GDPR – Process and details – Communication

SK9 SPORTS
72 Knutsford Road
Alderley Edge
Cheshire
CW9 8RY

paul@sk9sports.co.uk craig@sk9sports.co.uk

Project: GDPR – SK9 SPORTS
Date Created: April 2018. Last Updated: September 2019
Prepared by: SK9 SPORTS
Subject: Process and details – communication

SK9 SPORTS GDPR BREACH LOG BOOK

(2) SK9 SPORTS AND SUFC DP_Agreement__GDPR_compliant 2

Data Controller
Our Data Controller is:
SK9 SPORTS
72 Knutsford Road
Alderley Edge
Cheshire
CW9 8RY
data@sk9sports.co.uk

Data Processing Summary Statement

Business Customers – We collect data on our business customers to allow us to deliver the work we have been contracted to do, so we collect names, addresses, emails and location details. We must communicate regularly with our customers so that we can fulfil their requirements. We also send communications about upcoming events, reminders and other important information on the basis of Contractual Obligation and Legitimate Business Interests, and we invoice and chase invoices on the grounds of legitimate interest.
We mail and email our business customers on the basis of legitimate business interest. Because they are customers, and have been presented with the opportunity to opt out both when the data was collected and on every communication, we do this in line with GDPR and the PECR soft opt-in.
Communications to business customers therefore include:
1) Communications throughout the service provided (email, letter and phone calls), all required to provide the product
2) A monthly email newsletter to customers, informing them of developments in the areas related to Sport, Fitness and Education.
Business Prospecting – We source data on Sports clubs, Educational establishments, the Fitness industry and individuals, and prospect to them via direct mail, email newsletters and phone calls. We communicate with them on the grounds of legitimate business interest: it is in our interest to develop relationships with this audience in order to offer our services in the future. They have the opportunity to opt out, and to opt in on our website.
Data Processors

Name: Paul Grattage
Data access level: 1
Scope of Data Access: 1 Full Customer details; 2 Supplier Details; 3 Customers data; 4 Analytics Data
Scope of Process: Job process

Name: Craig Malbon
Data access level: 1
Scope of Data Access: 1 Full Customer details; 2 Supplier Details; 3 Customers data; 4 Analytics Data
Scope of Process: Job process
Definitions:
1 Full Customer details – Name, address, phone numbers and email of the end users of our services; purchase history, spend and, as needed, financial and invoice details. Made up of Natural and Legal Persons.
2 Supplier Details – Name, address, phone numbers and email of Suppliers to our business. Made up of Natural and Legal Persons.
3 Customers data – Data given to us by our customers for the purposes of marketing; our activity is covered by our data processing agreements. Made up of Natural and Legal Persons.
4 Analytics Data – Data on web traffic sourced through Google Analytics. Made up of Natural and Legal Persons.

Job Process – The actions required to deliver on the contract of service. Collection of name, address and contact data.
Invoicing – Sending out invoices and chasing of payment.
Sales – The process of communicating with a person or establishment that has expressed an interest. They have either made direct contact with us, or their details have been passed to us by a provider, e.g. a club (Sandbach United) or a School (Terra Nova).
Mailing – Mailing out invoices, reminders, and annual letters as part of our marketing process.
Customer Re-contact – Contacting existing customers to determine satisfaction and for the purposes of reselling.
Email Marketing Campaigns – Regular business to business (Schools or Clubs) email newsletters.
Prospecting – Sourcing and marketing to potential business to business clients.

Data Security

• Data Access
• Storage
• Encryption Levels
• Data Transfer to third parties

Data is stored in the most secure way that we can while still allowing us to deliver the provision offered.
All PCs are password protected and files on each PC that contain data are encrypted. Backups are stored on a secure hard drive. We use ‘We transfer’ to transfer customer data and images. The email addresses we hold are provided by 1&1, who are GDPR compliant. Data which is transferred outside of the office is transferred on an encrypted hard drive.
Online storage – we use Dropbox for some data storage, as well as ‘We transfer’. Files are backed up to Dropbox.
Our due diligence shows these organisations adhere to the standards required by GDPR.
PCs are protected by a rigid password policy, and all company phones have PIN numbers and are connected via Find My Phone, allowing the data on them to be wiped. All laptops are password protected and not left unsecured.

