Confident Communication Data Protection and GDPR Compliance Policy


General Statement of Confident Communication Duties and Scope  

Confident Communication processes relevant personal data regarding members of school staff as part of its operation and shall take all reasonable steps to do so in accordance with this policy.

 

Confident Communication is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.


Confident Communication’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Third Parties to share in this commitment.


This policy applies to all processing of personal data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.


This policy has been designed to establish a baseline standard for the processing and protection of personal data by Confident Communication. Where national law imposes a requirement that is stricter than that imposed by this policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to.


Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.


Data Protection 

Confident Communication ensures that all personal data is processed in compliance with this Policy, the Principles of the Data Protection Act 1998, and the General Data Protection Regulation Directive 2018.

 

Personal Data - Schools 

Personal data of schools (corporate subscribers) and school employees (corporate users) held by Confident Communication does not include sensitive personal data. This data is limited to:

 

  • Corporate Subscriber Postal Address
  • Corporate Subscriber Email Address
  • Corporate Username
  • Corporate User Job Title
  • Corporate User Email Address
  • Corporate User Postal Address

 

Confident Communication processes the above school data for direct marketing purposes. Data subjects have the right to request an opt-out to these activities, which must be respected.

 

Data Security 

Confident Communication will take appropriate technical and organisational steps to ensure the security of personal data.

 

Confident Communication are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

 

An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite.

 

No data held by Confident Communication will be shared with any other party.

 

Confident Communication will adopt physical, technical, and organisational measures to ensure the security and protect the confidentiality, integrity, and availability of the Personal Data.


External Processors

Confident Communication must ensure that data processed by external processors, for example, service providers, Cloud services including storage, CRM systems and web sites are compliant with this policy and the relevant legislation.

 

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

 

Retention of Data

Records will only be stored for statutory period as required by HMRC or other national organisations.

 

Evaluation Data 

Confident Communication processes data supplied by schools for the purposes of evaluation.

 

This data is always anonymous – without any names present on any of the data provided to Confident Communication for processing purposes.

 

Where hard copies of this data are provided to Confident Communication, they will be kept securely as described above. Hard copies of this data will be destroyed securely as per above security statement.

 

This data will only be retained as per conditions set by national organisations.

 

 

Confident Communication GDPR Compliance – Marketing to Schools 

Where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals, provided that they are given the opportunity to opt-out.

Confident Communication marketing to School and School Teacher Data fall under the business-to-business marketing regulations.

 

Employees of corporate entities, i.e., limited companies and government departments (schools and academies) are provided on an opt-out basis not opt-in.

 

Emails to employees of corporate entities are given the option to easily unsubscribe or opt-out from receiving further email marketing.

 

Confident Communication will ensure that:

 

All recipients are given the option to easily unsubscribe or opt-out from receiving further email marketing.

 

All products or services that Confident Communication promotes are relevant to the audience that we are emailing.

 

Confident Communication will follow the GDPR compliance rules concerning:

 

The Right of Access

If an individual asks Confident Communication what information we hold on them, we must provide this without delay (Name / Job Title / Email Address / School Address)

 

The Right to Erasure

If an individual asks for all data that can identify them to be erased, Confident Communication will do this without any delay.

 

Data Breach

Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify Confident Communication, providing a description of what occurred. Notification of the incident can be made via e-mail to info@confidentcommunication.co.uk or by calling PHONE NUMBER. Confident Communication should update the internal breach log, including pertinent facts relating to the incident, effects and remedial actions taken.

All reported incidents will be investigated to confirm whether a Personal Data Breach has occurred. For severe Personal Data Breaches, Confident Communication must inform the ICO within 72 hours of becoming aware of the breach. In some cases, affected Data Subjects should be advised of the personal data breach.


Confident Communication – Legitimate Interest Statement


This document demonstrates compliance in line with Confident Communication’s accountability obligations under Articles 5(2) and 24 of the GDPR.

Confident Communication adopts legitimate interest for marketing activities as the most appropriate basis for the use of data. The data is used in ways that people would reasonably expect and in a way that has a minimal privacy impact.

The right to object to our direct marketing is absolute and Confident Communication will stop processing an individual’s data following an objection from that individual. Confident Communication’s legitimate interests are not compelling enough to override the individual’s right to object.


Confident Communication – Legitimate Interest Assessment


Identifying a Legitimate Interest 

What is the purpose of the processing operation?

The processing operation is limited to storage of corporate subscriber’s data. The purpose is to promote confident communication skills to improve educational and life outcomes for the individual subject.

 

Is the processing necessary to meet one or more specific organisational objectives?

Yes. The processing operation is required to achieve the lawful business objective of Confident Communication in promoting the products and services available to corporate subscribers.

 

Is the processing necessary to meet one of more specific objectives of any third party?

This does not apply. Confident Communication does not pass any data to third parties.

 

Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?

Yes. Confident Communication processes information only for the purposes of administration (Recital 48). Sensitive personal data processed in the employee context refers to Article 9(2)(b).

 

The Necessity Test 

Why is the processing activity important?

The processing activity is business critical. Data is processed to promote Confident Communication to improve education outcomes for individual subjects.

 

Why is the processing activity important to other parties the data may be disclosed to?

Not applicable to Confident Communication. No data is shared with other parties.

 

Is there another way of achieving the objective?

Any other way would require disproportionate effort and would be far more intrusive.

 

The Balancing Test 

Nature of relationship between Confident Communication and individuals

Business to Business relationship

 

Is any of the data sensitive or private?

No. Most of the data is also freely available in the public domain.

 

Would people expect Confident Communication to use their data in this way?

Yes.

 

Is Confident Communication happy to explain the use of data to individuals?

Yes. Individual data is limited to:

  • Corporate Subscriber Postal Address
  • Corporate Subscriber Email Address
  • Corporate Username
  • Corporate User Job Title
  • Corporate User Email Address
  • Corporate User Postal Address

 

Confident Communication only uses this data for business-to-business marketing. It is not supplied to any third parties. Individuals have the right to opt-out at any time.

 

Are some people likely to object or find it intrusive?

Our direct marketing is sporadic and in no way intrusive. If any individual no longer wishes to receive our direct marketing, they have the clear option to opt-out.

 

Are you processing children’s data?

Yes. Data processed by Confident Communication is anonymous and only at the request of the school concerned.

 

Are any of the individuals vulnerable in any way?

No.

 

Does Confident Communication offer an opt-out?

Yes. Confident Communication also offers the Right to Access and the Right to Erasure in compliance with the GDPR. 


Legitimate Interest Assessment Outcome

 

Based on the outcomes of the balancing test – Confident Communication is confident that our legitimate interests are formed on an appropriate basis. Confident Communication’s legitimate interest is not overridden by any risks that have been identified.

 

7th June 2021