leave a network. Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets traveling over the public internet can impact the security of a private network.
Intrusion Detection is the last line of defence. While our other countermeasures (the firewall and vulnerability scanning) attempt to stop an attacker gaining access to the server, Intrusion Detection alerts are sent to our data security manager whenever a significant event occurs on the server. FibreCRM can tune the alert level to react where necessary.
Our Intrusion Detection is configured conservatively. It detects repeated user-generated errors such as multiple bad passwords or multiple failed logins. These may indicate an attack, or it may simply be that a user has forgotten their credentials. In either case we take no risks: every such event is reviewed, which ensures our security standards remain high at all times.
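As an added illustration of the kind of failed-login alerting described above (this is example code written for this page, not FibreCRM's or Memset's own tooling), the following detector reads OpenSSH-style auth log lines, counts failed password attempts per source address inside a sliding window, and separates a burst of failures across many usernames (password spraying) from a user who fails a couple of times and then logs in. The log lines, the threshold of five failures in ten minutes and the assumed year 2018 (syslog timestamps carry no year) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH/syslog style (not real FibreCRM logs).
# 203.0.113.7 sprays five usernames in eight seconds; alice mistypes twice then
# succeeds; bob fails five times but spread two hours apart.
SAMPLE_LOG = """\
May 20 10:00:01 app sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
May 20 10:00:03 app sshd[2002]: Failed password for invalid user root from 203.0.113.7 port 51001 ssh2
May 20 10:00:05 app sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
May 20 10:00:07 app sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
May 20 10:00:09 app sshd[2005]: Failed password for invalid user guest from 203.0.113.7 port 51004 ssh2
May 20 10:05:00 app sshd[2010]: Failed password for alice from 198.51.100.4 port 40000 ssh2
May 20 10:05:20 app sshd[2011]: Failed password for alice from 198.51.100.4 port 40001 ssh2
May 20 10:05:45 app sshd[2012]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
May 20 11:30:00 app sshd[2020]: Failed password for bob from 192.0.2.9 port 42000 ssh2
May 20 13:30:00 app sshd[2021]: Failed password for bob from 192.0.2.9 port 42001 ssh2
May 20 15:30:00 app sshd[2022]: Failed password for bob from 192.0.2.9 port 42002 ssh2
May 20 17:30:00 app sshd[2023]: Failed password for bob from 192.0.2.9 port 42003 ssh2
May 20 19:30:00 app sshd[2024]: Failed password for bob from 192.0.2.9 port 42004 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2018):
    """Turn auth log lines into (timestamp, failed?, user, source_ip) tuples.

    `year` is an assumption: syslog timestamps omit it. Lines that are not
    password authentication events are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Failed", m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failed-login detector.

    HIGH: a source IP reaches `threshold` failures inside `window`; the alert
          records whether one account or many were targeted.
    INFO: a user logs in after a few failures from the same IP, which is the
          "forgot my password" case rather than an attack.
    One HIGH alert per IP, to avoid flooding the on-call mailbox.
    """
    alerts = []
    failures = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerted = set()
    for ts, failed, user, ip in sorted(events):
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if failed:
            recent.append((ts, user))
            if len(recent) >= threshold and ip not in alerted:
                users = sorted({u for _, u in recent})
                alerts.append({
                    "severity": "HIGH", "ip": ip, "count": len(recent), "users": users,
                    "first": recent[0][0], "last": ts,
                    "kind": "password spraying" if len(users) > 1 else "brute force on one account",
                })
                alerted.add(ip)
        else:
            prior = sum(1 for _, u in recent if u == user)
            if 0 < prior < threshold:
                alerts.append({"severity": "INFO", "ip": ip, "user": user, "count": prior,
                               "kind": "login after failures (likely forgotten password)"})
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as a script it raises one HIGH alert for 203.0.113.7 (five usernames in under ten seconds) and one INFO note for alice; bob's five failures produce nothing because they never fall inside a single ten-minute window. That silence is the point a practitioner should take away: a fixed count-in-window rule is exactly what a low-and-slow attacker tunes against, so the window-based rule belongs alongside a longer-horizon per-account counter and a lockout or rate-limit on the authentication service itself.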
10) Consequences of Non-Compliance
- ICO Powers of Enforcement:
Compared to its predecessor, the Data Protection Directive (95/46/EC), the GDPR gives data protection authorities more investigative and enforcement powers and the power to levy more substantial fines. The GDPR is a regulation that applies directly in all member states of the EU.
The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework a member state’s supervisory authority will operate in one of three roles:
- Lead Supervisory Authority: in the UK the ICO will act as the lead supervisory authority for the controllers and processors whose main establishments are in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state
- Concerned Authorities: will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority for the matter
This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory
How is the fine calculated?
Article 58 of the GDPR gives the supervisory authority the power to impose administrative fines; Article 83 sets the amounts and the factors taken into account when deciding whether to fine and how much, including:
- The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
If it is determined that non-compliance related to technical and organisational obligations such as impact assessments, breach notifications and certifications, then the fine may be up to an amount that is the greater of €10 million or 2% of global annual turnover (revenue) from the prior year.
In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the greater of €20 million or 4% of global annual turnover in the prior year.
Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
- Organic, Reputational and Commercial damage to FibreCRM and its brand
For a business such as FibreCRM, whose business model is based entirely on data, personal data and client trust, any kind of breach or non-compliant act under the GDPR could have catastrophic and business-changing implications.
As such FibreCRM sees the GDPR as an opportunity to ensure we operate within and beyond the requirements of the new regulations.
The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than those in the Data Protection Act 1998 (DPA) and place an emphasis on making privacy notices understandable and accessible. To that end FibreCRM has created a robust and transparent Privacy Notice, designed to adhere to the GDPR and provide Data Subjects with the highest possible levels of assurance and confidence in the security standards FibreCRM applies to their personal data.
The GDPR focuses on ensuring that privacy information is clear and understandable for data subjects. The GDPR makes explicit what has always been set out as good practice.
As expected under the GDPR, FibreCRM will provide information to data subjects about how it processes their personal data, in a format that is:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
Underpinning this privacy notice is our Personal Information Management System (PIMS), a suite of our GDPR & Data Privacy Policies and Procedures. These 25+ documents represent our commitment to data security, and evidence our adherence to the GDPR and our aim of surpassing its expectations where possible. These documents are available on request, and we ask that you contact our Data Protection Lead (Richard Jackson) in the first instance.
In line with Articles 13 and 14, this privacy notice sets out:
- The identity and the contact details of the controller
- The contact details of the data protection officer
- The purposes and legal basis for the processing
- Where the processing is based on legitimate interests, details of what these are
- The recipients or categories of recipients of the personal data
- Details of any transfer to a third country and details of the safeguards and how to obtain a copy of them or where they have been made available
- The retention periods or the criteria used to determine that period
- Details on rights of access to and rectification/deletion of personal data. Rights to object to processing and the right to data portability
- If processing is based on consent, the right to withdraw consent
- The right to lodge a complaint with the supervisory authority
- Details on whether the data subject is obliged to provide the personal data and the consequences of failure to provide it
- Details of any automated decision making, including details of the logic used and potential consequences for the individual
Identity and Contact Details of the Data Controller
Simon Leek (Director of FibreCRM Ltd) is the Data Controller. Simon`s contact details are as follows:
Address: FibreCRM Ltd
Tremough Innovation Centre
Telephone: 020 3598 0898
Office Hours: 09:30 to 17:30 Monday to Friday
Identity & Contact Details of the Data Protection Lead
FibreCRM does not employ a Data Protection Officer (DPO), as under the GDPR we are not required to do so. However, we have assigned the role of “Data Protection Lead” (DPL) to an existing member of the FibreCRM team (Richard Jackson).
Richard is a Certified GDPR Practitioner (IBITGQ) and the role closely mirrors that of a DPO. We apply the same standards to the DPL position as the DPO role, and FibreCRM is committed to supporting our DPL and providing all the resources required to comply with the GDPR.
DPL: Richard Jackson
Address: FibreCRM Ltd
Tremough Innovation Centre
Telephone: 020 3598 0898
Purpose and Legal Basis for Processing
FibreCRM processes personal data in the course of providing its Customer Relationship Management (CRM) software.
CRM is a strategy for managing an organisation’s relationships and interactions with customers and potential customers (prospects and/or leads).
CRM is designed to allow a Data Controller to manage their customer/business relationships, as a tool for growth and business development, efficiency and integration with existing/other business software tools.
In its simplest form, CRM provides a central location for storing customer and prospect information, and that data can be shared with internal colleagues. CRM tracks the historical interactions with customers, through telephone calls, emails, meetings and documentation.
Typical CRM systems will provide tools such as:
- File and Content Sharing
- Sales Forecasting
- Email Campaign Generation
- Instant Employee Messaging
- Email Integration
- Software Integration (FibreCRM specialises in the integration of its CRM products with accountancy practice software)
- Dashboard Analytics
- Prompts and Reminders, Calls to Action
FibreCRM will only process personal data where the data subject has either confirmed their consent for us to do so, or where there is a legitimate interest. Where processing relies on the lawful basis of legitimate interest, FibreCRM will in every case carry out a full and robust Legitimate Interest Assessment (LIA), which will include the ICO's recommended 14-point checklist and the 3-stage balancing test, as follows:
Legitimate Interest as a Lawful Basis for Processing Personal Data:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child.”
Legitimate Interest 14-point Checklist:
- We have checked that legitimate interest is the most appropriate basis
- We understand our responsibility to protect the individual’s interests
- We have conducted a legitimate interest assessment (LIA) and kept a record of it, to ensure that we can justify our decision
- We have identified the relevant legitimate interests
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
- We have done a balancing test (see below), and are confident that the individual’s interests do not override those legitimate interests
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason
- If we process children’s data, we take extra care to make sure we protect their interests
- We have considered safeguards to reduce the impact where possible
- We have considered whether we can offer an opt out
- If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA
- We keep our LIA under review, and repeat it if circumstances change
- We include information about our legitimate interests in our privacy notice
Three Stage Balancing Test:
- FibreCRM identifies the legitimate interest(s). This is achieved through balanced consideration:
  - Why does FibreCRM want to process the data – what are we trying to achieve?
  - Who benefits from the processing? In what way?
  - Are there any wider public benefits to the processing?
  - How important are those benefits?
  - What would the impact be if FibreCRM couldn’t go ahead?
  - Would FibreCRM's use of the data be unethical or unlawful in any way?
- FibreCRM applies the necessity test. This considers:
  - Does this processing help to further that interest?
  - Is it a reasonable way to go about it?
  - Is there another less intrusive way to achieve the same result?
- FibreCRM carries out a balancing test. We consider the impact of our processing and whether this overrides the interest we have identified. We find it helpful to consider the following:
  - What is the nature of FibreCRM's relationship with the individual?
  - Is any of the data particularly sensitive or private?
  - Would people expect FibreCRM to use their data in this way?
  - Is FibreCRM happy to explain it to them?
  - Are some people likely to object or find it intrusive?
  - What is the possible impact on the individual?
  - How big an impact might it have on them?
  - Is FibreCRM processing children’s data?
  - Are any of the individuals vulnerable in any other way?
  - Can FibreCRM adopt any safeguards to minimise the impact?
  - Can FibreCRM offer an opt-out?
Details of our Legitimate Interests
FibreCRM's core business activity is the provision of, and subsequent product support for, Customer Relationship Management (CRM) software. Our primary clients are accountancy practices, a strong market sector for CRM. On that basis our generic legitimate interest is as follows (in the case of each Data Subject we conduct a specific Legitimate Interest Assessment (LIA); the following statement is a broad description of our lawful basis for processing personal data):
- FibreCRM has an interest in processing personal data, for promoting and providing CRM software products for the accountancy practice sector
- Processing the data by the method(s) we apply is the most appropriate means of engaging with the current/prospective customer, and this data processing is a means of furthering the interests of the data subject
- FibreCRM has carefully considered the impact upon the data subject, and is of the view that the data subject would expect FibreCRM to process their data in this manner. In addition, there will either be an existing relationship with the data subject (in many instances on a contractual basis, a further basis for the lawful processing of personal data) or the processing will not be found to be intrusive where the data subject is not yet known to FibreCRM. This is balanced by our consideration that CRM is a standard tool within the accountancy practice sector, and that all accountancy practices would expect a CRM provider to process their personal data based on legitimate interest
Third Country Transfers
FibreCRM will, on occasion, need to transfer personally identifiable data outside the EEA, to third countries or international organisations. This is necessary due to the need to access appropriate CRM product expertise which is not always available in the EEA, and is for the benefit of our clients and data subjects. FibreCRM closely monitors the findings and recommendations of the Article 29 Working Party in relation to guidelines and recommendations on data transfers, binding corporate rules and contractual clauses.
Data Retention Periods
FibreCRM respects and adheres to all six GDPR principles of personal data processing, and for data retention we rely on the principle of Data Minimisation.
Data Minimisation is a principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy. In the General Data Protection Regulation (GDPR), this is defined as data that is adequate and/or relevant.
On that basis, FibreCRM retains data only for as long as is required, and at the point there is a) no requirement for retaining that data and/or b) it becomes irrelevant to the original purpose for processing – that data is erased.
Data Subject Rights under the GDPR
The GDPR provides the following rights for individuals:
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- Rights in relation to Automated Decision Making and Profiling
In each instance and with respect to each of the 8 data subject rights, FibreCRM has created a clear and transparent set of policies and procedures. These are designed to demonstrate our compliance under the GDPR, provide the data subject with the rights they are entitled to, and maintain our data protection standards and culture. These policies and procedures are freely available on request; please contact Richard Jackson (DPL) for further information.
Right to Withdraw Consent
FibreCRM does not rely on Consent as our lawful basis for processing personal data; however, if at any stage we do rely on Consent as our lawful basis, we will ensure that the Data Subject is afforded the opportunity to withdraw their consent as easily as it was to give it initially.
Data Subject Right to Complain to the ICO
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority (ICO in the United Kingdom), in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Should the data subject desire to lodge a complaint with the ICO in relation to a perceived infringement to the GDPR in respect of data that relates to them, FibreCRM provides information to guide the data subject towards how to manage this complaint.
In more detail, the complaint will progress in this manner:
- Every data subject should have the right to lodge a complaint with a single supervisory authority (ICO in the UK), in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject
- The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case
- The supervisory authority (ICO) should inform the data subject of the progress and the outcome of the complaint within a reasonable period
- If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject
- To facilitate the submission of complaints, the ICO should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication
Data Subject Obligations to provide Data
FibreCRM processes personal data only where there is a lawful basis to do so, and in every instance provides the data subject with a clear and straightforward route to “opting out” of that data processing or to request that their data be erased.
There is no obligation on the data subject to provide the personal data, and there are no consequences of failure to provide it to FibreCRM.
The Information Commissioner’s Office (ICO)
- 0303 123 1113 (local rate, calls to this number cost the same as calls to 01 or 02 numbers)
- If calling from outside the UK, please call +44 1625 545 700
- The ICO welcomes telephone calls in Welsh on 029 2067 8400
- We welcome calls in Welsh on 029 2067 8400
- The ICO's normal opening hours are Monday to Friday between 9am and 5pm
The Information Commissioner’s Office – Scotland
45 Melville Street
Telephone: 0303 123 1115
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Telephone: 029 2067 8400
The Information Commissioner’s Office – Northern Ireland
14 Cromac Place,
Telephone: 028 9027 8757 / 0303 123 1114
How we Protect your Information:
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.
Sensitive and private data exchange between the Site and its Users happens over an SSL-secured communication channel and is encrypted and protected with digital signatures.
we will post a notification on the main page of our Site and revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect.
Address: Tremough Innovation Centre
Telephone: +44(0)203 598 0898