1 Accountability & Governance.
1.1 Data Controller.
1.1.1 Applikation Ltd is the Data Controller for all of Applikation’s data processing activities. This means that the organisation is responsible for deciding how personal data is processed and for what purposes, and for implementing appropriate technical and organisational controls to protect its clients’ personal data.
1.2 Nominated Supervisory Authority.
1.2.1 Applikation are registered with the Isle of Man Supervisory Authority: The Information Commissioner’s Office for our processing activities.
“We take responsibility for complying with the GDPR, at the highest management level and throughout our organisation.”
1.3.1 Applikation takes its responsibilities for complying with the GDPR extremely seriously, at the highest management levels and across the organisation. Applikation is committed to establishing a culture of data protection within the organisation.
1.3.2 The Data Governance Manager is accountable to the Applikation Board for Data Protection.
1.3.3 Data protection is a standing agenda item in all Board Meetings. The following management information is tracked:
- Details of any major data protection decisions since the last meeting.
- Number of data breaches by month – if any.
- Number of data breaches reported to the Information Commissioner.
- Number of data breaches not reported to the Information Commissioner.
- Number of Subject Access Requests (SAR) received since last meeting.
- Number of completed SARs.
- Number of ongoing SARs.
- Number of other “Individual Rights Requests” received by month since last meeting.
- Number of Legitimate Interest Assessments reviewed since last meeting.
- Number and title of Legitimate Interest Assessments due review ahead of next meeting.
- Date of next internal audit review.
1.4 Data Protection Officer.
“We have appointed a data protection officer.”
1.4.1 Applikation have nominated a Data Protection Officer. They can be contacted at Data Protection Officer, Applikation Ltd, 2nd Floor, 14 Athol Street, Douglas, Isle of Man, IM1 1JA.
1.5 GDPR Evidence.
“We ensure appropriate technical and organisational measures, by keeping evidence of the steps we take to comply with the GDPR.”
1.5.1 All Data Protection compliance decisions, agreements and events are documented in the Data Governance Register. The Data Governance Manager is responsible for maintaining and updating the register. The register is subject to an annual review by the Board.
1.6 Data Protection Policies.
“We ensure appropriate technical and organisational measures, by adopting and implementing a data protection policy.”
1.6.1 In order to ensure appropriate “technical and organisational measures” Applikation has produced this data protection policy to document and direct how the organisation approaches data protection and achieves its compliance obligations. All staff are expected to read this policy as part of their onboarding into the company, understand its contents and their obligations, and review it annually thereafter.
1.7 Data protection by design and default.
“We ensure appropriate technical and organisational measures, by taking a ‘data protection by design and default’ approach.”
1.7.1 Applikation take a data protection by design and default approach and seek to have appropriate data protection measures in place throughout the entire lifecycle of our processing operations. Applikation achieves this by adhering to the data protection principles of:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
1.8 Governance Documentation.
1.8.1 Applikation maintain the following documents to manage their data protection governance and accountability obligations:
1.8.2 Governance Register. The Governance Register is a chronological log that captures all key data protection decisions and actions. It is used to demonstrate Applikation’s active development of and compliance with data protection accountability obligations.
1.8.3 Data Protection Risk Register. The Data Protection Risk Register is a live document used to record Applikation’s data protection and information security risks and feeds into the wider enterprise risk management regime. The register is used to assist the identification, documentation and management of risk so that appropriate technical and organisational security mitigation measures can be implemented and the business can demonstrate its decision-making process. The risk register is reviewed at minimum quarterly.
1.8.4 Record of Processing Activity. In observance of Article 30(1) of the GDPR and as detailed in paragraph 1.9.1, Applikation is required to document a “Record of Processing Activity (RoPA).” Applikation should not process personal data in any way which is not recorded in the document. The document should be reviewed as required and at minimum annually.
1.8.5 Data Protection Impact Assessment (DPIA) Register. The DPIA register documents what DPIAs Applikation has conducted and are currently live within the business. It also acts as a crib for ensuring that DPIAs are conducted correctly, logically and in a comprehensive manner.
1.8.6 Consent Statement Register. This document acts as a register of all consent statements in use by the business and controls the active version and valid-from date of each. This assists the business in governing and proving which version of a consent statement was in place at a particular time.
1.8.7 Privacy Notice Change Register. The Privacy Notice Change Register documents the evolution of Applikation’s Privacy Notice. It controls the active version and valid-from date of the Privacy Notice and assists in governing and proving which version of the Privacy Notice was in place at a particular time.
1.8.8 Subject Access Request (SAR) Register. The Subject Access Request Register is used to document all Subject Access Requests and assist the effective management of response. It should be used in conjunction with the Subject Access Request Management Process.