Data Breach Process

We have the following obligations:
• To inform the Information Commissioner if there is a serious breach of data security, within 72 hours of the breach occurring.
• To inform the data subject (the customer, for example) if there is likely to be any harm arising from that breach.
• To inform our customers on whose behalf we are processing the data.

Our process is as follows:

1) The data breach is discovered. The breach is noted in the log book with the time and date and which data has been affected. The extent and seriousness of the breach is determined.
2) For a serious breach – the data controller will inform the ICO on the working day of the breach being discovered. This allows us to cover breaches during weekends. If the data controller is not contactable, then the Managing Director is responsible.
3) For all breaches – if the data has been sourced from a provider (a School or a club), then the data controller will inform the provider within 1 working day.
4) Within 1 working day the extent of the breach is identified with regard to potential harm to the customer (the data subject). If harm is a likely outcome, then the data controller will inform the data subject (the customer). For the sake of clarity: name, address and contact details are, in our view, unlikely to give rise to harm, while credit card and bank details are highly likely to give rise to harm.
5) At the next monthly ‘board’ meeting, the breach is discussed and reviewed, and steps are put in place to mitigate it occurring again.

Note – the same responsibility passes on to suppliers/providers who handle our data: they must make us aware of any breaches on the same working day.

Data Providers

Data providers are classed as our customers, listed in the processing table below.

Segment: Customers
Type: Legal Persons and some Natural Persons
Sources: Direct contact
Storage: Stored on password protected PCs and Dropbox. All core data files are encrypted.
Processes: Delivery of service/process; follow up with email newsletter; follow up with seasonal reminders
Legal Basis for the processes: Legal and Contractual Obligations for the purpose of undertaking the work contracted (delivery of service); Legitimate business interest (email newsletter and seasonal reminders)
Notes: To include parents (if U16), individuals, Clubs & Schools

Segment: Business prospects
Type: Legal Persons and some Natural Persons
Sources: Research; Referral
Storage: Stored on password protected PCs and Dropbox. All core data files are encrypted.
Processes: Email marketing; Telephone contact; Mailings
Legal Basis for the processes: Legitimate business interest
Notes: To include parents (if U16), individuals, Clubs & Schools

Segment: Web data analytics
Type: Legal Persons and some Natural Persons
Sources: Google Web Analytics
Storage: Stored on Google systems, accessible via Gmail password. We do not track or store IP addresses.
Processes: Analysis of traffic, sources to general demographics, geographical and occasionally IP
Legal Basis for the processes: Legitimate business interest
Notes: While the data will include legal and natural persons, there is no process to use it to a level to identify individual persons. Data is never used to identify individuals, or to a level other than general overview.

Documentation

The Balancing Test: IDENTIFYING A LEGITIMATE INTEREST FOR COMMUNICATION WITH CUSTOMERS & PROSPECTS
Question / Answer / Guidance

1 Question: What is the purpose of the processing operation?
Answer: Legitimate interest – we want to sell services to them (for the benefit of their children in most cases).
Guidance: The first stage is to identify a Legitimate Interest – what is the purpose for processing the personal data?

2 Question: Is the processing necessary to meet one or more specific organisational objectives?
Answer: Yes, in order to achieve a lawful business objective. If we didn’t, we wouldn’t be in business.
Guidance: If the processing operation is required to achieve a lawful business objective, then it is likely to be legitimate for the purposes of this assessment.

