GDPR – PIA – Privacy Impact Assessment Statement
Data collection and retention
- What personal data is processed?
Aerial Cornwall collects only the minimum amount of personal information in order to handle business enquiries regarding our services. This includes full name, phone, email, and message. If the enquiry involves Aerial Cornwall visiting a personal or business address then this information is also stored as a reference for travel directions.
Through our website we also implement tracking ‘cookies’ to provide the best user experience for our visitors. Information gathered through ‘cookies’ includes: visitor numbers, page views, country of origin, time on site, device used. This information is not connected in any way to personal contact information received either through the contact form, direct emails or phone calls. The Aerial Cornwall website also uses third party ‘Business to Business’ tracking software which references a visitor’s IP address against a database of international businesses. The third party software provider is GDPR compliant and data about a business visiting our website is not connected to personal information or the individual user, and does not identify any personal IP addresses, mobile devices or any other data than that associated with the business.
You can learn more about ‘cookies’ here: https://ico.org.uk/your-data-matters/online/cookies/
- How is that data collected and retained?
Personal data is collected through the contact forms within our website, direct emails and direct phone calls. The majority of information remains within our email system. For private customers the contact details provided by the individual are also added into our CRM and billing software.
- Is the data stored locally, on our servers, or both?
Personal data is collected and stored locally within our email client software, but that data is also referenced from an external email server via IMAP (Internet Message Access Protocol). Contact details for private customers are also added into a cloud based CRM and billing software which uses an external server.
- For how long is data stored, and when is the data deleted?
We implement a process of auditing and deleting data for private individuals after a period of two years. Individuals can request at any time during the two year period a copy of what data we hold in relation to themselves, as well as request that the data is deleted immediately. For any information or deletion requests we can provide and/or delete the data within two working days (Monday – Friday) of the initial request.
- Is the data collection and processing specified, explicit, and legitimate?
- Our data collection and processing is specified both on the contact page of our website, contact form confirmation agreement (checkbox) as well as within this PIA (Privacy Impact Assessment).
- The types of data collected, as well as how it is used are defined explicitly within this PIA.
- Aerial Cornwall only collect the minimum amount of information in order to conduct our business operations. We only collect and use data that customers provide to us in agreement with our PIA. We never purchase personal contact information where the individual has not agreed to the data being used explicitly by Aerial Cornwall.
- What is the process for granting consent for the data processing, and is consent explicit and verifiable?
- What is the basis of the consent for the data processing?
Personal and business data collected via contact forms, direct emails and direct phone calls is stored explicitly for internal use only within Aerial Cornwall. Data is only collected where it is required and essential for our business operations and there is no other reasonable way to achieve that purpose.
- If not based on consent, what is the legal basis for the data processing?
The legal basis for storing any personal information where we have not been explicitly given consent is in the event of legal or civil proceedings, where we need to prove communications with the private individual or business in order to collect payment or liability in relation to work undertaken by Aerial Cornwall.
- Is the data minimized to what is explicitly required?
- Is the data accurate and kept up to date?
The accuracy of the data is checked at the point where it is received by Aerial Cornwall. If for any reason incorrect contact information is received whereby it does not relate to the individual making the enquiry, then the data will be deleted and we will request the person submit a new enquiry. Business to business data is updated periodically to ensure we maintain the correct contact details with our existing clients. Contact details for individuals are not updated unless requested by the individual, but are otherwise deleted after two years of the initial enquiry.
- How are users informed about the data processing?
Users are informed about how their data will be processed at the point of contact. This is either via confirmation and agreement by the individual using the contact form, or via the footer of our email communications.
- What controls do users have over the data collection and retention?
By entering into communication with Aerial Cornwall via the contact form, direct emails or direct phone calls users agree that we can store their contact information data for business operations. At any time users, clients and private individuals can request a copy of what personal information we store and also request that it is deleted from all our internal systems.
Technical and security measures
- Is the data encrypted, anonymised or pseudonymised?
Aerial Cornwall only collect the minimum data required for contacting private individuals and businesses. As this data is not stored within a single database or format where it can easily be extracted, at present we do not encrypt, anonymise or pseudonymise the data locally. However, data stored within third party hosting providers has encrypted access. By contacting Aerial Cornwall the user enters into an agreement that they are satisfied with our level of protection of their data. At any point a user can request their personal data be removed from our systems if they are not happy with the level of data security we use.
- Is the data backed up?
Communications via email are backed up periodically (daily) via remote backups of our website hosting server. Contact and billing information for clients and private individuals is stored within a third party cloud based CRM and accounting software, which will also be backed up via the third party on a daily basis. Any data stored locally on computers within the office is backed up via third party cloud based data storage systems. We check that any third party software providers are GDPR compliant and offer a suitable level of security in order to best protect the contact information we store.
- What are the technical and security measures at the host location?
Aerial Cornwall’s third-party email and website hosting provider offers:
- 100% PCI-DSS scan compliant hosting.
- 1,000Gbps of DDOS protection.
- Secure SSH/SFTP access.
- Advanced firewall rules ensuring a high level of security.
- 256-bit SSL certificates.
- Weekly Security Scans.
- Weekly/real time file scanning for malicious files.
- Apache mod_security.
- Encrypted cPanel & email access.
