Silent Sales Data Protection Policy

Purpose and Scope 

We realise that Data Protection isn’t exactly “first date material”, but it is important to us. As we handle both our own customers’ data and our clients’ customers’ data, we take this dry topic very seriously and trust that our Data Protection Policy demonstrates this.

The purpose of this policy is to explain how Silent Sales processes personal data and complies with the Data Protection Act 2018 (DPA), the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). It explains the circumstances in which Silent Sales acts as a data processor and those in which it acts as a data controller.

Data processor 

Silent Sales processes personal data as a data processor acting on behalf of clients to source and generate sales leads, manage existing customer relationships and, where required, update the client’s customer relationship management (CRM) system. That processing is performed under contract and in line with the requirements of the client, who is the data controller for that information. The client determines the purposes for which, and the manner in which, the data is processed and instructs Silent Sales accordingly, including when and how fair processing information will be provided. Silent Sales will ensure appropriate security is in place when acting on behalf of clients and will notify them without undue delay of any suspected personal data breach involving their data.

Silent Sales’ standard operating procedure is not to hold data on behalf of the client but rather to work within the client’s CRM system (or, in some cases, the client’s online shared documents). In all cases Silent Sales will keep a reasonable record of the processing activity it carries out on behalf of its clients and make it available to the client (as relevant) and to regulators on request. The Record of Processing will include:

1. The organisation’s name and contact details. 

2. The name and contact details of each data controller/client on whose behalf Silent Sales is acting.

3. If applicable, the name and contact details of each data controller’s representative or data protection officer. 

4. The categories of processing we carry out on behalf of each data controller – e.g. sales and marketing, training. 

5. The name of any third countries or international organisations to which Silent Sales transfers personal data (any country or organisation outside the EU). This includes storing data with cloud computing providers located outside the EU.

6. A general description of Silent Sales’ technical and organisational security measures, for example encryption, access controls and training.

Where data is processed on behalf of clients in the EU, or collected about individuals in the EU, additional information will be recorded about the data controller’s EU representative.

Data controller 

Silent Sales will not collect or otherwise generate lead information for sale to other parties at a later date.

Silent Sales will act as a data controller in the following circumstances: 

1. Collecting contact details and generating leads to market its own business-to-business products.

2. For the administration of Silent Sales business including invoicing, tax and accounting, and debt recovery. 

3. For the organisation and delivery of training to individuals, and for a limited period afterwards as a record of that activity.

4. Disclosures required by law or by law enforcement bodies, and disclosures in connection with legal proceedings.

Principles of data processing

When acting as data controller Silent Sales abides by the principles of the DPA/GDPR, which require that personal data is:

1. processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); 

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); 

6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

7. Accountability - the controller is responsible for, and must be able to demonstrate, compliance with the principles above. Silent Sales will keep a record of the processing it undertakes and assess whether and how it complies with the DPA/GDPR.

Lawful Processing 

Before collecting and using personal data Silent Sales will satisfy itself that at least one of the following lawful bases applies to all personal data that it processes:

The individual has given consent.

It is required to fulfil or enter into a contract. 

It is necessary due to a legal obligation. 

It is necessary to protect someone’s vital interests (i.e. a life or death situation).

It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

It is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the individual.

Special categories of personal data are subject to extra safeguards to give further protection to the privacy of data subjects. These categories cover information relating to an individual’s:

racial or ethnic origin 

political opinions 

religious beliefs or other beliefs of a similar nature 

trade union membership 

physical or mental health or condition 

sex life and sexual orientation 

genetic data and biometric data (where processed to uniquely identify an individual)

Where special category data is processed, Silent Sales will satisfy itself that at least one of the following conditions is met in addition to a lawful basis from the list above:

The data subject has given explicit consent. 

The processing is necessary for the purposes of employment, social security and social protection law. 

The processing is necessary to protect someone’s vital interests. 

The processing is carried out in the course of the legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim, in relation to its members or persons in regular contact with it.

The personal data has been manifestly made public by the data subject.

The processing is necessary for the establishment, exercise or defence of legal claims.

The processing is necessary for reasons of substantial public interest.

The processing is necessary for the purposes of medicine, the provision of health or social care or treatment, or the management of health or social care systems and services.

The processing is necessary for reasons of public interest in the area of public health.

The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to certain safeguards.

Fairness and transparency 

The Silent Sales privacy notice and a suitable cookies notice will be published on the Silent Sales website and reviewed periodically to ensure that they are accurate and up to date.

Silent Sales will only process personal data where doing so is within the reasonable expectations of the individual. Where individuals have published or otherwise made their contact details available in the public domain, including online, Silent Sales makes the reasonable assumption that they expect to be contacted, and that such contact is in the legitimate interests of Silent Sales and of the organisation being contacted, which may benefit from it. Silent Sales will also abide by the Privacy and Electronic Communications Regulations and screen its business-to-business marketing calls against the Corporate Telephone Preference Service (CTPS), so that individuals who have registered a wish not to receive marketing or sales calls are not contacted.

Purpose limitation and data minimisation 

Silent Sales will only use the personal data it collects for the purposes specified above and communicated to the individuals concerned, and will not use it for any other purpose.

Silent Sales will not collect any more information than is necessary to fulfil the purposes specified above.

Accuracy 

Silent Sales will ensure that the personal data it holds is accurate and will amend or annotate information where individuals request that it be updated. The exception is historical information retained for tax and accounting purposes, which serves as an accurate record at a point in time.