3 Question: Is the processing necessary to meet one or more specific objectives of any Third Party?
Answer: No.
Guidance: While you may only need to identify one Legitimate Interest for the purposes of an LIA – the interest that you are seeking to rely on – it may be useful to list all apparent interests in the processing: those of you as the Controller, as well as those of any Third Party who are likely to have a Legitimate Interest.

4 Question: Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?
Answer: Yes.
Guidance: For example, Legitimate Interests might be relied on where an individual’s (including client or employee) information is processed by a group of companies for the purposes of administration (Recital 48). If the Controller is processing sensitive Personal Data in the employee context, then they may be able to rely on Article 9(2)(b).

5 Question: Why is the processing activity important to the Controller?
Answer: The survival and growth of the business is dependent on the processing activity, and it is critical for the purpose of functioning.
Guidance: A Legitimate Interest may be elective or business critical; however, even if the Controller’s interest in processing personal data for a specific purpose is obvious and legitimate, based on the objectives of the Controller, it must be clearly articulated and communicated to the individual.

6 Question: Why is the processing activity important to other parties the data may be disclosed to, if applicable?
Answer: The processing activity is ‘business critical’ as we work in partnership with Schools and clubs. Parents may also be deemed ‘third party’ when they want their children to attend an activity. We share and disclose important information related to the delivery of our services.
Guidance: A Legitimate Interest could be trivial or business critical; however, the organisation needs to be able to clearly explain what it is. Some purposes will be compelling and lend greater weight to the positive side of the balance, while others may be ancillary and may have less weight in a balancing test. Consider whether your interests relate to a fundamental right, a public interest or another type of interest. Just because the processing is central to what the organisation does does not make it legitimate. It is the reason for the processing balanced against the potential impact on an individual’s rights that is key. It is important to consider whose Legitimate Interests are being relied on. Understanding this will help inform the context of the processing. In combination with the reason the Personal Data is being processed, this information will determine the weight of the Legitimate Interest that needs to be balanced.

7 Question: Is there another way of achieving the objective?
Answer: No.
Guidance: If there isn’t, then clearly the processing is necessary.

8 Question: Would the individual expect the processing activity to take place?
Answer: Yes.
Guidance: If individuals would expect the processing to take place, then the impact on the individual is likely to have already been considered by them and accepted.

9 Question: Why is the processing activity important to the Controller?
Answer: The processing activity is both legally and business critical. In order to deliver our services it is essential that we have the data of our customers, most of whom are under 16.
Guidance: A Legitimate Interest may be elective or business critical; however, even if the Controller’s interest in processing personal data for a specific purpose is obvious and legitimate, based on the objectives of the Controller, it must be clearly articulated and communicated to the individual.

10 Question: Does the processing add value to a product or service that the individual uses?
Answer: Yes. People directly benefit from the service we provide.

11 Question: Is the processing likely to negatively impact the individual’s rights?
Answer: No.

12 Question: Is the processing likely to result in unwarranted harm or distress to the Individual?
Answer: No. (MPS & TPS ? before mailing. Bereavement ?)

13 Question: Would there be a prejudice to the Data Controller if processing does not happen?
Answer: No.

14 Question: Would there be a prejudice to the Third Party if processing does not happen?
Answer: No.

15 Question: Is the processing in the interests of the individual whose personal data it relates to?
Answer: Yes.

16 Question: Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?
Answer: The customers benefit from a service that is required, and therefore it is a Legitimate Interest.
Guidance: What are the benefits to the individual or society? If the processing is to the benefit of the individual, then it is more likely that Legitimate Interests can be relied on, as the individual’s interests will be aligned with those of the Controller.

17 Question: What is the connection between the individual and the organisation?
Answer: The majority are individuals, Schools, Sports clubs, parents and children. We need communication with the adults in order to deliver the product to the children. We don’t communicate with the children directly.

18 Question: What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?
Answer: Name, address, medical including dietary requirements. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9(2) of the GDPR). This refers to the delivery of our services to under 16s.
Guidance: If processing Special Categories of Personal Data, an Article 9 condition must be identified as the lawful basis of processing.