1.8.9 Individual Rights Register. The Individual Rights Register is used to document all Individual Rights Requests and assist the effective management of response. It should be used in conjunction with the relevant Individual Rights Request Management Process.
1.8.10 Contracts Register. The Contracts Register records all Applikation’s contract relationships where personal data is shared. It acts as a crib for ensuring that the necessary data sharing obligations are passed on to any Joint Controller or Data Processor.
1.8.11 Data Breach Register. The Data Breach Register enables Applikation to manage its GDPR Article 33 obligations – notification of a Data Breach to the Supervisory Authority (IoM Information Commissioner). Not all breaches must be reported, depending on their severity, but Applikation has an obligation to record and document all data breaches: reportable and non-reportable.
1.8.12 International Transfer Register. The International Transfer register documents where Applikation may be sharing information internationally and where appropriate what safeguard condition has been implemented to ensure that any customer data shall be managed appropriately and diligently.
1.9 Documenting Our Processing Activities.
Article 30(1) & 30(2)
“We ensure appropriate technical and organisational measures, by maintaining documentation of our processing activities.”
“We document our processing activities in electronic form so we can add, remove and amend information easily.”
1.9.1 Record of Processing Activity (RoPA). As the Data Controller, Applikation maintains a RoPA for all the organisation’s data processing activities. The record is a live electronic document, subject to update and review. The document records:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The condition for processing we rely on in the Data Protection Act 2018 (DPA 2018);
- The lawful basis for our processing;
- Where the personal data is stored;
- How long the personal data is retained; and
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.
1.9.2 If a processing activity is not recorded in the RoPA, it is not authorised and must not take place. All Applikation staff have a responsibility to check that the processing activity is recorded prior to processing any data. Should a processing activity need to occur that is not recorded in the RoPA, authorisation by an Applikation Director and confirmation from the Data Governance Manager that the processing purpose has been recorded are required before processing commences. If a member of staff identifies a processing activity taking place which is not recorded, or an inaccuracy in the RoPA, the Data Governance Manager should be informed immediately and the RoPA updated.
1.9.3 RoPA Review. The register is reviewed at minimum annually, as part of the Annual Accountability Review Regime detailed at paragraph 1.10.
1.9.4 Special Category Data. Where Applikation processes special category or criminal conviction and offence data, the following additional information is recorded in the RoPA:
- The condition for processing we rely on in the Data Protection Act 2018 (DPA 2018);
- The lawful basis for our processing; and
- Whether we retain and erase the personal data in accordance with our policy document.
1.10 Annual Accountability Review Regime.
“We review and update our accountability measures at appropriate intervals.”
“We conduct regular reviews of the personal data we process and update our documentation accordingly.”
“We review our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.”
1.10.1 To meet its accountability obligations, Applikation conducts a formal internal audit of all governance documentation at minimum annually. This includes reviews of:
- Privacy Notice.
- Register of Processing Activities and actual processing activities.
- Data holdings.
- Data retention.
- Legitimate interest assessments.
- Data sharing agreements and contracts.
1.11 Contracts and Data Sharing Agreements.
“We ensure appropriate technical and organisational measures, by putting written contracts in place with organisations that process personal data on our behalf.”
1.11.1 Where Applikation shares data with a 3rd Party, a contract and/or data sharing agreement is established that governs how the partner may use and must protect the personal data we share with them, and requires that they:
- Abide by the requirements of all relevant data protection and privacy legislation;
- Treat the personal data entrusted to them as carefully as we would;
- Only use the information for the purposes for which it was supplied (and not for their own purposes or the purposes of any other organisation); and
- Allow us to carry out checks to ensure they are doing all these things.
1.11.2 All contracts are to be logged in the Contracts Register and are reviewed annually as part of the annual accountability review process as detailed at paragraph 1.10. Reviews are to be logged in the Governance Register.
1.11.3 Applikation use contract clauses and data sharing agreements to ensure that organisations with whom data is shared manage data in accordance with Isle of Man Data Protection Regulation. All Applikation contracts include the following compulsory details:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject;
- The obligations and rights of the controller;
- The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- The processor must ensure that people processing the data are subject to a duty of confidence;
- The processor must take appropriate measures to ensure the security of processing;
- The processor must only engage a sub-processor with the prior consent of the data controller and under a written contract;
- The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- The processor must delete or return all personal data to the controller as requested at the end of the contract; and
- The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
1.11.4 As a matter of good practice, all Applikation contracts and data sharing agreements:
- State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the Data Protection Regulation; and
- Reflect any indemnity that has been agreed.
1.12 Security measures.
“We implement appropriate security measures.”
1.12.1 Full details of the measures that we use to secure our information is included within our Information Security Policy.
1.13 Codes of Conduct and Certification Schemes.
“We adhere to relevant codes of conduct and sign up to certification schemes (where possible).”
