Data Protection Policy

1 Accountability & Governance

1.1 Data Controller.

1.1.1 Applikation Ltd is the Data Controller for all of Applikation’s data processing activities. This means that the organisation is responsible for deciding how personal data is processed and for what purposes, and for implementing appropriate technical and organisational controls to protect its clients’ personal data.

1.2 Nominated Supervisory Authority.

1.2.1 Applikation is registered with the Isle of Man Supervisory Authority, the Information Commissioner’s Office, for its processing activities.

1.3 Responsibility.

"We take responsibility for complying with the GDPR, at the highest management level and throughout our organisation."

1.3.1 Applikation takes its responsibilities for complying with the GDPR extremely seriously, at the highest management levels and across the organisation. Applikation is committed to establishing a culture of data protection within the organisation.

1.3.2 The Data Governance Manager is accountable to the Applikation Board for Data Protection.

1.3.3 Data protection is a standing agenda item in all Board Meetings. The following management information is tracked:

1.4 Data Protection Officer.

"We have appointed a data protection officer."

1.4.1 Applikation have nominated a Data Protection Officer. The position has been outsourced to CSS Platinum.

1.5 GDPR Evidence.

"We ensure appropriate technical and organisational measures, by keeping evidence of the steps we take to comply with the GDPR."

1.5.1 All Data Protection compliance decisions, agreements and events are documented in the Data Governance Register. The Data Governance Manager is responsible for maintaining and updating the register. The register is subject to an annual review by the Board.

1.6 Data Protection Policies.

"We ensure appropriate technical and organisational measures, by adopting and implementing a data protection policy."

1.6.1 In order to ensure appropriate “technical and organisational measures”, Applikation has produced this data protection policy to document and direct how the organisation approaches data protection and achieves its compliance obligations. All staff are expected to read this policy as part of their onboarding into the company, to understand its contents and their obligations, and to review it annually thereafter.

1.7 Data protection by design and default.

"We ensure appropriate technical and organisational measures, by taking a ‘data protection by design and default’ approach."

1.7.1 Applikation takes a data protection by design and default approach and seeks to implement appropriate data protection measures throughout the entire lifecycle of our processing operations. Applikation achieves this by adhering to the data protection principles of

1.8 Governance Documentation.

1.8.1 Applikation maintain the following documents to manage their data protection governance and accountability obligations:

1.8.2 Governance Register. The Governance Register is a chronological log that captures all key data protection decisions and actions. It is used to demonstrate Applikation’s active development of and compliance with data protection accountability obligations.

1.8.3 Data Protection Risk Register. The Data Protection Risk Register is a live document that is used to record Applikation’s information security risks and contribute to the wider enterprise's risk management regime. The register is used to assist the identification, documentation and management of risk so that appropriate technical and organisational security mitigation measures can be implemented, and the business can demonstrate their decision-making process. The risk register is reviewed at minimum quarterly.

1.8.4 Record of Processing Activity. In observance of Article 30(1) of the GDPR and as detailed in paragraph 1.6.1, Applikation is required to document a "Record of Processing Activity (RoPA)." A business should not process any data in a way which is not included in the document. The document should be reviewed as required and at minimum annually.

1.8.5 Data Protection Impact Assessment (DPIA) Register. The DPIA Register documents which DPIAs Applikation has conducted and which are currently live within the business. It also acts as a crib for ensuring that DPIAs are conducted correctly, logically and in a comprehensive manner.

1.8.6 Consent Statement Register. This document acts as a register of all consent statements in use by the business and controls the active version and valid-from date. This assists a business in governing and proving which version of a consent statement was in place at a particular time.

1.8.7 Privacy Notice Change Register. The Privacy Notice Change Register documents the evolution of Applikation’s Privacy Notice. It controls the active version and valid from date of the Privacy Notice and assists in governing and proving what version of a consent statement was in place at a particular time.

1.8.8 Subject Access Request (SAR) Register. The Subject Access Request Register is used to document all Subject Access Requests and assist the effective management of response. It should be used in conjunction with the Subject Access Request Management Process.

1.8.9 Individual Rights Register. The Individual Rights Register is used to document all Individual Rights Requests and assist the effective management of responses. It should be used in conjunction with the relevant Individual Rights Request Management Process.

1.8.10 Contracts Register. The Contract Register records all Applikation’s contract relationships where personal data is shared. It acts as a crib for ensuring that the necessary data sharing obligations are passed onto any Joint Controller or Data Processor.

1.8.11 Data Breach Register. The Data Breach Register enables a business to manage its GDPR Article 33 obligations - notification of a Data Breach to the Supervising Authority (IoM Information Commissioner). While not all breaches need to be reported, depending on their severity, a business has an obligation to record and document all data breaches: reportable and non-reportable.

1.8.12 International Transfer Register. The International Transfer Register documents where Applikation may be sharing information internationally and, where appropriate, what safeguard condition has been implemented to ensure that any customer data is managed appropriately and diligently.

