Lockcode Limited Privacy Policy

Last Updated: 02 August 2019

This privacy policy explains how we use any personal information we collect about you when you use our websites.

Lockcode Limited includes:

Lockcode Cyber Security Consultancy

www.lockcodecybersecurity.com

ICO Registration Number: ZA063592

First Date Registered: 03 July 2014    

Data Controller: Lockcode Limited

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you through our contact form here.

What information do we collect about you?

We collect information about you when you subscribe on our websites, complete a contact form on our websites, place an order for our products or services or sign up for one of our events.

 

We also collect information when you voluntarily complete customer surveys, provide feedback and participate in our competitions. Website usage information is collected using cookies.

Other websites

Our websites contain links to other websites. This privacy policy only applies to our websites, so when you follow a link to another website you should read its own privacy policy.

 

Visitors to our websites

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.

 

Google Analytics

To provide website visitors the ability to prevent their data from being used by Google Analytics, Google has developed the Google Analytics opt-out browser add-on for the Google Analytics JavaScript (ga.js, analytics.js, dc.js).

If you want to opt out, download and install the add-on for your web browser. The Google Analytics opt-out add-on is designed to be compatible with Chrome, Internet Explorer 11, Safari, Firefox and Opera. In order to function, the opt-out add-on must be able to load and execute properly on your browser. For Internet Explorer, 3rd-party cookies must be enabled. Learn more about the opt-out and how to properly install the browser add-on here.

 

For more information, please see Google’s Privacy Policy

 

E-newsletter

We use a third party provider to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our newsletter. If you subscribe to our newsletter, you can cancel your subscription at any time using the unsubscribe button within the newsletter you’ve received. For more information, please see Mailchimp’s Privacy Policy.

 

Event Registration

We use a third party provider to enable easy registration for our events. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our event planning. For more information, please see Eventbrite’s privacy notice. For live events we may share registration details with our event sponsor for security reasons. 

 

Website Hosting

We use a third party web hosting service for:

www.lockcodecybersecurity.com

For more information, please see Wix’s Privacy Policy.

We currently use a third party Learning Management System. For more information, please see HERE.

 

Social Media

We use third party tools including Twitter, Crowdfire, Facebook (and Facebook Companies), YouTube (Google), LinkedIn and Instagram. Please refer to their respective Privacy Notices on their websites:

Twitter Privacy Policy

Crowdfire Privacy Policy

Facebook Data Policy

YouTube Privacy Policy

LinkedIn Privacy Policy

Instagram Privacy Policy

Facebook Companies

 

Email

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

 

People who use our services

We have to hold details of people who have requested our services in order to provide them. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have subscribed to our newsletters or registered for an event to carry out a survey to find out if they are happy with the level of service they received.

 

Access to your information and correction

You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us at the following address. We may make a small charge for this service. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.

 

For further information visit https://www.aboutcookies.org/ or http://www.allaboutcookies.org/.

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.

 

How will we use the information about you?

We collect information about you to process your order, send you information through our newsletter if you subscribed through our websites or registered for one of our events. We use your information collected from the website to personalise your repeat visits to our website. In processing your order, we may send your details to, and also use information from credit reference agencies and fraud prevention agencies.

 

Keeping your data secure and disclosing your information

Transmitting information over the internet is not completely secure, and we can’t guarantee the security of your data. Any data you transmit to us is at your own risk. We have procedures in place to try and keep your data secure once we receive it. We don’t share your information with any other organisations for marketing, market research or commercial purposes. We may pass on your personal information if we have a legal obligation to do so, or if we have to enforce or apply our terms of use and other agreements.

GDPR Compliance Extra Information

GDPR Principle (a): Lawfulness, fairness and transparency

Lawfulness

 

We have identified an appropriate lawful basis (or bases) for our processing.

If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.

We don’t do anything generally unlawful with personal data.

 

Fairness

We have considered how the processing may affect the individuals concerned and can justify any adverse impact.

We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

We do not deceive or mislead people when we collect their personal data.

