Impamark GDPR Policy

Dated 01/05/2018

For many individuals, consent is the lawful basis on which Impamark processes their data. Impamark will review existing records and contact the individuals involved where the existing level of consent does not meet the GDPR standard.

Consent for different communication channels is ‘unbundled’. This means that each channel of communication is treated separately and consent for using each channel must be gained separately. This principle is already largely followed. When communicating through one channel, details for another channel may be requested. For example, when communicating by phone, the customer’s email address may be requested with the explicit purpose of sending over a quote.

If one communication method fails, another method may be used. The publicly available business phone number of a customer may be retrieved where necessary so that a contract can be performed. Although no explicit consent is given, retrieving such a phone number is lawful on the basis of both the requirement to perform a contract and legitimate commercial interest. Additionally, an email address would be retrieved from the company website, which usually offers explicit consent with wording such as “you can call us at”.

Contact information is less of a concern for Impamark because the company predominantly supplies other businesses and organisations. These organisations and businesses deliberately make their contact details publicly available so that people can reach them.

One of the steps that Impamark is taking to properly confirm consent is to record the origin of each contact. As previously mentioned, Impamark’s CRM system can record the ‘lead source’ for a particular customer.

Children

None of Impamark’s customers are children, so we hold no children’s data. Impamark supplies merchandise to organisations. These organisations are generally businesses, so for Impamark to have a child as a customer, another company would have to be illegally using child labour.

Awareness / Staff Training

At Impamark, all members of staff are aware of the GDPR and that it could affect how we do business. Job roles at Impamark can be split into two categories: sales and IT.

The IT department handles the running, installation and maintenance of computer and telecoms systems. This includes the CRM system in which customer information is stored. The IT department has general responsibility within the company for data protection. Requests from customers exercising their right of access should be handled by the IT department, to ensure that all information held is communicated.

The sales department focuses on the acquisition and retention of customers and on fulfilling customer needs. One of the steps Impamark will be taking is ensuring that the source of each lead is recorded. This allows Impamark to more properly justify the lawful holding of personal information.

Regular training is given to all members of staff with respect to GDPR, data security and privacy.

Impamark holds an IT policy which all members of staff must read and sign when they commence their employment.

Data Breach

In the case of a data breach where customers’ personal information is at stake, the customers involved will be informed in a timely manner. Where legally required, Impamark will inform the ICO of a data breach once one is found to have occurred. A large amount of the information we hold relating to customers is already publicly available and is therefore less likely to result in a risk to the rights and freedoms of individuals.

Data Protection By Design

Under the GDPR, data protection should be by design. Documentation within Impamark is in the process of being redrafted with data protection in mind. This will include Terms and Conditions documents, company policies, contracts and privacy policies. Compared to other companies, Impamark already collects and stores only a relatively minimal amount of information. Impamark does not use any advanced analytics, big data analysis or machine learning. Some large social media companies, such as Google and Facebook, collect large amounts of information on individuals who do not even use their services.

Data Protection Officers

The IT department within Impamark will take responsibility for compliance in matters regarding data protection. The head of IT is currently John Crisp. In matters relating to information rights, the IT department will liaise with staff, and John will liaise with the Managing Director, Nicola Crisp.

Impamark is not formally required to designate a Data Protection Officer (DPO). Impamark does not fall under any of the following categories, which would make it necessary to do so:

Individuals’ Rights

Impamark recognises the information rights of individuals and will not take up any practice which infringes on these rights. Customers can request the information we hold relating to them and can restrict our use of that information. Customers are legally able to request that information we have relating to them. Some information relating to invoices we are legally required to keep for a period. VAT records, for example, should be kept for at least six years.

Information We Hold

Personal Data We Hold

Personal information is held in our CRM system and its backups. At the time of writing, the system is a patched installation of Vtiger 5.4, which will be converted into a CoreBOS install. This CRM system stores personal information regarding customers: their name, the organisation they are attached to and their contact information. This contact information consists of email addresses and phone numbers, which are usually publicly available. Delivery addresses are also stored so that a customer can receive the merchandise they purchase. Any information which is not publicly available has been given with consent.

The Origin Of This Personal Data

All personal data held by Impamark is legally sourced and stored. Customers are often found through networking events and through enquiries from customers themselves. Some customers are found through word of mouth, and some contact us by coming to the office door.

The origin of personal data is stored in the CRM system in a field named ‘Lead Source’. This field offers a list of possible sources for a particular customer, including custom sources, some of which indicate the specific conference.

Over Impamark’s years of trading, some organisations we have previously dealt with have had changes in staff. To find new business, such customers will be contacted again. In some cases the relevant contact will have changed and the appropriate new contact details may be given.

For some marketing campaigns, Impamark has used publicly available information to contact potential customers. Every email campaign sent out contains an unsubscribe link. The CRM system has an email opt-out check box which allows us to opt customers out of unwanted emails.

How This Data Was Collected

Information is usually collected from customers by email or phone and entered manually into the CRM system. The information we collect is needed largely to fulfil contracts with our customers and is given with consent.

Some information will be collected before contact is made with a potential customer. This information is collected so that Impamark can find and contact potential customers and enter into a mutually beneficial relationship. This information is processed lawfully, with legitimate commercial interests as the basis. If individuals object to such information being stored, they can invoke their right to restrict processing and their right to erasure.

How Long Have We Had This Data For And Retention Periods

With decades of experience within the promotional merchandise industry, Impamark holds some historic data regarding customers. Some of this information can be removed from the system. Some information regarding purchases is useful for reference, and some information we are legally obliged to keep. HMRC, for example, requires information to be kept for seven years.