1.9 Documenting Our Processing Activities.

Article 30(1) & 30(2)

"We ensure appropriate technical and organisational measures, by maintaining documentation of our processing activities."

"We document our processing activities in electronic form so we can add, remove and amend information easily."

1.9.1 Record of Processing Activity (RoPA). As the Data Controller, Applikation maintains a RoPA for all the organisation’s data processing activities. The record is an electronic and live document and subject to update and review. The document records:

1.9.2 If a processing activity is not recorded in the RoPA, the processing is unlawful and should not take place. All Applikation staff have a responsibility to check that the processing activity is recorded prior to processing any data. Should a processing activity need to occur that is not recorded in the processing register, authorisation by an Applikation Director and confirmation from the Data Governance Manager that the processing purpose has been recorded are required before processing commences. If a member of staff identifies a processing activity taking place which is not recorded, or an inaccuracy in the RoPA, the Data Governance Manager should be informed immediately and the RoPA updated.

1.9.3 RoPA Review. The register is reviewed at minimum annually, as part of the Annual Accountability Review Regime detailed at paragraph 1.9.

1.9.4 Special Category Data. Where Applikation processes special category or criminal conviction and offence data, the following additional information is recorded in the RoPA:

1.10 Annual Accountability Review Regime.

"We review and update our accountability measures at appropriate intervals."

"We conduct regular reviews of the personal data we process and update our documentation accordingly."

"We review our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing."

1.10.1 To meet their accountability obligations, Applikation conducts a formal internal audit of all governance documentation at minimum annually. This includes reviews of:

1.11 Contracts and Data Sharing Agreements.

"We ensure appropriate technical and organisational measures, by putting written contracts in place with organisations that process personal data on our behalf."

1.11.1 Where Applikation shares data with a 3rd Party, a contract and/or data sharing agreement is established that mandates how the partners may use and must protect the personal data we share with them, and ensures they:

1.11.2 All contracts are to be logged in the Contract Management Register and are reviewed annually as part of the annual accountability review process as detailed at paragraph 1.9. Reviews are to be logged in the Governance Register.

1.11.3 Applikation uses contract clauses and data sharing agreements to ensure that organisations with whom data is shared manage that data in accordance with Isle of Man Data Protection Regulation. All Applikation contracts include the following compulsory details:

1.11.4 As a matter of good practice, all Applikation contracts and data sharing agreements:

1.12 Security measures.

"We implement appropriate security measures."

1.12.1 Full details of the measures that we use to secure our information are included within our Information Security Policy.

1.13 Codes of Conduct and Certification Schemes.

"We adhere to relevant codes of conduct and sign up to certification schemes (where possible)."

1.13.1 The Isle of Man’s Information Commissioner’s Office is yet to endorse any relevant codes of conduct and/or certification schemes.

1.14 Data Protection Training

1.14.1 Annual Awareness Training. All Applikation staff will conduct mandatory data protection awareness training as part of their induction training and annually thereafter. The training year aligns with the financial year and training is expected to be completed by the end of quarter one. Training is conducted using an online digital training package. Completion of training is a mandatory requirement of all staff’s terms and conditions. The percentage of staff that have conducted training is tracked as management information using the learning management system report function and is part of the data protection agenda item at board meetings.

1.14.2 Quarterly Training. To complement data protection awareness training, an ongoing programme of training workshops is conducted to develop and maintain an understanding of key data protection areas. This includes:

1.14.3 Training Records. For any training workshop conducted, a nominal roll of attendance is taken and filed for accountability purposes.

1.14.4 Training in the event of a breach. In the event that a member of the Applikation team causes a data protection breach, or a near-miss event occurs, the individual is required to retake the data protection awareness training within 5 business days of the event.

2 Personal Data Breaches

"We record and, where necessary, report personal data breaches."

2.1 Data Breach Recognition.

"We know how to recognise a personal data breach. We understand that a personal data breach isn’t only about loss or theft of personal data."

2.1.1 Applikation recognises that data breaches can occur in numerous ways. These include:

and can take the form of Personal Data that is:

2.2 Data Breach Response Plan.

"We have prepared a response plan for addressing any personal data breaches that occur."

2.2.1 Applikation have implemented a robust data breach response plan to address any personal data breach that may occur. A copy is included as an enclosure to this document.

2.3 Data Breach Management.

"We have allocated responsibility for managing breaches to a dedicated person or team."

2.3.1 The Data Governance Manager is responsible for managing data breaches, with support from the Data Protection Officer.

2.4 Data Breach Escalation.

"Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred."

2.4.1 All staff conduct data protection training as part of induction and annually thereafter. The training includes how to recognise a data breach and the importance of swift escalation to the Data Governance Manager when it is believed that a breach has occurred.

2.5 Data Breach - Subject Notification.

"We have in place a process to assess the likely risk to individuals as a result of a breach."

"We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms."

"We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects."

"We know we must inform affected individuals without undue delay."

2.5.1 Where a data breach represents a high risk to individuals, the data breach process prompts an assessment of the risk to the rights and freedoms of affected individuals so that they may be informed.

2.5.2 Applikation considers high risk to rights and freedoms to include personal data of a financial and/or special category nature. Where a high-risk breach has occurred, notification of the individuals concerned may pre-date notification of the ICO.

2.5.3 While all Applikation staff are expected to escalate swiftly any potential data breach, a breach involving financial data and/or special category data must be escalated as quickly as possible to ensure that action can be taken to mitigate any risk to the rights and freedoms of the individual.

2.5.4 A pre-prepared email template has been established as a crib to ensure that the requisite information is gathered and notification can occur swiftly, along with details of further support.

2.6 Nominated Supervisory Authority.

"We know who the relevant supervisory authority for our processing activities is."

2.6.1 Should Applikation experience a data breach, the breach will, where required, be reported to the Isle of Man Supervisory Authority.

2.7 ICO Notification Process.

"We have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet."

2.7.1 The Applikation Data Breach Process takes into account the need to notify the IoM Information Commissioner of a suspected data breach within 72 hours of becoming aware of it, even if all details are not yet complete.

2.8 ICO Information Requirements.

"We know what information we must give the ICO about a breach."

2.8.1 A data breach template form is held online within the data breach management folder. Should the breach involve a ransomware attack, an off-network device will be used to download a template from the Information Commissioner’s website.

2.9 Breach Documentation.

"We document all breaches, even if they don’t all need to be reported."

2.9.1 All reportable breaches and non-reportable breaches are recorded in the Data Breach Register.

3 International Personal Data Transfer.

3.1.1 Individuals risk losing the protection of the General Data Protection Regulation and/or Data Protection Act 2018 if their personal data is transferred outside of the EEA. The GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way.

3.1.2 Applikation does not presently transfer personal data to any country outside of the EU or to any international organisation. If in the future data is transferred internationally, and the country to which we transfer your personal data does not have a recognised EU or UK Adequacy Agreement, we shall ensure that the endorsed ICO Safeguard contract is in place with the Data Controller or Data Processor within that country, which contractually obliges them to protect your information to the same standard required by the General Data Protection Regulation.

All members of the Applikation Team have a responsibility to assist with the identification of instances where data may be transferred internationally or where a project may require international transfer and should inform the Data Governance Manager of any processing needs identified.

4 Data Protection Impact Assessments.

4.1 Overview.

4.1.1 A Data Protection Impact Assessment (DPIA) is a process that helps to identify and minimise the data protection risks of a project. Applikation staff must carry out a DPIA for processing that is likely to result in a high risk to individuals.

4.1.2 The DPIA process is owned by the Data Protection Officer but carried out by the Data Governance Manager. All members of the Applikation Team have a responsibility to assist with the identification of processing activities that may require a DPIA. If there is any doubt whether a DPIA should be conducted, guidance must be sought from the Data Governance Manager.

4.2 DPIA Management Process.

"We have created and documented a DPIA process."

4.2.1 See enclosures at the end of the document.

4.3 DPIA Training.

"We provide training so that our staff understand the need to consider a DPIA at the early stages of any plan involving personal data."

"We provide training for relevant staff on how to carry out a DPIA."

4.3.1 Applikation uses an online Data Protection Awareness Training package which includes details of when a DPIA should be conducted. Training on how to carry out a DPIA is covered as part of the quarterly training workshop programme.

4.4 DPIA Conduct.

4.4.1 Applikation will consider conducting a DPIA if any processing or development projects include the following:

4.4.2 If, following consideration, the decision not to conduct a DPIA is taken, the decision and its justification are documented in the DPIA Register - see enclosures at the end of the document.

4.4.3 Applikation will always carry out a DPIA if any processing or development projects:

4.5 DPIA Checklist.

4.5.1 When Applikation conduct a DPIA, we:

5 Individual Rights

5.1 Right to be Informed.

5.1.1 Privacy Notice. Applikation has implemented a GDPR and DPA 2018 compliant Privacy Notice. The Privacy Notice is located at the following link: https://www.picklz.co.uk/privacy-policy. In observance of the Information Commissioner’s direction, the Privacy Notice includes the following detail:

5.1.2 Privacy Notice – When we provide it. Applikation provides a master copy of its Privacy Notice on its website. Whenever personal data is collected from a customer/client or Data Subject, we ensure that we provide an opportunity to review the Privacy Notice, or we signpost the web link so that the data subject can review the Privacy Notice. In circumstances where we are unable to provide details of, or a link to, the Privacy Notice, we send out a hard copy.

5.1.3 Privacy Notice Management. The Applikation Privacy Notice is version and date controlled to ensure that it is clear which Privacy Notice is extant or was in place at any given time. Applikation maintains a Privacy Notice Change Register to keep track of the extant Privacy Notice and any changes that have been made. The Privacy Notice is reviewed as required and at minimum annually. Reviews are recorded in the Privacy Notice Change Register.