Our Commitment
We are committed to ensuring the protection of all personal information that we hold, and to providing and protecting all such data. We recognise our obligations in updating and continually improving this programme to meet the requirements of the GDPR and DPA.
What We Have Done
We have a consistent level of data protection and security across our business, but we have introduced new measures to ensure compliance…
Personal data audit
We carried out an audit of personal data held at Sipsynergy and documented this with a data inventory. This highlighted what data we hold, how it is stored, how it is made secure, who has access to the data and who is responsible for it. Our HR consultant has also carried out a similar exercise for all employee personal data held. Both data inventories are reviewed regularly.
Policies and Procedures
We have revised our data protection policies and procedures to meet the requirements and standards of the GDPR legislation. These include:
- Data Protection: our policy has been revised to meet the standards and requirements for GDPR. We have detailed the measures we have taken to become more compliant, focusing on the privacy and rights of our employees.
- Privacy Policy: we have revised our Privacy Policy to comply with GDPR, ensuring that all individuals whose personal information we process are informed of the reason why we need it, how it is used, what their rights are and what safeguarding measures are in place to protect their information. This policy can be found on our website.
- Supplier agreements: where we use any third-party supplier to process any personal information on our behalf (HR or Payroll) or to complete a contracted service (telecoms supplier, courier service etc.), we issued a Supplier Data Protection addendum, highlighting our and their responsibilities to meet the GDPR obligations.
Subject Access Request
We have upgraded the storage location of any personal data that we hold (now with Amazon SW3) making it easier for us to accommodate the revised 30-day timeframe for providing the requested information, and in most reasonable cases, this provision will be free of charge.
Obtaining Consent
We have revised our consent mechanisms for obtaining personal data, ensuring that individuals are aware that personal data is only collected to supply the contracted service, and this is stated in our privacy policy.
Data Retention and Erasure
After completing our data inventory, we have updated our data retention and erasure schedule document to ensure that we meet the ‘data minimisation and storage limitation’ principles stated in the new GDPR law and that any personal data is stored, archived and, in some cases, destroyed in accordance with our obligations.
Data Accuracy
We ensure the accuracy of any data we hold or process and can check the accuracy and record the source of data, complying with the individual’s right to rectification, when asked.
Lawful Basis for Processing
Following the new legislation, businesses must have a legitimate basis for processing any personal data that is collected. The government have defined six legitimate reasons to select from, and your choice must be based upon your purpose and the relationship you have with the individual. Sipsynergy have selected ‘contract’ as our lawful basis for collecting personal data. This means that processing personal data is necessary for the contract of service provision that we hold with individuals.
Information Security and Technical and Organisational Measures
Sipsynergy takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction, and this is down to our continual improvement programme within our ISMS and ISO 27001 accreditation, which as a company we have held successfully since 2016.
GDPR Roles and Employees
We have appointed Amelia Wright as the person with responsibility for data protection compliance within Sipsynergy. She can be contacted at info@sipsynergy.co.uk.
Along with the SMT, Amelia is responsible for promoting the awareness of GDPR across the company, assessing our compliance, identifying any gap areas and implementing any new policies, procedures, measures and training.
Sipsynergy understands that continuous employee awareness and understanding are vital to continued compliance with GDPR and is committed to ongoing training for all of our staff.
If you have any questions about our GDPR compliance, would like any more information or have a request, please contact Amelia Wright at info@sipsynergy.co.uk or call Sipsynergy’s main number.