OUR DATA POLICY

INTRODUCTION

This Policy document formally outlines the data governance policy of Thrive Online Group UK LTD (TOUK). The policies listed outline how data processing and control / management should be carried out to ensure that data is managed in an accurate, accessible, consistent, and protected manner.

The policies discussed in this document also establish who is responsible for information under various circumstances and specify what procedures should be used to manage it. In addition, the policies incorporate risk management and data ethics principles to reduce potential business problems arising from the processing or controlling of data in any territory where TOUK operates.

BUSINESS DETAILS

Registered Name: Thriveonline UK Ltd

Registration number: 14657874

Start date of operations: February 2023

Tel: +44 (0) 115 783 8374 / +44 (0) 7552 819 740 / +27 (0) 82 906 9087

Registered address: 12, Bridgford Road, West Bridgford, Nottingham, NG2 6AB, UNITED KINGDOM.

Compliance Officer – Mark Futcher (Interim appointment)

Business outline of TOUK

TOUK is a digital agency business, offering digital marketing solutions to its customers.

TOUK's primary services are as follows:
  • Website Design
  • Website Development
  • Social Media Management
  • Pay Per Click Marketing
  • Search Engine Optimization
  • Creative Design – Digital and other
  • Direct Marketing

Secondary services:

Management consultation of outsourced marketing that is not core to digital, for example:

  • PR
  • Outdoor
  • Activations
  • Print

TOUK owns and holds rights to developed book management systems, lead management platforms and CRM systems, which are designed to reduce cost, create accountability and compliance, provide ease of access to information and manage the outcomes of the business relationships we build.

TOUK strategically manages its own operations and business relationships and implements outcome-based campaigns / business strategies, ensuring transparency, accountability, and compliance.

It is evident from the Business Outline and Core Services that TOUK may:

  1. Process data for and on behalf of client controllers and supplier controllers
  2. Control data, in that the data is stored and, with specific contractual rights given and territorial legislation followed, may be used by TOUK for the benefit of TOUK and/or its clients.

Data Controller vs Data Processor

The formal definition of a processor, as given in GDPR Article 4, is: “Processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

GDPR defines a data controller as: “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” The data controller will decide the purpose for which personal data is required and what personal data is necessary to fulfill that purpose.

Territorial Regulations Followed

GDPR – General Data Protection Regulation, UK and Europe

Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are also obliged to protect it from misuse, exploitation and breach, or they will face penalties for not doing so. Failure to comply with GDPR can result in a fine ranging from £14,000,000.00 to four per cent of the company’s annual global turnover.

GDPR outlines that the following measures must be taken to host, hold and use consumer data:

  • Have a data compliance officer and keep records that demonstrate full data accountability compliance
  • Have comprehensive but proportionate data governance and policy measures
  • Implement appropriate technical and organisational data management measures
  • Keep processing activities auditable, for transparent data processing and archiving reports
  • Carry out auditable destruction of non-compliant data and data that has become irrelevant
  • Apply appropriate security measures as outlined in the ‘integrity and confidentiality’ principle

Industry Regulator: ICO https://ico.org.uk/

TOUK registration: Tier 1 registration with the ICO for the current period November 2023 to November 2024; the certificate of membership is available for inspection.

TOUK as a Data Controller

In its normal course of business, TOUK will have the ability to acquire data of which it will become the owner. In such cases, TOUK will use a secure asset to store such data. The data will be stored in a defined, auditable, and secured manner.

Should TOUK wish to use any of the data it owns, or to determine the purpose of a data point, it is obliged to do so within the legislative and regulatory bounds of the territory to which the data is locked.

Data Destruction Policy

As a processor, TOUK will abide by the legal and legislative regulations of the territory where the data has been processed, in consultation with any regulatory body TOUK engages with or is a member of.

As a controller, TOUK will destroy data upon request and as part of its legal requirements, in consultation with any regulatory body TOUK engages with or is a member of.

Data breach notification procedures

Introduction

As a business, TOUK may hold, process and control personal or business data for the purposes of its general business dealings. Every care must be taken to protect this personal information from accidental or deliberate misuse, to avoid a data breach that could compromise the security and confidentiality of the data point. However, as the amount of data available grows and technology develops, there are many ways by which data can be breached.

TOUK needs to have in place a robust and systematic process for responding to any reported data breach, to ensure it can act legally and responsibly and protect the personal data it processes.

The aim of this procedure is to standardize TOUK's response to any data breach and ensure that breaches are appropriately logged and managed in accordance with the law and best practice. The TOUK policy outlines the below as its response to any data breach:

  • Incidents are reported internally swiftly and can be properly investigated
  • Incidents are dealt with in a timely manner and normal operations restored
  • Incidents are recorded and documented
  • The impact of the incident is understood, and action is taken to prevent further damage
  • Any required regulatory body per territory, and the data subjects, are informed where necessary in line with territorial legislation
  • Incidents are reviewed for future proofing

What is a data breach? Article 4(12) of the General Data Protection Regulation (“GDPR”) defines a data breach as: “a breach of security leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Rights of data subjects

Data Protection: TOUK notes the following rights of data subjects:

  • The right to be informed about the collection and the use of their personal data
  • The right to access personal data and supplementary information
  • The right to have inaccurate personal data rectified, or completed if it is incomplete
  • The right to erasure (to be forgotten) in certain circumstances
  • The right to restrict processing in certain circumstances
  • The right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • The right to object to processing in certain circumstances
  • Rights in relation to automated decision making and profiling
  • The right to withdraw consent at any time (where relevant)
  • The right to complain to the territorial regulator
  • The right to opt-out or opt-in for further communications

Conclusion

TOUK LTD will hold the legal requirements of its position as a data processor and/or data controller to the highest standards within its course of business dealings. All staff, contractors, subcontractors, suppliers and clients can, upon request, be made aware of our policies when considering data use and data security. Continuous training and engagement with the correct regulatory bodies will be implemented, and we must, at all times, adhere to the principles of:

The Seven Principles
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability