Data Protection and GDPR - Internal Policy
The GDPR law grants the public increased rights and imposes rules on how data must be handled.
Good-Loop supports the GDPR. This policy document covers how Good-Loop handles the GDPR.
This document is for internal training. It can also be shared with external bodies on request. All staff must also complete the iHasco training course on GDPR.
Hosting
Good-Loop services are hosted within the UK and the EU, and comply with GDPR regulations.
Process around Data Issues
Clients can contact Support with data and GDPR issues. We will provide support and help. This is also the process for subject-access requests.
The contact for our data protection officer (DPO) is: dpo at good-loop.com
Consent
It is important that companies have consent from individuals to store and process their data, and to communicate with them.
Most adverts will not need extra consents.
Where Good-Loop collects personal data from users, for example emails for a mailing-list, we do so on an opt-in basis.
Data Security and Breaches
Good-Loop stores all data on secure servers. Please see our Security Policy for more details.
If you suspect a data breach, you must notify Good-Loop support straight away.
The GDPR places legal obligations on the handling of data breaches, including time limits for responding. We aim to respond well within those time limits in the event of any data breach.
If we suspect a data breach we will notify affected clients within 24 hours. We would then work with the affected client to identify the scope of the breach and take remedial action.
Good-Loop has not had a data breach in its history.
We maintain a register of data breaches and near misses here.
Staff Handling of Data
Good-Loop staff and sub-contractors who handle personal information or confidential client data must take appropriate care to prevent unauthorised people from accessing the data.
Rights of the Data Subject
Individuals ("data subjects") can contact a Good-Loop client with various requests. The client should lead the response to a data subject request, with the Good-Loop support team available to help clients handle these.
Right to be Informed
This does not apply to our activities.
Right of Access
Good-Loop's databases support filtering by individual. When responding to a subject-access request, you must first verify the identity of the data-subject (to avoid releasing potentially private data incorrectly).
Right to Correct Data
Individuals should contact us by email, and we will make corrections as requested. However, we will first verify the identity of the person making the request.
Right to Erasure (right to be forgotten)
Please contact the support team, who can erase the data from the system. As this is not reversible, the support team must first verify the identity of the data-subject and the range of data to be deleted.
Erased data will instantly vanish from front-end use. It will take one month for all data to be removed from the system.
Right to Data Portability
Contact support by email, and we will arrange a data export.
Automated Decision-Making
We do not recommend using Good-Loop services as part of automated decision-making about a person that has legal or similar significant effects for that person. We are not aware of any clients who do so. If you should wish to do so, please check GDPR regulations.
GDPR Article 28 Compliance Checklist
Good-Loop acts as a Data Processor for its clients. We support the aims of the GDPR and we fully accept our responsibilities as a Data Processor. In order to comply with the requirements of Article 28 of the GDPR:
- As a Data Processor, we will only act on the instructions of the Data Controller (unless required by law to act without such instructions).
- All people processing the data within our organisation, whether they are staff or contractors, agree to confidentiality clauses.
- We take data security seriously, and take appropriate measures to ensure the security of processing (please see our security policy for more detail).
- We will only engage a sub-processor with the prior consent of the Data Controller and with a written contract.
- We will assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- We will assist the Data Controller in meeting its GDPR obligations in relation to the security of processing (Article 32 GDPR), the notification of personal data breaches (Article 33 GDPR), and data protection impact assessments (Article 35 GDPR).
- We will delete or return all personal data to the Data Controller as requested at the end of the contract.
- We agree to reasonable audits and inspections, and to provide the Data Controller with whatever information it needs to ensure that we are both meeting Article 28 obligations.
- We will tell the controller immediately if asked to do something infringing the GDPR or other data protection law of the UK, the EU, or a member state.
ePrivacy
Cookies
Cookies are important for the functioning of the modern internet, but if misused they can threaten privacy rights. Our website and adverts use cookies. You can opt out of cookies at any time: there is a simple button for this on the Privacy Policy page.
We aim to provide clear and comprehensive information about cookie use in our privacy policy and linked documents. If you have any questions, please do contact us.
Messages (email, SMS, push notifications)
We do not send unsolicited email or similar electronic messages. All such communications are done on the basis of the user opting in. The user can unsubscribe at any time.
See also
Please also see the following relevant policies: