GDPR compliance: How we deal with your data safely

Any business will by its very nature acquire and store data on other businesses and individuals. At Pixooma we are committed to upholding high standards of data protection and transparency, so below is a summary of the data we may hold on you as an individual and/or your company. We NEVER add your data to lists that are sold or otherwise provided to other companies for them to use and we maintain robust systems to help ensure your data is protected at all times. If you have any concerns or requests regarding the data we may hold on you please contact our data controller.

Who collects the data?

Data on individuals and companies is collected by Pixooma Ltd for legitimate business reasons only. The data controller and processor is Mark Coster.

How we collect data:

Website – This website (pixooma.co.uk) collects data in the form of cookies which help us with our website analytics (number of visitors, pages visited, etc.). This data is automatically transferred securely between Google and Pixooma, and is not provided to third parties. The data is needed in order to analyse the way our website is used so that we can continue to provide a useful service and source of information.

Consent – If any member of Pixooma staff or anyone acting on behalf of Pixooma gains consent from a business contact to keep in touch, that contact is sent a data confirmation statement which links to this article confirming that they gave consent. The consent may be gained verbally (on the phone, at a meeting or event), via email, via signup forms on our website, or via a social media direct message. For our mailing lists we use a double-opt-in process to ensure that no one is signed up without their knowledge or consent. This data is held securely and not added to data lists for resale or transfer to third parties. We may, with your explicit permission, provide your details to one of our contacts in order to refer, recommend or otherwise introduce you both for mutual benefit.

How we protect your data

Website – This website (pixooma.co.uk) has an SSL certificate, meaning that when you connect to it via your web browser the connection is secure and encrypted. A security plugin (Wordfence) is used to protect against malicious attacks, and access to the admin control panel for the website is protected by a username, password and two-factor authentication. The site is backed up hourly by the hosting company and weekly backups are also made by our trusted WordPress developer.

Pixooma hardware – Connection to the internet for Pixooma computers is via two firewalls (one on the router and one on the computer) and requires a personal login and password. The computer is monitored and protected via an anti-virus program and separate anti-malware software. The computer hard disk is also encrypted with a password.

Cloud software – The cloud software we use which contains personal data is protected via a login and password, and two-factor authentication.

Backups and clones – All client files are saved on Dropbox automatically. In the main these are marketing materials, so they will have contact addresses etc. on them, but this information is intended for public viewing anyway. However, we do try to minimise the effects of ransomware and other malware attacks by using the Pro version of Dropbox, which comes with 30-day ‘Versioning’ (giving us access to 30 days' worth of changes to every file), and we get automated warning emails if large numbers of files are changed in one go – a possible sign of a ransomware attack – meaning we can deal with the threat early and minimise the damage it causes. Access to Dropbox is via two-factor authentication at all times. We also back up data every hour to an external drive, which is one of a pair of drives that are swapped every week, with the non-live backup being removed to an off-site location.

What data we hold

CRM – The CRM system we use, Capsule, stores contact information in the form of one or more of the following: name, company address, email, phone, website, and social media. Capsule requires a login and password and we protect it further via two-factor authentication. Capsule has its own data protection policies in place that mean it is able to comply with GDPR.

Mailing list – The mailing system we use, Mailchimp, stores contact information in the form of name and email address. MailChimp requires a login and password and we protect it further via two-factor authentication. MailChimp has its own data protection policies in place that mean it is able to comply with GDPR.

Telephones – Phone numbers and names are stored on our telephone system(s) to enable us to easily call our contacts.

Xero – Our cloud-based accountancy software, Xero, stores client data in the form of name, address and email to enable us to invoice our clients electronically. Xero requires a login and password and we protect it further via two-factor authentication. Xero has its own data protection policies in place that mean it is able to comply with GDPR.

Payment systems – We collect some of our client invoice payments via Direct Debit using a system called GoCardless. This system collects sort code and account number information securely, but it is not transferred to Pixooma in any way. GoCardless is FCA compliant and therefore conforms to GDPR.

Why we hold your data

We hold data on individuals and companies due to one or more of the following criteria, and under the following lawful bases as defined within GDPR:

  1. The contact is a current customer – Lawful basis for processing: legitimate interest as we need to maintain contact information for the purpose of providing services and invoicing the customer
  2. The contact has been a customer historically – Lawful basis for processing: legitimate interest as we need to maintain contact information for the purpose of providing future services, and of holding historical financial records (for HMRC etc)
  3. The contact gave us direct consent to hold their data – Lawful basis for processing: Consent
  4. The contact provides a useful service relevant to Pixooma or its network of contacts – Lawful basis for processing: legitimate interest. The contact in question is a Business to Business (B2B) service provider, and their services are ones that we, or our clients, may find useful
  5. The contact has signed up for one or more of our mailing lists – Lawful basis for processing: Consent to receiving specified emails from us

Your rights

GDPR gives everyone greater control of their data and puts the emphasis firmly back with the individual rather than the company, which is a great step. Therefore you have the right to ask what data we hold on you, to restrict the processing of it, and to request that it be deleted (as long as doing so does not conflict with a regulatory requirement or other need).

Should you wish to know what data we hold, amend your records, or simply request that we delete them then please contact the data controller.
