The standard assumption among many business owners is that only large companies, charities, and public sector organisations are targeted for their data.
Whilst this is a reasonable assumption to make, Couno’s monitoring activities support findings from other companies in our business sector: it is the smaller businesses holding a lot of sensitive information which are at the gravest risk.
Criminal organisations are finding that compromising sensitive data from large companies, charities, and public sector organisations is becoming increasingly difficult.
This Policy sets out the obligations of Couno Limited (“the Company”) regarding data protection and the rights of our clients and prospective clients (“data subjects”) in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:
The Regulation seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Regulation states that processing of personal data shall be lawful if at least one of the following applies:
The Company will only collect and process personal data for, and to the extent necessary for, the specific purpose(s) of which data subjects have been informed, as set out in Part 4, above.
The Company shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
The Company shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay.
The Company shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the data protection and organisational measures which shall be taken are provided in Parts 22 and 23 of this Policy.
The Company shall carry out Privacy Impact Assessments when and as required under the Regulation. Privacy Impact Assessments shall be overseen by the Company’s data protection officer and shall address the following areas of importance:
The Regulation sets out the following rights applicable to data subjects:
Where the Company uses personal data for profiling purposes, the following shall apply:
The following personal data may be collected, held, and processed by the Company:
The Company shall ensure that all its employees, agents, contractors, or other parties working on its behalf comply with the following when working with personal data:
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data: