TeamLytica Data Protection Policy
Introduction
TeamLytica has developed an information security strategy to protect the availability, integrity, security and confidentiality of the data we hold, and to ensure that personal data is held and processed securely and in compliance with the data protection principles set out in applicable data protection legislation.
It is important to note that establishing and verifying information security is not a one-off event, but an ongoing venture that follows a cyclical process. The implementation cycle involves establishing information security requirements, educating people about their responsibilities under those requirements, building governance structures to ensure compliance, and monitoring and reporting of progress and incidents. This cycle should be repeated at regular intervals and whenever changes are made to relevant data protection legislation.
The following goals are designed to establish formal information security management and governance processes.
Goal 1: Audit the use and storage of personal data.
Initiate a data inventory process to identify personal data and ensure it is appropriately protected. This process applies to data already held by TeamLytica, as well as data that TeamLytica proposes to collect in future. TeamLytica holds personal data for two primary purposes. Firstly, data is held for the production and delivery of TeamLytica reports, and for research related to TeamLytica development. Under GDPR legislation, our lawful basis for processing this data is ‘legitimate interests’: the data is required to produce the TeamLytica report purchased by the customer. Secondly, data may be held for business marketing purposes. This data is collected by explicit consent and is held separately from the data used to produce TeamLytica reports.
Goal 2: Update and maintain all relevant information security policies.
In collaboration with third-party providers, TeamLytica will endeavour to develop, approve, and launch a suite of information security policies, based on the GDPR recommendations for information security. These policies will set forth employee and provider responsibilities for information protection and will be shared with customers where relevant. Our SLA with our server provider stipulates that we can expect 99.8% availability of the web application that collects data and produces the TeamLytica reports and dashboard. The confidentiality and integrity of the data supplied for this purpose is also assured by comprehensive monitoring of application and firewall logs, which triggers instant alerts to relevant members of staff.
TeamLytica has initiated a review process to test, assess and evaluate our policies on an annual basis, or whenever significant changes in applicable legislation prompt a review. This review will include an evaluation of how to minimise the data we hold and ensure that it is not held for any longer than necessary. The review will apprise employees, agents and subcontractors of any changes which may affect working practices.
Goal 3: Implement changes to in-house applications.
TeamLytica will modify our processes, systems and applications to ensure compliance with the data protection principles under GDPR guidelines, including revision of privacy policies, addition of a ‘just in time’ privacy notice and adoption of a double opt-in confirmation process for marketing communications. TeamLytica intends to embed ‘data protection by design’ when designing and developing new projects and systems, including encryption of personal data, which will be included in a new version of the TeamLytica application to be launched in 2019.
Goal 4: Ensure all employees are aware of their information security responsibilities.
Require all employees, agents and subcontractors to read and sign the relevant information security policies and documents, which inform them of their responsibilities for protecting the information in their care and set out protocols for specific situations (e.g. data breaches, information access requests, deletion requests, etc.).