General Data Protection
365 AM is committed to respecting and protecting our customers’ privacy and have created this Policy Document to show the steps we have decided upon to ensure best practice is followed.
365 AM Limited collect and hold data pertaining to those customers, suppliers and other agencies we work with on a transactional basis. We also hold data for sales and marketing purposes which is supported by consent, subscription preferences and overt opt in from the businesses and individuals concerned.
In the performance of our business of Dynamics 365 developers we may, at times, process data belonging to our clients’ customers. This requires the correct secure storage, transport and deletion procedures are carried out. It also requires that in our Sales and Marketing processes we institute the recognition of the concept of asking for and recording consent to be included in our database for this purpose in our processes.
Sales and Marketing data collection:
- We will ensure all staff understand the importance of asking for and recording consent to be included in our Sales and Marketing database and record their subscription preferences.
Third Party Processing:
- Any third-party supplier of data processing resources to 365 AM will be required to sign our Data Processing Agreement which covers all of the above points.
We will ensure the following is carried out:
- All Microsoft updates to any operating systems and/or Cloud environments will be applied as soon as possible and kept up to date.
- All data held in the Cloud is secured and covered by Microsoft’s threat mitigation practices and security strategy – details of which can be found here https://www.microsoft.com/en-us/trustcenter/security
Transfer of Data:
• Wherever possible we will encourage all data or access details to sites where data is held is provided to us by our clients is transferred via safe and encrypted methods such as ftp sites. The responsibility for the safe transfer of data to us remains with the customer.
Deletion of all relevant data Procedure:
- We will ensure all data is deleted from any machines, flash drives and passwords changed to any cloud storage areas once the task(s) has been completed.
- We will ensure that all Data held by 365 AM will be encrypted whenever possible or practical. If it is not practical to do this, ensure it will be deleted at the first possible opportunity on completion of the engagement with the Customer.
Long term engagement and access to data:
- Should we require long term access to any of our clients’ or their customers data we will ensure a Data Processing Agreement has been signed, and the protocols therein followed.
Physical Procedures – end of Life Equipment – the following actions will be taken:
- Ensure any paper/printed copies of data have been shredded and disposed of securely.
- Ensure any end of life machines have had their hard drives physically destroyed or securely wiped.
Ensure any end of life flash drives have been securely disposed of
- Regular checks are the responsibility of the Data Controller and will be implemented to make sure
these protocols are adhered to.
- The Data Controller will contact the Information Commissioners Office (ICO) if there is a Data Breach as soon as it has been recognised as such.
Information Deletion, Anonymisation, Requests and Complaints:
Data subjects of 365 AM data have the right to request information on what data 365 AM hold on them and also to ask for that data to be deleted. Our process for this is for this is that requests be forwarded to the following email firstname.lastname@example.org. On receipt of such a request the following actions will be taken:
- Where the data has formed part of transactional processes it will be kept for the minimum requirements of HMRC (i.e 7 years).
- Where the data has been held for marketing or other purposes but is also part of chains of information such as in CRM systems the relevant contact (and or Account) will be deleted.
- Where is cannot be deleted due to business requirements it will be anonymised so that the individual cannot be identified.
Complaints may be raised to the Data Controller – Ian Bourne. via email at email@example.com