A full policy regarding data retention periods will be created and put into force within the company. In the interests of transparency, the length of data retention periods will be made available to customers and others that Impamark holds information about.

What Situations Information May Be Shared

Impamark is not in the business of selling customer information, and the only information which is shared is that which is necessary to fulfil the customer’s order. In order for customers to receive their purchased goods, delivery addresses may need to be passed on to suppliers or delivery companies. Customers have previously collected their merchandise from our UK office; in this case a delivery address is not needed.

International Data Transfers

Unusually for a company of its size, Impamark has both a Spanish and a UK office. No information is shared with or transferred to countries outside the EU. Currently, Impamark only transfers data between Spain and the UK, with some IT infrastructure hosted in France. The Spanish office is the home of the Managing Director (Nicola Crisp) and the head of IT (John Crisp). Denise Sanders also staffs the Spanish office.

Transferred data is accessible only to members of staff. To prevent external individuals from accessing data that they should not, all internal systems are password protected and data is transferred over an encrypted IPsec connection. Another security measure implemented within the company is the use of encrypted and signed email. Using Enigmail for Thunderbird, we at Impamark can send encrypted emails and cryptographically sign emails to ensure that an email genuinely comes from the member of staff it claims to come from.

With the upcoming withdrawal of the UK from the EU, Impamark is mindful of the possible changes this may entail. As the law and information rights change further, Impamark will be ready to adapt.

Lawful Basis For Processing

All information which Impamark processes is processed lawfully. Under Article 6 of the GDPR, lawful processing must rest on at least one of the following:

Impamark generally collects and processes information only with the consent of the data subject. Personal information is given voluntarily. Impamark uses customer information to serve the customer and to provide them with prestige branded merchandise.

In order to provide customers with their order, we must use some information relating to them. This is perfectly lawful, as the processing is done in performance of a contract.

When contacting business leads which have not been contacted previously, Impamark does so with a legitimate commercial interest in mind. We at Impamark do not want to harass individuals by any means. If nothing else, it is bad for business to annoy potential customers.

Some records may be kept in order to comply with legal obligations. As previously mentioned, this may impact the right to erasure given under the GDPR and obligate Impamark to refuse such a request from the data subject.

Review Of Privacy Information

The Justification For Collecting Requested Information

Information collected by Impamark is collected so that the company can fulfil its contractual duties. In order to deal properly with an organisation, Impamark needs information about both the organisation and the contact. Contacts are needed so that staff know who within an organisation they should contact.

Information relating to these individual contacts is therefore needed. Contact information such as phone numbers and email addresses is fundamentally needed in order for people to be contacted. Similarly, the name of the contact is needed so that staff know who to talk to and who to ask for. To serve our customers properly, Impamark also records the person’s title, job title and the source of the contact. Other non-personal information, such as ‘Do Not Call’, ‘Email opt-out’ and whether the contact has had a catalogue, is also recorded. In order to deliver to customers, mailing addresses are recorded.

Information regarding potential customers may be recorded on the basis of legitimate commercial interests. This information can be removed from our system on request. This information is publicly available or is available through membership of an organisation such as the Essex Wildlife Trust.

The Lawful Basis For Processing Data

Information collected and processed by Impamark is collected and processed with a legitimate interest. Information from customers is largely given with consent or is publicly available. Other information may be voluntarily available to us through corporate membership of an organisation such as the Essex Wildlife Trust. Information which is not given with consent is processed on the lawful basis of legitimate commercial interest. Customer information which we process is processed to fulfil our contractual obligations to them.

Data Retention Periods

Impamark currently keeps the data within the CRM regarding business contacts for an indefinite period. Data about historic contacts, such as names and contact information, can be removed. Older information within our CRM system is useful for internal company reports and historical data, but these reports usually only use information from purchase orders, sales orders and invoices.

Some data is retained as a matter of legal obligation. HMRC, for example, generally requires data to be kept for up to seven years. Information regarding VAT purchases needs to be kept for six years.

To ensure that Impamark complies properly and completely with the GDPR, a data retention policy will be written and put into force within the company. Lengths of data retention periods will be made available to customers.

How The Data Subject Can Make A Complaint

Complaints regarding information rights, relating to organisations including Impamark, can be made to the ICO, the Information Commissioner’s Office. The ICO is an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The website can be found at https://ico.org.uk, with specific information on raising concerns at https://ico.org.uk/concerns/. The ICO can be contacted through live chat or through its helpline on 0303 123 1113.

Impamark would appreciate it if concerns about how we collect and process data were communicated to us first. We hope that we can resolve issues quickly and effectively.

Third Parties’ Access To Data

As previously stated, Impamark is not in the business of selling customer information. Third parties are given access to information only in a narrow set of circumstances. Addresses will be required by third parties, whether suppliers or delivery companies, in order for merchandise to be received. This information is supplied only where necessary to fulfil our contractual obligations to our customers. Customers have previously chosen instead to collect from our UK office. Other information may also be communicated to suppliers in order for Impamark to fulfil its contractual obligations. Awards, for example, are often engraved with the names of those who won them, and this information needs to be communicated to the person doing the engraving.

Subject Access Requests

Under data protection rules, data subjects are legally entitled to request the information held about them. These are subject access requests. Impamark will not charge for subject access requests and in most cases would not be able to anyway. Information will be provided to data subjects within one month, as legally required. Some time may be needed to ensure that all data is collected and that the information rights of others are not infringed.

Requests may be legally refused if they are unfounded or excessive. Impamark will not give out information regarding customers without caution. Impamark cannot give out information regarding a customer without certainty that the individual requesting the information is actually the data subject. When a request is refused, the individual will be informed of their right to complain to the supervisory authority and of their right to a judicial remedy.

Nicola Crisp - Managing Director