 

Transparency

We are open and honest, and comply with the transparency obligations of the right to be informed.

GDPR Principle (b): Purpose limitation

 

We have clearly identified our purpose or purposes for processing.

We have documented those purposes*.

We include details of our purposes in our privacy information for individuals.

We regularly review our processing and, where necessary, update our documentation and our privacy information for individuals.

If we plan to use personal data for a new purpose, we check that this is compatible with our original purpose or we get specific consent for the new purpose.

 

We are a micro company and according to the ICO:

“The GDPR provides a limited exemption for small and medium-sized organisations. If you employ fewer than 250 people, you need only document processing activities that: 

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or

  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or

  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).”

GDPR Principle (c): Data minimisation

We only collect personal data we actually need for our specified purposes.

We have sufficient personal data to properly fulfil those purposes.

We periodically review the data we hold, and delete anything we don’t need.

 

GDPR Principle (d): Accuracy

We ensure the accuracy of any personal data we create.

We have appropriate processes in place to check the accuracy of the data we collect, and we record the source of that data.

We have a process in place to identify when we need to keep the data updated to properly fulfil our purpose, and we update it as necessary.

If we need to keep a record of a mistake, we clearly identify it as a mistake.

Our records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.

We comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.

As a matter of good practice, we keep a note of any challenges to the accuracy of the personal data.

 

GDPR Principle (e): Storage limitation

We know what personal data we hold and why we need it.

We carefully consider and can justify how long we keep personal data.

We have a policy with standard retention periods where possible, in line with documentation obligations.

We regularly review our information and erase or anonymise personal data when we no longer need it.

We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.

We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.

 

GDPR Lawful basis for processing

We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.

We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.

We have documented our decision on which lawful basis applies to help us demonstrate compliance.

We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.

Lawful bases for processing

 

Lawful bases for processing are set out in Article 6 of the GDPR. At least one of these applies whenever we process personal data:
 

(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
 

(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
 

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
 

(d) Vital interests: the processing is necessary to protect someone’s life.
 

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
 

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

 

Questions we consider when deciding which lawful basis applies

Who does the processing benefit?

Would individuals expect this processing to take place?

What is our relationship with the individual?

Are we in a position of power over them?

What is the impact of the processing on the individual?

Are they vulnerable?

Are some of the individuals concerned likely to object?

Are we able to stop the processing at any time on request?

Consent

Asking for consent

 

We have checked that consent is the most appropriate lawful basis for processing.

We have made the request for consent prominent and separate from our terms and conditions.

We ask people to positively opt in.

We don’t use pre-ticked boxes or any other type of default consent.

We use clear, plain language that is easy to understand.

We specify why we want the data and what we’re going to do with it.

We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

We name our organisation and any third party controllers who will be relying on the consent.

We tell individuals they can withdraw their consent.

We ensure that individuals can refuse to consent without detriment.

We avoid making consent a precondition of a service.

 

Recording consent

We keep a record of when and how we got consent from the individual.

We keep a record of exactly what they were told at the time.

 

Managing consent

We regularly review consents to check that the relationship, the processing and the purposes have not changed.

We have processes in place to refresh consent at appropriate intervals, including any parental consents.

We consider using privacy dashboards or other preference-management tools as a matter of good practice.

We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

We act on withdrawals of consent as soon as we can.

We don’t penalise individuals who wish to withdraw consent.

Legitimate interests

We have checked that legitimate interests is the most appropriate basis.

We understand our responsibility to protect the individual’s interests.

We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

We have identified the relevant legitimate interests.

We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.

We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

We have considered safeguards to reduce the impact where possible.

We have considered whether we can offer an opt out.

If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.

We keep our LIA under review, and repeat it if circumstances change.

We include information about our legitimate interests in our privacy information.

 

LIA

We follow the three-part test:

The purpose test (identify the legitimate interest);

The necessity test (consider if the processing is necessary); and

The balancing test (consider the individual’s interests).

The GDPR provides the following rights for individuals:

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

 

  • You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.

  • We will provide you with information including: our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’.

