GDPR Data Security Policy

Respect and Protect

Sapphire ltd. is committed to respecting and protecting the data it uses on behalf of clients for Direct Mail purposes. We take data security seriously, and are registered as a Bureau with the ICO. As such, we already had many responsibilities when handling and processing clients’ data. We insist that each client has complied with GDPR regulations in obtaining and updating the data supplied to us, but we respect a client’s internal systems, so we must rely on client assurances that their data is correctly collected and stored.

1. Awareness
All staff involved in data processing are aware of the new and existing obligations and have discussed the impact that GDPR is likely to have on our systems.
2. Information we hold
We have detailed lists of all data we hold for clients. In general we hold the data from the previous mailing done for a particular client, unless they have specifically asked us either to hold it for longer or delete it sooner. Data is only ever name and address data; no personal data is held for mailing purposes.
3. Communicating Privacy
We will continue to review privacy notices and make any necessary changes as the impact of GDPR becomes more apparent.
4. Individuals’ Rights
If an individual indicates to us that they would like their data deleted, then we pass this on to the client for them to amend their database for the next mailing.
5. Subject access requests
Subject access requests will also be immediately passed to the client for reply to the customer within appropriate timescales.
6. Lawful basis for processing
We process data on the basis of “Legitimate Interest”. The legitimate interest is mailing on behalf of the client, and the only data used is name and address. This is to increase or maintain the client’s customer base, and increase their/our revenue as a marketing business.
7. Consent
We rely on our clients to have obtained suitable consent for the data they supply to us at any time. We will use the data only as instructed by the client, and will delete it as outlined above.
8. Children
Data for mailing is usually for a householder, so will not include data on children, and would certainly never contain details of that person’s age or gender.
9. Data Breaches
Our data is stored on a secure server, password protected and virus protected. It is transmitted using secure methods and passwords, or third-party transfer protocols. Any breach would be immediately reported to the relevant client and the ICO.
10. Data Protection Impact Assessment
We have familiarised ourselves with the ICO’s code of practice on Privacy Assessments and the latest guidance from the Article 29 Working Party.
11. Data Protection Officer
The Data Protection Officer for Sapphire is Julian Ward, who is responsible for compliance and protection.
12. International
We rarely mail overseas, but if there are occasional overseas items, then the designated lead data supervisory authority is the United Kingdom.