1.13.1 The Isle of Man Information Commissioner’s Office has yet to endorse any relevant codes of conduct and/or certification schemes.
1.14 Data Protection Training
1.14.1 Annual Awareness Training. All Applikation staff will conduct mandatory data protection awareness training as part of their induction training and annually thereafter. The training year aligns with the financial year and training is expected to be completed by the end of quarter one. Training is conducted using an online digital training package. Completion of training is a mandatory requirement of all staff’s terms and conditions. The percentage of staff that have conducted training is tracked as management information using the learning management system report function and is part of the data protection agenda item at board meetings.
1.14.2 Quarterly Training. To complement data protection awareness training, an ongoing programme of training workshops is conducted to develop and maintain an understanding of key data protection areas. This includes:
- Data breach training.
- Data protection by design.
- Data protection impact assessment training.
- Subject access request training.
- Right to erasure and anonymisation training.
1.14.3 Training Records. For any training workshop conducted, a nominal roll of attendance is taken and filed for accountability purposes.
1.14.4 Training in the event of a breach. In the event that a member of the Applikation team causes a data protection breach, or near miss event occurs, the individual is required to retake the data protection awareness training within 5 business days of the event.
2 Personal Data Breaches.
“We record and, where necessary, report personal data breaches.”
2.1 Data Breach Recognition.
“We know how to recognise a personal data breach. We understand that a personal data breach isn’t only about loss or theft of personal data.”
2.1.1 Applikation recognises that data breaches can occur in numerous ways. These include:
- External malicious intent.
- Internal accidental error.
- Internal malicious intent.
and can take the form of personal data that is:
- Accessed or viewed by individuals who should not have access to it.
- Destroyed ahead of its retention date, unless requested.
- Rendered unavailable or inaccessible when needed.
2.2 Data Breach Response Plan.
“We have prepared a response plan for addressing any personal data breaches that occur.”
2.2.1 Applikation have implemented a robust data breach response plan to address any personal data breach that may occur. A copy is included as an enclosure to this document.
2.3 Data Breach Management.
“We have allocated responsibility for managing breaches to a dedicated person or team.”
2.3.1 The Data Governance Manager is responsible for managing data breaches, with support from the Data Protection Officer.
2.4 Data Breach Escalation.
“Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.”
2.4.1 All staff undertake data protection training as part of induction and annually thereafter. The training includes how to recognise a data breach and the importance of swift escalation to the Data Governance Manager when it is believed that a breach has occurred.
2.5 Data Breach – Subject Notification.
“We have in place a process to assess the likely risk to individuals as a result of a breach.”
“We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.”
“We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.”
“We know we must inform affected individuals without undue delay.”
2.5.1 The data breach process prompts an assessment of the risk to the rights and freedoms of affected individuals. Where the breach is likely to result in a high risk to individuals, they are informed without undue delay.
2.5.2 Applikation consider a high risk to rights and freedoms to include any breach involving personal data of a financial and/or special category nature. Where a high-risk breach has occurred, notification of the individuals concerned may pre-date notification of the ICO.
2.5.3 While all Applikation staff are expected to escalate any potential data breach swiftly, a breach involving financial data and/or special category data must be escalated as quickly as possible to ensure that action can be taken to mitigate any risk to the rights and freedoms of the individuals affected.
2.5.4 A pre-prepared email template has been established as a crib to ensure that the requisite information is gathered and notification can occur swiftly, along with details of further support.
2.6 Nominated Supervisory Authority.
“We know who the relevant supervisory authority for our processing activities is.”
2.6.1 Should Applikation experience a data breach, where required the breach will be reported to the Isle of Man Supervisory Authority.
2.7 ICO Notification Process.
“We have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet.”
2.7.1 The Applikation Data Breach Process takes into account the need to notify the IoM Information Commissioner of a suspected data breach within 72 hours of becoming aware of it, even if all details are not yet complete.
2.8 ICO Information Requirements.
“We know what information we must give the ICO about a breach.”
2.8.1 A data breach notification template form is held online within the data breach management folder. Should the breach involve a ransomware attack, an off-network device will be used to download a template from the Information Commissioner’s website, so that notification does not depend on the affected systems.
2.9 Breach Documentation.
“We document all breaches, even if they don’t all need to be reported.”
2.9.1 All reportable breaches and non-reportable breaches are recorded in the Data Breach Register.
3 International Personal Data Transfer.
3.1.1 Individuals risk losing the protection of the General Data Protection Regulation and/or Data Protection Act 2018 if their personal data is transferred outside of the EEA. The GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way.
3.1.2 Applikation does not presently transfer personal data to any country outside of the EU or to any international organisation. If in the future data is transferred internationally, and the country to which the personal data is transferred does not have a recognised EU or UK Adequacy Agreement, we shall ensure that an Information Commissioner-endorsed safeguard contract is in place with the Data Controller or Data Processor within that country which contractually obliges them to protect the information to the same standard required by the General Data Protection Regulation.
