Data collection and retention
What personal data is processed?
Discover Helston collects only the minimum amount of personal information in order to handle enquiries regarding the website. This includes name, email, and message.
Through our website we also implement ‘cookies’ to provide the best user experience for our visitors. Information gathered through ‘cookies’ includes: visitor numbers, page views, country of origin, time on site, device used. This information is not connected in any way to personal contact information received either through the contact form, direct emails or phone calls.
You can learn more about ‘cookies’ here: https://ico.org.uk/your-data-matters/online/cookies/
How is that data collected and retained?
Personal data is collected through the contact forms within our website, direct emails and direct phone calls. The majority of information remains within our email system.
Is the data stored locally, on our servers, or both?
Personal data is collected and stored locally within our email client software, but that data is also referenced from an external email server via IMAP (Internet Message Access Protocol).
For how long is data stored, and when is the data deleted?
We implement a process of auditing and deleting data for private individuals after a period of two years. Individuals can request, at any time during the two-year period, a copy of the data we hold in relation to themselves, and can also request that the data be deleted immediately. For any information or deletion request, we can provide and/or delete the data within seven working days (Monday – Friday) of the initial request.
Is the data collection and processing specified, explicit, and legitimate?
Our data collection and processing is specified on the contact page of our website, in the contact form confirmation agreement (checkbox), and within this PIA (Privacy Impact Assessment).
The types of data collected, as well as how it is used are defined explicitly within this PIA.
Discover Helston collects only the minimum amount of information required to conduct our business operations. We only collect and use data that customers provide to us in agreement with our PIA. We never purchase personal contact information where the individual has not explicitly agreed to the data being used by Discover Helston.
What is the process for granting consent for the data processing, and is consent explicit and verifiable?
What is the basis of the consent for the data processing?
Personal and business data collected via the contact form, direct emails and direct phone calls is stored explicitly for internal use within Discover Helston only. Data is only collected where it is required and essential for our business operations and there is no other reasonable way to achieve that purpose.
If not based on consent, what is the legal basis for the data processing?
The legal basis for storing any personal information where we have not been explicitly given consent is the event of legal or civil proceedings, where we need to prove communications with the private individual or business in order to collect payment or establish liability in relation to work undertaken by Discover Helston.
Is the data minimized to what is explicitly required?
Is the data accurate and kept up to date?
The accuracy of the data is checked at the point where it is received by Discover Helston. If for any reason incorrect contact information is received, whereby it does not relate to the individual making the enquiry, then the data will be deleted and we will request that the person submit a new enquiry. Business-to-business data is updated periodically to ensure we maintain the correct contact details for our existing clients. Contact details for individuals are not updated unless requested by the individual, but are otherwise deleted two years after the initial enquiry.
How are users informed about the data processing?
Users are informed about how their data will be processed at the point of contact. This is either via confirmation and agreement by the individual using the contact form, or via the footer of our email communications.
What controls do users have over the data collection and retention?
By entering into communication with Discover Helston via the contact form, direct emails or direct phone calls, users agree that we can store their contact information for business operations. At any time users, clients and private individuals can request a copy of the personal information we store and can also request that it is deleted from all our internal systems.
Technical and security measures
Is the data encrypted, anonymized or pseudonymized?
Discover Helston collects only the minimum data required for contacting private individuals and businesses. As this data is not stored within a single database or format from which it can easily be extracted, at present we do not encrypt, anonymize or pseudonymize the data locally. However, data stored with third-party hosting providers has encrypted access. By contacting Discover Helston the user enters into an agreement that they are satisfied with our level of protection of their data. At any point a user can request that their personal data be removed from our systems if they are not happy with the level of data security we use.
Is the data backed up?
Communications via email are backed up periodically (daily) via remote backups of our website hosting server. Any data stored locally on computers within the office is backed up via third-party cloud-based data storage systems. We check that any third-party software providers are GDPR compliant and offer a suitable level of security in order to best protect the contact information we store.
What are the technical and security measures at the host location?
Discover Helston’s third-party email and website hosting provider offers:
100% PCI-DSS scan compliant hosting.
1,000 Gbps of DDoS protection.
Secure SSH/SFTP access.
Advanced firewall rules ensuring a high-level of security.
256-bit SSL certificates.
Weekly Security Scans.
Weekly/real time file scanning for malicious files.
Encrypted cPanel & email access.
Restrict access by IP.
“SpamExperts” email antivirus filter.