- Restrict access by IP.
- Hotlink/Leech protection.
- “SpamExperts” email antivirus filter.
- Two-Factor Authentication (TFA/2FA).
The CRM that Aerial Cornwall uses has top-tier, third-party services located in the US to host their online and mobile services. This means that personal information is transferred to servers in the US. To satisfy the requirements relating to the transfer of data from the EU to the US, they have agreements in place with each of their hosting providers that use European Commission model contract clauses. Data is encrypted using industry-standard data encryption, multiple layers of firewalls are in place, all access to data centres and servers used by the CRM is controlled and monitored 24/7, and they perform regular security audits.
- Who has access to the data?
Access to data within Aerial Cornwall is restricted to relevant staff members who require the information in order to complete their assigned role within the business. This comprises up to four staff members, but in the majority of cases data is only passed between two individuals. Access to master control panels of third party software CRM and hosting software is restricted to one director. This access is through secure strong encrypted passwords and limited only to certain devices relevant to business operations.
- What data protection training have those individuals received?
Aerial Cornwall have trained all staff members in how to handle personal data which is provided to them as part of their role within the company, as well as their responsibilities for protecting information pertaining to personal contact details within devices (computers, phones) that they use on a daily basis.
- What security measures do those individuals work with?
Employees are instructed to only use strong passwords for securing devices as well as accessing local and cloud based software. They are also instructed to periodically change passwords at least once every two months. All computers within the company have antivirus and malware software installed to reduce the risk of malicious attacks and external parties accessing the devices/data.
- What data breach notification and alert procedures are in place?
Both our third-party CRM and email hosting client have data breach and malicious attack notification services in place. In the event of this, or a breach of Aerial Cornwall’s internal systems, we have an automatic notification system set up to inform all our clients via email. If we believe any specific individual’s or business’s data has been compromised we will begin a process of informing them as soon as possible by direct phone calls.
- What procedures are in place for government requests?
In the event of a data breach and government request to inspect our data, we can provide the relevant information within two working days. The majority of data can be provided in spreadsheet or database format, along with supporting documents.
Subject access rights
- How can an individual see a copy of the data Aerial Cornwall holds on them?
In line with GDPR, any individual or business can exercise their rights to access what data we hold on them. They can do this via contacting us directly by email or phone.
- How does the data subject exercise their right to data portability?
The data we hold on individual private clients is minimal (full name, email, phone, address). This can be provided in a variety of formats (CSV, PDF, DOCX, Email). The individual can request which is their preferred format when contacting Aerial Cornwall.
- How does the data subject exercise their rights to erasure and the right to be forgotten?
An individual can contact Aerial Cornwall to request their information is deleted from our systems. On request we will provide them with a copy of what data we hold, and also what systems the data has been removed from.
- How does the data subject exercise their right to restrict and object?
At any time an individual can contact Aerial Cornwall to object to their personal information being processed within our systems. On request we will provide them with a copy of what data we hold, and also what systems the data has been removed from. Aerial Cornwall shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Are the obligations of all data processors, including subcontractors, covered by a contract?
Aerial Cornwall has entered into agreements with any/all subcontractors and third-party data processors to ensure we operate with only legitimate suppliers that comply with the GDPR guidelines and keep personal data protected throughout all our business operations.
- If the data is transferred outside the European Union, what are the protective measures and safeguards?
Due to the nature of website hosting servers and cloud based software systems such as our CRM, data is likely to move outside of the European Union during day to day operations. To ensure the security of our customers’ personal data we only use reputable providers for web services and ensure they meet the GDPR guidelines. Access to online cloud based software systems is done through a limited number of logins which all use the maximum level of password strength. Passwords are also changed periodically to reduce the risk of access being gained by unwanted parties.
- What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
Aerial Cornwall only store the minimal amounts of personal contact data required to complete our business operations. In most cases this is limited to full name, phone, email and address. The main risk would be identity theft, but as this same data is often commonly available through other means, such as online searches, the risk to an individual in the event of a data breach would be very minimal.
- What are the risks to the data subjects if the data is modified?
The personal data that Aerial Cornwall store is only related to client contact information and does not form part of any online account, e-commerce system or otherwise. In the event of a data breach where personal data is modified within our systems, the risk to individuals is minimal and would not pose a threat to personal finances, privacy or identity theft.
- What are the risks to the data subjects if the data is lost?
Personal contact data for our clients is backed up regularly and encrypted by the third party software systems such as our CRM. The likelihood of the data being lost permanently would be very small, and would not directly affect the individual beyond a delay in communications from Aerial Cornwall.
- What are the main sources of risk?
The main source of risk would be unwanted access to our CRM software, either through login details being obtained by a rogue party or data breach of the third party supplier. The result of which would at most be the data being harvested and sold on.
- What steps have been taken to mitigate those risks?
To minimise access to any of our systems, all staff are instructed to only use the strongest level of secure passwords, and to change these periodically (roughly every two months). Passwords are unique to each system and user, and in the case of clients’ control panels for online hosting, these are always changed from the default passwords set at time of purchase. Access to the clients’ hosting services is done (where possible) through SFTP and SSL certificates are used for all websites we develop. Clients are also briefed in best practices for security in order to keep their clients’ data protected as well.