Data Protection Policy
This policy will come into effect on May 25, 2018.
LeftBrain provides technology services to businesses. Although we don’t have a commercial relationship directly with individuals, we do hold personal data (what is often called “personally identifiable information”) about the employees of our clients, and that data is within the scope of the GDPR. This article details the data we hold, who has access, the measures we take to protect it, and how we get rid of it when it’s no longer of use.
Who do we keep data on?
For clients on our ongoing support plans (those detailed at http://leftbrain.it/plans) we hold data about each named employee on the account, in addition to any other people involved in the provision of the service (for example, an account management contact who works in a remote office and is not covered under the support plan).
For all the other services we provide (including SaaS subscriptions, Enterprise services, projects, event support) we only hold data for the people involved in the service provision.
We also hold data on people who’ve contacted our new business team with an interest in our services.
The people we hold data on are the “Data Subjects”, using the terminology of the GDPR. In our relationship with our clients we act as “Data Processors” and the client is the “Data Controller”.
What data we hold and why
At a minimum, we hold the following data about a person (we call this “Default Information”):
- Full name
- Company email address
These data are necessary for effectively providing our service: we can’t provide support to a person if we don’t know their name, if we can’t get in touch with them and we don’t know which company they’re from.
In addition, we may store the following data, if a person or their company chooses to share it with us (we call this “Additional Information”):
- Job title and department: helps us provide our service effectively, for example, being able to find all the users in the design department, and message them about an update to a particular piece of design software
- Gender: aids in addressing our messages accurately and respectfully when the person’s gender isn’t clear from their name
- Photo: this helps in picking out a particular person in an office when one of our team may not have visited before
- Personal phone number: may be provided to us in cases where a person does not have a company issued phone, or if they do not have access to it (for example, when travelling)
- Personal email address: may be provided in cases where a company email address is not working.
- Personal physical address: may be provided in the event a visit to their home is necessary (for example, in troubleshooting a home office setup).
At any time, a particular person can log on to our Dashboard and view all the data we hold about them, and permanently remove any Additional Information they don’t feel comfortable with us holding.
Lawful Basis For Processing
Using terminology from the GDPR, we use “Legitimate Interests” as our lawful basis for processing the information we store.
We group the people about whom we hold data by their company, and by their job function (specifically we categorise people as “Tech Contacts” and/or “Operational Contacts” and/or “Accounts Contacts” and/or “New Business Contacts”). As detailed above, for each person we mark data “Default” (name and email) and “Additional” and handle each differently.
Who Has Access
By default, our Operations, Infrastructure and Senior Management teams have access to the information about all people across clients.
Individual members of our support, enterprise and projects teams (which may include freelancers and contractors) have access granted to each client (and by extension all their employees) when they are onboarded on to that client’s support team, or when they start a project for them.
Our Accounts team has access to all people categorised as “Accounts Contacts”.
Our New Business and marketing teams only have access to “New Business” Contacts.
Data Retention and Deletion
In the event a client cancels their service with us, we offer to provide a copy of the data we hold to them, in a format of their choice (typically as a JSON file, or PDF). This data is provided using a secure link, and upon confirmation that the data has been received, it is deleted permanently from our systems. In doing so all centrally held personal data is removed.
In the event a person leaves a client of ours, any “Additional Information” we hold on that person is permanently deleted within 24 hours of their last day (this process happens automatically).
We retain the “Default Information” (name and company email address) we hold on a previous employee for up to 7 years after their last day (this deletion also happens automatically), since having records of previous employees can be necessary in continuing to provide our service effectively. Some examples include:
- A request by a current employee to “Forward John’s emails to me”. To do this we must know John’s email address (and confirm that John is indeed a previous employee). (Obviously whether or not we would fulfil this request would be down to the company’s IT policy, and outside the scope of this document).
- Updating a company IT policy that references “John Smith” as a contact: knowing that John is a previous employee lets us flag the reference as stale and ask the client who has taken over his role.
- When wiping an old computer for disposal, we may find a user profile for John Smith. Knowing he is a previous employee helps in determining what should be done with that data.
In both deletion cases (a client cancelling, or a person leaving a client), despite our best efforts to remove everything, the nature of certain systems makes it unfeasible or impossible to remove every trace of personal data. As such there may be personal data that remains on our systems, which may include:
- Email/support ticket correspondence between a person and our support team will show a person’s name and company email address. We do not send personal data over email; however, people may include personal information when contacting us (for example, including their personal phone number in an email signature).
- Historic invoices and billing statements may display the name of the person they were sent to. These are immutable and must be retained for tax purposes.
- Internal chat logs may reference a person’s name. There is no way to redact names from these logs.
- Copies of deleted data may exist on backups. Backups are taken of our entire system, encrypted and stored as single files, so removing one person’s data from a backup is not possible.
Right To Access
The data we hold as “Data Processors” is made available to each person via our Dashboard, so that a live copy of their data can be accessed (and Additional Information revoked) at any time. This data is also made available to nominated people at each client, allowing them to fulfil data access requests for their current and past employees. We do not fulfil access requests from previous employees of clients (or previous clients) directly, since we have no means of verifying whether John Smith is indeed John Smith from Example Company. Regardless, we make the address firstname.lastname@example.org available for anyone to ask questions about their data, and we have processes in place to handle each type of request.
Security Measures
We take a number of steps to ensure personal data is kept secure.
- All systems we use encrypt data at rest and in transit.
- All endpoints used by our team are encrypted, require complex passwords, lock automatically, and have a firewall and anti-malware protection enabled.
- All critical business systems are protected by a central single sign-on solution, with multi-factor authentication enabled.
- Our production database enforces strict access controls to ensure users (and LeftBrain staff) are only able to access the data they’re authorised to access.
- Intrusion detection systems are active on all production servers.
We maintain a permanent audit trail showing who has been granted access to each client, when the access was granted, and by whom. In addition, we keep logs of when “Additional Information” about people is accessed, and by whom.
Our incident management procedure includes notifying the tech and operational contacts at our clients within 72 hours of a breach, describing what happened and its potential impact.