Two-Factor Authentication (TFA/2FA).
The CRM that Discover Helston uses has top-tier, third-party services located in the US to host their online and mobile services. This means that personal information is transferred to servers in the US. To satisfy the requirements relating to the transfer of data from the EU to the US, they have agreements in place with each of their hosting providers that use European Commission model contract clauses. Data is encrypted using industry-standard data encryption, multiple layers of firewalls are in place, all access to data centres and servers used by the CRM is controlled and monitored 24/7, and they perform regular security audits.
Who has access to the data?
Access to data within Discover Helston is restricted to relevant staff members who require the information in order to complete their assigned role within the organisation.
What security measures do those individuals work with?
Team members are instructed to use only strong passwords for securing devices and for accessing local and cloud-based software. They are also instructed to change passwords periodically, at least once every two months. All computers used by the web development company have antivirus and anti-malware software installed to reduce the risk of malicious attacks and of external parties accessing the devices/data.
What data breach notification and alert procedures are in place?
Both our third-party CRM and our email hosting provider have data breach and malicious attack notification services in place. In the event of such a notification, or of a breach of Discover Helston’s internal systems, we have an automatic notification system set up to inform all our partners via email. If we believe that any specific individual’s or business’s data has been compromised, we will begin a process of informing them as soon as possible by direct phone call.
What procedures are in place for government requests?
In the event of a data breach and a government request to inspect our data, we can provide the relevant information within two working days. The majority of the data can be provided in spreadsheet or database format, along with supporting documents.
Subject access rights
How can an individual see a copy of the data 3deep Media holds on them?
In line with GDPR, any individual or business can exercise their right to access the data we hold on them. They can do this by contacting us directly by email or phone.
How does the data subject exercise their right to data portability?
The data we hold on individual private clients is minimal (name, email). It can be provided in a variety of formats (CSV, PDF, DOCX, email). The individual can state their preferred format when contacting Discover Helston.
How does the data subject exercise their rights to erasure and the right to be forgotten?
An individual can contact Discover Helston to request that their information is deleted from our systems. On request we will provide them with a copy of the data we hold, and also state which systems the data has been removed from.
How does the data subject exercise their right to restrict and object?
At any time an individual can contact Discover Helston to object to their personal information being processed within our systems. On request we will provide them with a copy of the data we hold, and also state which systems the data has been removed from. Discover Helston shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Are the obligations of all data processors, including subcontractors, covered by a contract?
Discover Helston has entered into agreements with any/all subcontractors and third-party data processors to ensure we operate only with legitimate suppliers that comply with the GDPR guidelines and keep personal data protected throughout all our business operations.
If the data is transferred outside the European Union, what are the protective measures and safeguards?
Due to the nature of website hosting servers and cloud-based software systems such as our CRM, data is likely to move outside of the European Union during day-to-day operations. To ensure the security of our customers’ personal data we only use reputable providers for web services and ensure they meet the GDPR guidelines. Access to online cloud-based software systems is through a limited number of logins, all of which use the maximum level of password strength. Passwords are also changed periodically to reduce the risk of access being gained by unwanted parties.
What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
Discover Helston stores only the minimal amount of personal contact data required to complete our business operations. In most cases this is limited to name and email address. The main risk would be identity theft, but as this same data is often commonly available through other means, such as online searches, the risk to an individual in the event of a data breach would be very minimal.
What are the risks to the data subjects if the data is modified?
The personal data that Discover Helston store is only related to client contact information and does not form part of any online account, e-commerce system or otherwise. In the event of a data breach where personal data is modified within our systems, the risk to individuals is minimal and would not pose a threat to personal finances, privacy or identity theft.
What are the risks to the data subjects if the data is lost?
Personal contact data for our clients is backed up regularly and encrypted by third-party software systems such as our CRM. The likelihood of the data being lost permanently is very small, and such a loss would not directly affect the individual beyond a delay in communications from Discover Helston.
What are the main sources of risk?
The main source of risk would be unwanted access to our CRM software, either through login details being obtained by a rogue party or through a data breach at the third-party supplier. The result of this would at most be the data being harvested and sold on.
What steps have been taken to mitigate those risks?
To minimise access to any of our systems, all members are instructed to use only the strongest level of secure passwords, and to change these periodically (roughly every two months). Passwords are unique to each system and user, and in the case of clients’ control panels for online hosting, these are always changed from the default passwords set at the time of purchase.