Why this policy exists
This data protection policy ensures Future Friendly Ltd:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Definitions
- The “Company” refers to Future Friendly Ltd, a company registered in England and Wales and trading as “Kind”
- A “Data subject” is a reference to any individual who may be a customer, client, prospective customer or client, or anyone who works part-time or full-time for the company under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. This includes past employees, temporary employees and independent contractors. This also includes anyone who can be identified, directly or indirectly, by reference to an identifier defined under “Personal Data” in the ‘Definitions’ section of this policy.
- “Personal data” is defined as any information (including opinions and intentions) relating to an identified or identifiable natural person. It can reference, but is not limited to, the following identifiers: a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” of personal data may include “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, whether by automated or manual means.
- A “Client” is a reference to past, current or prospective Future Friendly Ltd. clients.
- A “Customer” is a reference to past, current or prospective Future Friendly Ltd. customers.
- A “Supplier” is a third party, vendor, subprocessor company, contractor or organisation that is either a data processor or data controller and in a business relationship with Future Friendly Ltd.
The company uses personal data within the business for personnel, administrative, financial, regulatory, payroll and business development purposes, including sales and marketing.
The company also processes personal information for clients who use its digital design and development services.
This policy reflects Future Friendly Ltd’s role as a Data Processor acting on behalf of a Data Controller, as defined in the General Data Protection Regulation (2016/679), and applies to all internal employees, third-party suppliers and subprocessors.
Company employees are trained and required to comply with this policy. Third-party subprocessors are audited to ensure their systems comply with it.
This policy remains current until it is reviewed or reissued. When this occurs, all affected personnel will be made aware before the new policy is adopted.
The company Data Protection Officer (DPO) is Mat Hayward. The Data Protection Officer is responsible for the day-to-day implementation of this policy and remains the individual in charge of data protection within Future Friendly Ltd.
Policy & Procedures
Future Friendly Ltd as a Data Processor
The company will have a clear and specific agreement with the Data Controller to ensure that personal data is kept secure and up to date.
The company agrees to:
- comply with the requirements of the Services Agreement in the provision of services to the Data Controller;
- process and use the Data only to the extent strictly necessary to perform its obligations or as otherwise provided under the Services Agreement;
- only disclose the Data to the Data Processor’s employees and personnel that have a need to access the Data for the Data Processor’s compliance, while the Data Processor shall ensure that all such employees and personnel are bound by a confidentiality agreement;
- take all reasonable steps to ensure the reliability of all its employees and personnel who have access to the Data;
- ensure that appropriate controls are in place to prevent the Data Processor’s access to special categories of Data, where relevant, except in circumstances expressly authorised by the Data Controller;
- implement, maintain and at all times operate adequate and appropriate technical and organisational measures to:
  - protect the security, confidentiality, integrity and availability of the Data, and
  - protect against unauthorised or unlawful processing of the Data and against accidental loss, destruction or the making vulnerable of, or damage to, the Data; such measures shall, at a minimum, meet:
    - the requirements of Data Protection Law;
    - the standards required by all applicable accepted industry practices;
- comply with its obligations under Data Protection Law, and shall take such steps as are requested by Data Controller to enable the Data Controller to comply with the Data Controller’s obligations under Data Protection Law;
- provide evidence to the Data Controller on request of the technical and organisational measures the Data Processor has taken to comply with its obligations.
The company will not subcontract personal data processing without the written permission of the Data Controller.
If written permission is provided, then the company will ensure that all third parties engaged to store or process personal data on the company’s behalf (i.e. Data subprocessors) are aware of and comply with the contents of this policy and the GDPR (2016/679).
Assurance of such compliance is obtained from all subprocessors, whether companies or individuals, prior to granting them access to Personal Data controlled by the company.
Breach or Compliance Failure
If the company discovers or suspects a compliance failure, security incident, suspected incident or breach, then it will:
- implement immediate containment of the breach;
- accurately record the details of the incident;
- provide an initial assessment of the incident to the Data Controller within 24 hours;
- provide support to the Data Controller to establish the details surrounding the breach.
Upon the request of the Data Controller, or on termination of the Services Agreement, the company will return or securely destroy any personal data relevant to the Data Controller.
Privacy by Design and Default
The company encompasses privacy by design as an approach to projects and applications.
International Data Transfers
No data is transferred outside of the UK without it being agreed by the Data Controller and the company’s Data Protection Officer. It is the responsibility of the Data Controller to ensure that specific consent from the data subject is obtained prior to transferring their data outside the UK.
Upon request, a data subject has the right to receive a copy of their data in a structured format. Where relevant, and where there is no undue burden and it does not compromise the privacy of other individuals, the company will assist the Data Controller in transferring the data directly to another system.
Right to be Forgotten
With a formal written request from the Data Controller to the company Data Protection Officer, the company will assist the Data Controller, where relevant, in deleting or removing any personal data requested.
The company Data Protection Officer has overall responsibility for this Policy and will monitor it regularly to make sure it is being adhered to.
For further information, please contact the company Data Protection Officer.
The Data Protection Officer
Future Friendly Ltd
16 Commerce Square