The General Data Protection Regulation (GDPR)
The GDPR is a new European regulation for the protection of personal data that came into force on 25 May 2018 and was put into UK law through the Data Protection Act 2018.
What personal information do we hold?
Where provided, we have the names, work addresses and email addresses of post holders working for companies and organisations in each of the Power 100 lists, awards and publication sectors.
Post holder data is not shared publicly and is only disclosed to third parties where it meets the necessary conditions and tests of legitimate interest and relevance (further details below). Post holder data is recorded and used to ensure effective and efficient communication with the organisations, posts and responsibilities listed. No sensitive personal data, or anything relating to an individual’s preferences or personal life, is held or recorded.
What do we do with the data?
We use the data we collect in the following ways:
- We are a leading provider of market intelligence for all private and public sectors and conduct regular surveys in support of our range of market reports. We rely on having good, up-to-date data to ensure we reach the right people.
- We use the data for direct marketing purposes. Any communications that we send clearly include an ‘unsubscribe’ option.
- We license data to third parties who may use it for analysis and marketing purposes. It is important to note that we do not sell data – it is licensed to clients on a time and use restricted basis.
- We use data for the processing of sales and the delivery of orders to clients.
How we collect information
We collect data in the following ways:
- From public websites which publish contact information.
- Through our surveys. Individuals are given the opportunity to opt out from receiving emailed surveys.
- Through our sales process, during which we require clients’ details to invoice them and send them the products they order.
- Through networking in the normal course of business, collecting details from people we meet who are likely to be interested in our products and services.
Our data is held in the following places:
- Our proprietary SQL database which can only be accessed by staff working on the company’s networks.
- Our password-protected CRM systems which are only accessible to selected staff.
- Our data portal which is password protected using AES-256 encryption and may only be accessed by employees and people who have been licensed to use the data held within it.
Entry controls. Any stranger seen in entry-controlled areas will be reported.
Secure lockable desks and cupboards. Desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Retention Period. Post holder data is on average reconfirmed, validated or changed every 6 months. The maximum period for storage without securing a reverification or update is 2 years.
If you do not wish us to use your data ourselves or license your personal data to a third party for marketing purposes you can:
- Request to unsubscribe via any of the direct marketing communications that we send.
- Write to our Head of Data Analytics at firstname.lastname@example.org.
Through which marketing channels, and on what basis, can data be used for communication, including research and marketing?
Our communications are ‘business to business’ (B2B) and as a result we are processing data on the legal basis of ‘legitimate interest’.
- Postal Communication/Marketing – this will remain an ‘opt-out’ channel (subject to the Mailing Preference Service (MPS) where appropriate).
- Telephone Communication/Marketing – all telephone numbers must be screened against the TPS and CTPS (Telephone/Corporate Telephone Preference Scheme) prior to being used for marketing purposes. Beyond that, this will remain an ‘opt-out’ channel.
- Email Communication/Marketing – the rules for e-mailing employees of Public Bodies and Companies are governed by the PECR (Privacy and Electronic Communication Regulations) which will be replaced by the forthcoming e-Privacy Regulations (tbc). This will remain an ‘opt-out’ channel. Private individuals are asked to opt-in to receive electronic communication and marketing from us.
What restrictions are there on the use of our data for marketing?
- All communications must be relevant and proportionate.
- All communications must contain a clear opportunity to opt-out from future correspondence.
- All requests to opt-out are honoured.
- Data used for marketing must be recently downloaded (i.e. within the past month) to ensure it is as up to date as possible.
We process data on the basis of ‘legitimate interest’ and can make legitimate interest assessments available for viewing as required. Any party who purchases a data license from us must establish their own legal basis for processing.
We offer a range of data solutions among our products and services. While much of the data we gather and pass on to others is anonymous and used for analysis and benchmarking, a portion of the data we hold relates to post holders in companies and organisations as described above and may be used for marketing purposes by us and by third parties to whom we license it. It is up to these third parties to decide their own legal basis for processing.
In doing this, we provide a necessary function for communication and research in the independent health and social care sectors. The interests of both the data subjects and data users are considered to the fullest possible extent and all our database content and services are made as transparent as possible.
Data Export and License
Any data shared is in compliance with the Information Commissioner’s Office Checklist.
In all cases the rights of the individual whose personal data is associated with a post listed on our database are considered and put in the context of both the reasonable expectation of those fulfilling senior, important, budget-holding and influential roles within Public Bodies or providing Public Services, and the rights and legitimate interests of other Public and Commercial Bodies who wish to discuss aspects and responsibilities of the roles directly or to provide details of relevant documents, events, services and publications that will be beneficial to the Post Holders.
No personal data is ever sold to third parties and where any personal data relating to a post holder is licensed for a set period or purpose for use by a client (user), a consultation with the user is made available to ensure suitability, and in addition, the following conditions relating to direct communication with a post holder must be met:
- The user is a Public Body or a Supplier/Body offering or conducting relevant research, services or work
- The means, content and amount of communication is appropriate, relevant and not excessive
- The user’s contact information is always available and clear to the post holder
- A clear and unambiguous opportunity to stop any further communication is offered
- All data is screened against any necessary official preference services before use
- All data supplied can only be held and used for a prescribed period and purpose.
- All data must be held securely and not transferred to any third parties without consent.
- All requests to remove data are respected and a record is held to prevent further use.
Where requested by post holders, users must provide details of ourselves as the source of the personal data used and provide a link to this document.
Transparency, Rights, Updates and Preferences for Post Holders
Our services are only possible with the kind cooperation of companies, not-for-profit organisations, public service organisations and their staff. Without it, neither our business nor the services we provide would be viable. We hope that the openness of our data to the post holders listed and the opportunities and information offered by ourselves and our users are both valuable and useful to those concerned.
If you wish to access any post holder data that we hold on you, please contact email@example.com and a copy will be supplied to you. Please use the same email address if there are changes needed to any organisational or post holder data. These will be actioned, and a confirmation email will be sent.
If a post holder would like more information about how we obtained their information or would like their name and/or email address removed from the database, please email us at firstname.lastname@example.org including your name and the organisation you work for. We will review the data held and respond with the appropriate information and a list of preference options, including limiting access to the personal data in question or complete removal, according to the post holder’s wishes.
When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
- We will check the caller’s identity to make sure that information is only given to a person who is entitled to it.
- We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.
Our employees will refer a request to the company Chief Operating Officer for assistance in difficult situations. Employees should not be bullied into disclosing personal information.
If an individual has engaged with the Company but is still dissatisfied, they are free at any time to raise concerns and/or complaints of any alleged breaches with the Information Commissioner’s Office by visiting their website at https://ico.org.uk/concerns/.