Storage Limitation 

Silent Sales will not keep personal data for longer than necessary for the purposes for which it was obtained. At that point it will be securely destroyed or fully anonymised so that it can no longer be linked to a living individual. The Silent Sales retention schedule is as follows:

1. Names and contact details of prospects - 1 year from the point at which they are no longer a live prospect. 

2. Contact details and records of services requested and provided, and of associated payments - 7 years from the date of payment, for tax and accounting purposes and to defend Silent Sales in the event of any legal action brought against it.

3. Names, contact details and course details of individuals to whom training has been delivered - 1 year from the date of the course.

4. Any information provided to law enforcement bodies or regulators - 7 years from the date of disclosure to defend Silent Sales in the event of any legal action brought against it. 

Integrity and confidentiality 

Silent Sales will use modern equipment and software that is kept up to date with regular patching, runs up-to-date anti-virus software and is maintained in line with the manufacturer’s and software provider’s instructions.

Where personal data is processed in the cloud or at rest on Silent Sales equipment it will be encrypted. 

Silent Sales uses Google Workspace (formerly G Suite) for email and documents. Details of Google’s security measures can be viewed here: https://gsuite.google.co.uk/intl/en_uk/security/?secure-by-design_activeEl=data-centers

Access to personal data will be on a need-to-know basis, and security controls must be in place to prevent unauthorised access. Passwords must be at least 12 characters long and contain upper and lower case letters, numbers and at least one special character. Passwords will be changed regularly, and immediately where compromise is suspected.

When a decision is made to delete personal data, this must be done with appropriate security to ensure the information cannot be recovered.

Appropriate back-up and recovery systems will be put in place. 

Where suppliers are used to process personal data on behalf of Silent Sales, due diligence will be carried out to ensure that they can secure the information, and suitable contracts will be put in place.

Silent Sales uses HubSpot CRM for storing customer information. HubSpot holds SOC 2 Type II and ISO 27001 certifications; more information about its security measures can be found here: https://www.hubspot.com/security

All individuals working for Silent Sales will be aware of their security and data protection requirements as detailed in this policy. 

PECR

As part of Silent Sales’ service offering we manage outreach campaigns on behalf of our customers. This often includes electronic mail sent on behalf of clients. In these cases Silent Sales acts as a data processor for the client under contract.

When asked to procure B2B prospect data, Silent Sales will always use reputable data suppliers and request that the data be screened against the CTPS and TPS where possible. We will also advise clients to use only data that excludes sole traders and partnerships, since these are treated as individual subscribers under PECR and the stricter rules for marketing to individuals apply.

When using “scraping tools” such as Apollo.io, we are using B2B information that has been taken from online data sources.

We will take reasonable care to advise on and follow a workflow that complies with PECR. This will include an opt-out option on all prospecting emails and a note stating the source of the data, in line with the prospect’s right to be informed.

More information on PECR can be found at https://icosearch.ico.org.uk/ and we encourage clients to familiarise themselves with the relevant sections.

Breaches 

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Silent Sales will promptly investigate and assess the risk to people’s rights and freedoms. Where appropriate it will report the breach to the Information Commissioner’s Office within 72 hours of becoming aware of it, and will inform the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Personal data breaches could occur through: 

Loss or theft of data or equipment 

Ineffective access controls allowing unauthorised use 

Equipment failure 

Unauthorised disclosure (e.g. email sent to the incorrect recipient) 

Human error 

Hacking attack 

Anyone who is aware of, or suspects, a breach must report this to simon@silentsales.co.uk

Accountability 

Silent Sales will maintain an up to date Data Protection Policy that explains how it complies with the DPA/GDPR. Responsibility for compliance rests with Simon Lunt, Owner of Silent Sales.

Silent Sales will maintain a register of its processing activity where acting as a data controller. This will include:

● Organisation name and contact details. 

● If applicable, the name and contact details of Silent Sales’ data protection officer. At the time of writing it has been assessed that a data protection officer is not required.

● If applicable, the name and contact details of any joint controllers – any other organisations that decide jointly with Silent Sales why and how personal data is processed. At the time of writing there are no joint controllers.

● If applicable, the name and contact details of Silent Sales’ representative – another organisation that represents Silent Sales if it is based outside the EU but monitors or offers services to people in the EU. At the time of writing there is no need for an EU representative.

● The purposes of the processing – why Silent Sales uses personal data, e.g. customer management, marketing, recruitment.

● The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members. 

● The categories of personal data processed – the different types of information Silent Sales processes about people, e.g. contact details, financial information, health data.

● The categories of recipients of personal data – anyone with whom Silent Sales shares personal data, e.g. suppliers, credit reference agencies, government departments.

● If applicable, the name of any third countries or international organisations to which Silent Sales transfers personal data – any country or organisation outside the EU, including where support staff in those locations can access data stored in the EU.

● If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. At the time of writing no exceptional transfers are undertaken or expected. 

● Where possible, the retention periods for the different categories of personal data – as described in the retention schedule above.

● A general description of Silent Sales’ technical and organisational security measures – e.g. encryption, access controls, training.

Individual’s Data Protection Rights 

Individuals have the following rights under the DPA/GDPR that apply in some or all circumstances: 

To be informed about the processing of their data and to receive copies of the data that relates to them (subject access)

To port their data to another data controller 

To object to the processing of their data, including automated decision making, to restrict the processing of their data, and to have it rectified or erased

To complain about the processing of their personal data

Requests can be made verbally or in writing. In all cases Silent Sales will respond in full to requests or complaints within 30 calendar days, and will maintain a record of the requests and how they were handled for provision to the Information Commissioner’s Office on request.

Silent Sales ICO reference number: ZB395343

Requests should be made to simon@silentsales.co.uk

Updated September 28th 2022