19 Question: Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so, how close is that relationship?
Answer: No. Customers or prospects.
Guidance: The opposite is also possible but it does depend on the purpose of processing.

20 Question: Would the processing limit or undermine the rights of individuals?
Answer: No.
Guidance: If processing would undermine or frustrate the ability to exercise those rights in future, that might well affect the balance.

21 Question: Has the personal information been obtained directly from the individual, or obtained indirectly?
Answer: Obtained indirectly (see above) when we are providing for children. Directly when we are providing for adults.
Guidance: If the information was obtained directly from the individual then you should take due consideration of the notice of fair processing (e.g. your Privacy Notice), the relationship with the individual and their expectations of use. If the data was collected directly and these factors are positive, then it may help to tip the balance in favour of the processing operation. Where Personal Data is not collected directly, there may need to be a more compelling Legitimate Interest to overcome this. It will also depend on the context of the processing and if the organisation has a two-way relationship with the individual.

22 Question: Is there any imbalance in who holds the power between the organisation and the individual?
Answer: No.
Guidance: Does the individual have a choice regarding the processing of their personal information? If the organisation has a dominant position, this will tip the balance slightly against the use of Legitimate Interests. That said, the rights and freedoms of individuals laid down in the GDPR go some way to redressing this issue. The Controller will need to consider how it addresses any imbalance of power to ensure individuals’ rights are not impacted.

23 Question: Is it likely that the individual may expect their information to be used for this purpose?
Answer: Yes. Parents would expect their information to be used for the purpose of delivering the product.
Guidance: Given the relationship between the parties and the services/products being provided, including the information notices available, would the individual reasonably expect or anticipate that their information would be used for those or connected purposes? The stronger the expectation, the greater the chances that Legitimate Interests can be relied on.

24 Question: Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?
Answer: No.
Guidance: Processing should not be unwarranted – intrusion into the private life of an individual may be justified based on the nature of the relationship or special circumstances.

25 Question: Is a fair processing notice provided to the individual? If so, how? Is it sufficiently clear and up front regarding the purposes of the processing?
Answer: Yes. The SK9 SPORTS legal documentation that all parents sign states what the purpose of the processing is. We also have a full privacy statement on the site.
Guidance: Remember that the more unusual, unexpected or intrusive the processing, the greater the importance of making the individual aware of the processing, particularly where Legitimate Interests are to be relied on.

26 Question: Can the individual whose data is being processed control the processing activity or object to it easily?
Answer: Yes.
Guidance: Giving the individual increased control or elements of control may help a Controller rely on Legitimate Interests where otherwise they could not. If individual control is not possible or not appropriate, explain why.

27 Question: Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?
Answer: Our processing does not present a privacy risk to the individual.
Guidance: This is a similar concept to a Data Protection Impact Assessment. Where a DPIA might identify potential privacy harms, it also allows the organisation to mitigate the risk of non-compliance by adapting or altering the scope of the activity. The same is true for an LIA. If you conclude that the processing presents a privacy risk to the individual, the processing can be limited or adapted to reduce the potential impact.

D) Safeguards and Compensating Controls
Safeguards include a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing. These are likely to have been identified via a Privacy Impact Assessment conducted in relation to the proposed activity. For example: data minimisation, de-identification, technical and organisational measures, privacy by design, adding extra transparency, additional layers of encryption, multi-factor authentication, retention limits, restricted access, opt-out options, hashing, salting, and other technical security methods used to protect data.
Please include a description of any compensating controls that will be put in place, or are already in place, to preserve the rights of the individual.

E) REACHING A DECISION AND DOCUMENTING THE OUTCOME
Using the responses above now document if you believe you are able to rely on Legitimate Interests for the processing operation. Please explain, perhaps using bullet points, why you are, or are not, able to rely on this legal basis. You should draw on the answers you have provided in this LIA.

Outcome:
Yes, it is a legitimate business interest.

Signed by:

Role:

Dated: