House of Experience Ltd (“House of Experience”) is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of House of Experience Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a House of Experience Contact (i.e. the Data Subject). House of Experience, as a Data Controller (i.e. any organisation that handles Personal Data), is responsible for ensuring compliance with the Data Protection requirements outlined in this policy.
House of Experience’s leadership is fully committed to ensuring continued and effective implementation of this policy, and expects all House of Experience Employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction. This policy has been approved by House of Experience’s Chief Executive Officer, Damian Clarke.
2.1 Policy Dissemination & Enforcement
To demonstrate our commitment to Data Protection and enhance the effectiveness of our compliance efforts, House of Experience has established a Data Protection Champion. The Data Protection Champion ensures that each team within House of Experience responsible for the Processing of Personal Data is aware of and complies with the contents of this policy. Data Protection training and procedural guidance are in place to ensure that Data Protection is part of House of Experience’s company culture.
Additionally, all Third Parties engaged to Process Personal Data on behalf of a House of Experience employee will be aware of and comply with the contents of this policy. Assurance of compliance will be obtained prior to granting them access to Personal Data controlled by House of Experience.
2.2 Data Protection by Design
To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each must go through an approval process. All IT systems and applications in the process of being built prior to the GDPR implementation date have undergone rigorous Data Protection Impact Assessments.
2.3 Compliance Monitoring
To confirm that an adequate level of compliance is achieved by all Data Processors in relation to this policy, the Data Protection Champion will carry out an annual Data Protection compliance audit. Each audit will assess compliance with this policy in relation to: the protection of Personal Data, assignment of responsibilities, employee training, effectiveness of Data Protection operational practices and the adequacy of procedures for redressing poor compliance and Personal Data breaches.
2.4 Data Protection Principles
Principle 1: Lawfulness, Fairness and Transparency.
Personal Data will only be collected for one of the purposes specified in the applicable Data Protection regulation, and the method of processing that will occur will be thoroughly explained to the Data Subject.
Principle 2: Purpose Limitation.
Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
Principle 3: Data Minimisation.
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
Principle 4: Storage Limitation.
In line with Principle 3, Personal Data shall be kept in a form which permits identification of a Subject for no longer than necessary for the purposes outlined to the Subject.
Principle 5: Accuracy.
Personal Data which needs to be stored for a defined period of time must be kept accurate and up to date, thus adhering to specified processes for identifying and addressing out of date and redundant Personal Data. House of Experience employees will adopt all necessary measures to ensure that Personal Data collected and processed is complete and accurate and reflects the current situation of the Data Subject.
Principle 6: Integrity & Confidentiality.
Personal Data shall be processed and stored in a manner that ensures appropriate security of said Data, including protection against unauthorised processing and accidental loss, destruction or damage.
Principle 7: Accountability.
The Data Controller shall be responsible for, and be able to demonstrate, compliance in accordance with the six previous Data Protection Principles.
2.5 Data Subject Informed Consent
Each House of Experience Employee will only obtain Personal Data by lawful and fair means and with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to collection or use of their Personal Data, House of Experience is committed to seeking such consent.
The term Informed Consent suggests that when applicable or reasonably appropriate to do so, the House of Experience Employee will provide Data Subjects with information as to the purpose of the processing of their Personal Data. Consent should be given in writing and retained.
3.0 Data Processing
House of Experience uses Personal Data for the purposes of: the general running and business administration of House of Experience employees, providing services to House of Experience clients, and the ongoing administration and management of customer services.
House of Experience employees will process Personal Data in accordance with all applicable laws and contractual obligations and Data will only be processed once Informed Consent is given (see 2.5). Data will be stored and processed via Force24. To view their privacy notice and GDPR policy please visit: https://www.force24.co.uk/privacy/.
3.1 Data Retention
To ensure fair processing, Personal Data will not be retained by House of Experience for longer than necessary in relation to the purposes for which it was originally collected. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a reason to retain it.
3.2 Data Protection
House of Experience employees will adopt technical and organisational measures to ensure the security of Personal Data. Blue Wren Ltd (the Supplier and main Data Processor) provides bespoke software solutions and websites to House of Experience. Their policy (outlined below) covers all software designed and built by them as well as this website.
For further information regarding the Supplier’s GDPR policy please visit: https://www.bluewren.co.uk/
3.2.1 Development Phase
During the development of the Services, the development team at the Supplier will have full access to the database as required for the purpose of the development of the Services. The databases will be populated with fictional data for the purpose of testing the Services prior to going live.
3.2.2 Go Live
In some cases, the Supplier at the request of the Client may pre-populate the databases with live/actual data which may or may not include personally identifiable information (PII). During the go-live phase and support phase that follows shortly after, the development team at the Supplier will have access to the databases for the purpose of resolving any technical issue with the Services.
3.2.3 Post Go Live
Once the Services are fully operational, access to the databases for the development team will be revoked to ensure nobody has unnecessary access to the information contained within. Only the Operations Director, Head of Software and the Infrastructure Manager will retain access to the databases, for the purpose of granting access to the development and/or support team as required.
3.2.4 Further Development and/or Support
The Client may request from the Supplier further development of the Services or to have an issue resolved. In this instance, and only when the request has come from a trusted source, access to the databases will be granted to a specific member of the support or development team by either the Operations Director, Head of Software or Infrastructure Manager. Access will be revoked once the support request or development has been delivered.
Data is stored on servers provided by Amazon Web Services in the EU. The data is encrypted when stored at rest using the industry standard AES-256 encryption algorithm. Access to the databases via the Services can only be gained by the embedded secret key. Access to the Services is controlled by the Client.
The staff at the Supplier are aware of the importance of keeping PII safe and secure. They are regularly briefed and updated with data protection practices. Data will not be accessed without a legitimate reason.
3.3 Law Enforcement Requests & Disclosures
In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. Cases where disclosure of Personal Data is necessary include: prevention and detection of crime, prosecution of offenders, and by the order of a court or by any rule of law. If a House of Experience Employee receives a request from any regulatory or law enforcement authority for information, they must immediately notify the Data Protection Champion, who will provide guidance.
3.4 Data Transfers
In order for House of Experience to carry out its operations effectively, there may be occasions where it is necessary to transfer Personal Data. Should this occur, the House of Experience Employee sending the Data remains responsible for ensuring protection for that Data. The Personal Data will be sent via encrypted email or via Slack. Slack is fully GDPR compliant; to find out more, visit: https://slack.com/gdpr
4.0 Breach Reporting
Any individual who suspects that a Personal Data Breach has occurred must immediately notify the Data Protection Champion and their line manager, providing a description of what occurred. Once confirmed that a Breach has occurred, the Data Protection Champion and/or relevant line manager will follow the relevant procedure based on the criticality and quantity of Personal Data involved.
5.0 Policy Maintenance
This policy shall be available to all House of Experience Employees through the People HR portal. People HR is GDPR compliant. You can find their GDPR policy here: https://www.peoplehr.com/gdpr.html. This policy is effective as of 20/01/2018. House of Experience’s Data Protection Champion is responsible for the maintenance and accuracy of this policy. Notification of revisions shall be provided to House of Experience Employees through the Human Resources Department. Changes to this policy will come into force when published on the People HR portal.
© House of Experience 2018