Data Protection Policy
Element Human Limited, Element Human Research Ltd, and Crowd Emotion Limited take privacy and data protection very seriously. All three companies are committed to privacy by design and giving due consideration to data protection at every stage of the company’s development. In particular, the companies will:
- ensure data protection is considered and supported at the highest levels of the organisation and, as part of this, ensure that the board is involved in data protection matters where appropriate;
- consider data protection when designing, building, and introducing a new product or service;
- carefully consider the partners and other organisations it works with before entering into a relationship with them; and
- comply with the spirit as well as the letter of the law.
Element Human Ltd is the final authority for data protection. Our DPO is responsible for data protection and can be contacted by e-mail:
Data Retention
Data will be held for the shortest amount of time required, and the data held is reviewed regularly to ensure this is complied with.
The data retention policy is available upon request by emailing: security@elementhuman.com
The data retention policy is kept under regular annual review.
Data breaches
While we take every care to avoid a data breach and protect the personal data we process, it is important to be prepared in the event that a data breach does unfortunately occur.
A data breach is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and includes both actual and suspected data breaches. An incident includes, but is not limited to:
- Loss or theft of data or equipment on which data is stored;
- Unauthorised use of, access to or modification of data or information;
- Attempts to gain unauthorised access to information or IT systems; and
- Unauthorised disclosure of data.
Any individual who discovers a data breach, whether actual or suspected, is responsible for reporting it immediately to Element Human via security@elementhuman.com including full and accurate details of the incident.
Our security team will be responsible for:
- Investigating any such breach;
- Determining what actions should be taken to mitigate the impact of any such breach;
- Determining the impact and risk level of such breach;
- Reviewing any applicable contracts and determining which partners need to be notified;
- Deciding if such a breach needs to be reported to the ICO and the relevant data subject;
- In every situation, recording the breach, including, where it is not being reported to the ICO, why the decision was made that it should not be reported to the ICO.
In reviewing the data breach and determining the above, the following shall be taken into account:
- The type of data involved;
- The sensitivity of the data;
- The number of data subjects involved and the potential impact on them;
- Any protection that is in place, for example, is it encrypted?
- The type of breach that has occurred - for example, has the data been lost or stolen?
- Whether the affected data could be used inappropriately; and
- All other appropriate information including any wider consequences of the breach.
Reporting the breach to the ICO
Where the breach is a risk to people’s rights and freedoms, it should be immediately reported to the ICO and, in any event, within 72 hours. Where the breach is not being reported to the ICO, it should still be recorded in our record of data breaches and the reason why it is not being reported should be noted.
Client data
Where we are acting as a data controller, we have an obligation to inform the relevant controller about any breach. As such, as soon as a breach or suspected breach is discovered, the appropriate client involved should be identified, the contract with them reviewed and they should be provided with the relevant information as soon as possible.
Contractual obligations
Even where we are not acting as a data controller, our contractual agreements with third parties impose a number of obligations on us in relation to notification of data breaches. As such, all relevant contracts should be reviewed to ensure that these obligations are met.
For example, our agreement with third-party sample providers includes a number of provisions regarding data breaches.
Our record of data breaches can be requested by emailing security@elementhuman.com
Data subjects’ rights
It is important to ensure that the organisation is able to respond rapidly and appropriately when a data subject does wish to exercise their rights.
It is likely that any data subject request will come in through the privacy@elementhuman.com channel and this should be carefully monitored to ensure any requests are dealt with as soon as possible and in a timely manner.
Records
Records of processing - both where we are a controller and a processor - need to be updated for every additional processing activity we undertake. These documents can be made available at the sole discretion of Element Human upon request to: security@elementhuman.com
Our records of breaches and subject requests should also be kept updated.
Last updated: 24/10/2022