  • We will provide privacy information to you at the time we collect your personal data from you.

  • If we obtain personal data from other sources, we will provide you with privacy information within a reasonable period of obtaining the data and no later than one month.

  • There are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you.

  • The information we provide to you aims to be concise, transparent, intelligible and easily accessible, and to use clear and plain language.

  • We try to provide privacy information to you using a combination of different techniques including layering, dashboards, and just-in-time notices.

  • We regularly review, and where necessary, update privacy information. We will bring any new uses of your personal data to your attention before we start the processing.

When to Provide It

We provide individuals with privacy information at the time we collect their personal data from them.

 

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

 

within a reasonable period of obtaining the personal data and no later than one month;

if we plan to communicate with the individual, at the latest, when the first communication takes place; or

if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide it

We provide the information in a way that is: 

concise;

transparent;

intelligible;

easily accessible; and

uses clear and plain language.

 

Changes to the information

We regularly review and, where necessary, update our privacy information.

If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
 

Best practice – drafting the information

We undertake an information audit to find out what personal data we hold and what we do with it.

We put ourselves in the position of the people we’re collecting information about.

 

Best practice – delivering the information

When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:

a layered approach;

just-in-time notices; or

icons.

Right of Access

Preparing for subject access requests

We know how to recognise a subject access request and we understand when the right of access applies.

We have a policy for how to record requests we receive verbally.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

We understand the nature of the supplementary information we need to provide in response to a subject access request.

 

Complying with subject access requests

We have processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.

We understand what we need to consider if a request includes information about others.

 

Right to rectification

Preparing for requests for rectification

We know how to recognise a request for rectification and we understand when this right applies.

We have a policy for how to record requests we receive verbally.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for rectification

We have processes in place to ensure that we respond to a request for rectification without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

We have appropriate systems to rectify or complete information, or provide a supplementary statement.

We have procedures in place to inform any recipients if we rectify any data we have shared with them.

Right to erasure

Preparing for requests for erasure

We know how to recognise a request for erasure and we understand when the right applies.

We have a policy for how to record requests we receive verbally.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for erasure

We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

We have procedures in place to inform any recipients if we erase any data we have shared with them.

We have appropriate methods in place to erase information. 

 

Right to restrict processing

Preparing for requests for restriction

We know how to recognise a request for restriction and we understand when the right applies.

We have a policy in place for how to record requests we receive verbally.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for restriction

We have processes in place to ensure that we respond to a request for restriction without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

We have appropriate methods in place to restrict the processing of personal data on our systems.

We have appropriate methods in place to indicate on our systems that further processing has been restricted.

We understand the circumstances when we can process personal data that has been restricted.

We have procedures in place to inform any recipients if we restrict any data we have shared with them.

We understand that we need to tell individuals before we lift a restriction on processing.

Right to data portability

Preparing for requests for data portability

We know how to recognise a request for data portability and we understand when the right applies.

We have a policy for how to record requests we receive verbally.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
 

Complying with requests for data portability

We can transmit personal data in structured, commonly used and machine readable formats.

We use secure methods to transmit personal data.

We have processes in place to ensure that we respond to a request for data portability without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

 

Right to object

Preparing for objections to processing

We know how to recognise an objection and we understand when the right applies.

We have a policy in place for how to record objections we receive verbally.

We understand when we can refuse an objection and are aware of the information we need to provide to individuals when we do so.

We have clear information in our privacy notice about individuals’ right to object, which is presented separately from other information on their rights.

We understand when we need to inform individuals of their right to object in addition to including it in our privacy notice.

Complying with requests which object to processing 

We have processes in place to ensure that we respond to an objection without undue delay and within one month of receipt.

We are aware of the circumstances when we can extend the time limit to respond to an objection.

We have appropriate methods in place to erase, suppress or otherwise cease processing personal data.

Accountability and governance

We take responsibility for complying with the GDPR, at the highest management level and throughout our organisation.

We keep evidence of the steps we take to comply with the GDPR.