3.1.3 All members of the Applikation Team have a responsibility to assist with the identification of instances where data may be transferred internationally, or where a project may require international transfer, and should inform the Data Governance Manager of any processing needs identified.
4 Data Protection Impact Assessments.
4.1.1 A Data Protection Impact Assessment (DPIA) is a process that helps to identify and minimise the data protection risks of a project. Applikation staff must carry out a DPIA for processing that is likely to result in a high risk to individuals.
4.1.2 The DPIA process is owned by the Data Protection Officer but carried out by the Data Governance Manager. All members of the Applikation Team have a responsibility to assist with the identification of processing activities that may require a DPIA. If there is any doubt whether a DPIA should be conducted, guidance must be sought from the Data Governance Manager.
4.2 DPIA Management Process.
“We have created and documented a DPIA process.”
4.2.1 See enclosures at the end of the document.
4.3 DPIA Training.
“We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data.”
“We provide training for relevant staff on how to carry out a DPIA.”
4.3.1 Applikation use an online Data Protection Awareness Training package which includes details on when a DPIA should be conducted. Training on how to carry out a DPIA is covered as part of the quarterly training workshop programme.
4.4 DPIA Conduct.
4.4.1 Applikation will consider conducting a DPIA if any processing or development projects include the following:
- Evaluation or scoring;
- Automated decision-making with significant effects;
- Systematic monitoring;
- Processing of sensitive data or data of a highly personal nature;
- Processing on a large scale;
- Processing of data concerning vulnerable data subjects;
- Innovative technological or organisational solutions;
- Processing that involves preventing data subjects from exercising a right or using a service or contract.
4.4.2 If, following consideration, the decision not to conduct a DPIA is taken, the decision and its justification are documented in the DPIA Register – see enclosures at the end of the document.
4.4.3 Applikation will always carry out a DPIA if any processing or development projects:
- Use systematic and extensive profiling or automated decision-making to make significant decisions about people;
- Process special-category data or criminal-offence data on a large scale;
- Systematically monitor a publicly accessible place on a large scale;
- Use innovative technology in combination with any of the criteria in the European guidelines;
- Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
- Carry out profiling on a large scale;
- Process biometric or genetic data in combination with any of the criteria in the European guidelines;
- Combine, compare or match data from multiple sources;
- Process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines;
- Process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines;
- Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
- Process personal data that could result in a risk of physical harm in the event of a security breach.
4.5 DPIA Checklist.
4.5.1 When Applikation conduct a DPIA, we:
- Describe the nature, scope, context and purposes of the processing.
- Ask our data processors to help us understand and document their processing activities and identify any associated risks.
- Consider how best to consult individuals (or their representatives) and other relevant stakeholders.
- Ask for the advice of our data protection officer.
- Check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure compliance with data protection principles.
- Conduct an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
- Identify measures we can put in place to eliminate or reduce high risks.
- Record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
- Implement the measures we identified, and integrate them into our project plan.
- Consult the ICO before processing, if we cannot mitigate high risks.
- Keep our DPIAs under review and revisit them when necessary.
5 Individual Rights
5.1 Right to be Informed.
5.1.1 Privacy Notice. Applikation has implemented a GDPR and DPA 2018 compliant Privacy Notice. The Privacy Notice is located at the following link: https://www.applikation.co.uk/privacy-policy. In observance of the Information Commissioner’s direction, the Privacy Notice includes the following detail:
- The name and contact details of our organisation.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
- The details of transfers of the personal data to any third countries or international organisations (if applicable).
- The retention periods for the personal data.
- The rights available to individuals in respect of the processing.
- The right to withdraw consent (if applicable).
- The right to lodge a complaint with a supervisory authority.
- The source of the personal data (if the personal data is not obtained from the individual it relates to).
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
- The details of the existence of automated decision-making, including profiling (if applicable).
5.1.2 Privacy Notice – When we provide it. Applikation provides a master copy of their Privacy Notice on their website. Whenever personal data is collected from a customer/client or Data Subject we ensure that we provide an opportunity to review the Privacy Notice or we signpost the web link so that the data subject can review the Privacy Notice. In circumstances where we are unable to provide details of, or a link to, the Privacy Notice we send out a hard copy.
5.1.3 Privacy Notice Management. The Applikation Privacy Notice is version and date controlled to ensure that it is clear what Privacy Notice is extant or was in place at any given time. Applikation maintain a Privacy Notice Change Register to keep track of the extant Privacy Notice and any changes that have been made. The Privacy Notice is reviewed as required and at minimum annually. Reviews are recorded in the Privacy Notice Change Register.