We put in place appropriate technical and organisational measures, such as:

  • adopting and implementing data protection policies (where proportionate);

  • taking a ‘data protection by design and default’ approach - putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations;

  • putting written contracts in place with organisations that process personal data on our behalf;

  • maintaining documentation of our processing activities;

  • implementing appropriate security measures;

  • recording and, where necessary, reporting personal data breaches;

  • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;

  • appointing a data protection officer (where necessary); and

  • adhering to relevant codes of conduct and signing up to certification schemes (where possible).

We review and update our accountability measures at appropriate intervals.
 

Security

We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.

When deciding what measures to implement, we take account of the state of the art and costs of implementation.

We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.

Where necessary, we have additional policies and ensure that controls are in place to enforce them.

We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.

We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.

We use encryption and/or pseudonymisation where it is appropriate to do so.

We understand the requirements of confidentiality, integrity and availability for the personal data we process.

We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.

We ensure that any data processor we use also implements appropriate technical and organisational measures.

 

Encryption

We understand that encryption can be an appropriate technical measure to ensure that we process personal data securely.

We have an appropriate policy in place governing our use of encryption.

We ensure that we educate our staff on the use and importance of encryption.

We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal data we store and/or transmit.

We understand the residual risks that remain, even after we have implemented our encryption solution(s).

Our encryption solution(s) meet current standards such as FIPS 140-2 and FIPS 197.

We ensure that we keep our encryption solution(s) under review in the light of technological developments.

We have considered the types of processing we undertake, and whether encryption can be used in this processing.

 

Personal data breaches

Preparing for a personal data breach

We know how to recognise a personal data breach.

We understand that a personal data breach isn’t only about loss or theft of personal data.

We have prepared a response plan for addressing any personal data breaches that occur.

We have allocated responsibility for managing breaches to a dedicated person or team.

Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

 

Responding to a personal data breach

We have in place a process to assess the likely risk to individuals as a result of a breach.

We know who is the relevant supervisory authority for our processing activities.

We have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet.

We know what information we must give the ICO about a breach.

We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.

We know we must inform affected individuals without undue delay.

We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.

We document all breaches, even if they don’t all need to be reported.

International transfers

Restricted Transfers

We use TalentLMS for our online training.

 

GDPR information for TalentLMS (Epignosis LLC):

https://www.talentlms.com/gdpr

https://www.epignosishq.com/privacy-notice/

https://www.epignosishq.com/gdpr-%e2%80%a8compliance-statement/

 

https://www.privacyshield.gov/participant?id=a2zt0000000TNv5AAG&status=Active

 

With reference to the ICO’s guidance (Feb 2019):

USA

The adequacy finding for the USA is only for personal data transfers covered by the EU-US Privacy Shield framework. The Privacy Shield places requirements on US companies certified by the scheme to protect personal data and provides for redress mechanisms for individuals. US Government departments such as the Department of Commerce oversee certification under the scheme.

If you want to transfer personal data to a US organisation under the Privacy Shield, you need to:

check on the Privacy Shield list to see whether the organisation has a current certification; and

make sure the certification covers the type of data you want to transfer.

 

Privacy Shield

https://www.privacyshield.gov/list

 

Mailchimp GDPR

https://mailchimp.com/gdpr/

Eventbrite GDPR

https://www.eventbrite.com/support/articles/en_US/Troubleshooting/eventbrite-eu-data-protection

 

Facebook GDPR

https://www.facebook.com/business/gdpr

 

Facebook Data Policy

https://www.facebook.com/about/privacy

 

Twitter GDPR

https://gdpr.twitter.com/

 

Twitter Privacy Policy

https://twitter.com/en/privacy

 

Wix GDPR

https://support.wix.com/en/article/general-data-protection-regulation-gdpr

 

Google GDPR

https://privacy.google.com/businesses/compliance/#!?modal_active=none

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this web page. 

 

Complaints or Queries

Lockcode tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We welcome any suggestions for improving our procedures.

 

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Lockcode’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent using the contact form here.

Copyright © Lockcode Limited 2018

Registered in England 2004

Company No. 05078345
