This privacy policy (together with our Terms of Use and any other documents referred to in it) sets out the basis on which we collect personal data from our website. We need to provide this information to make sure you know how we process any information collected by us, and that we do so in accordance with the Data Protection Act 1998, the General Data Protection Regulation 2017 (GDPR) and ICO (Information Commissioner’s Office) guidance.

The information we collect applies to:

  • Visitors to our website
  • Information provided through filling in forms on www.evolvebranding.com (our site)

We use this:

  • To provide you with a log-in to our website so that you can create quotes, orders and have access to your historic information
  • To send you information regarding products, offers and important updates

Your consent
Your use of this website signifies your consent to us collecting and using personal data about you as specified below in accordance with this policy statement. Should we choose to change these terms for any reason, the changes will be posted here so that you are always kept informed about the collection and use of your personal information, and when we disclose it.

How do we collect personal information about you and how is it used?
You may provide personal information when communicating with us.
You may give your name and e-mail address to make a comment about our services or website.
We will collect information about your tastes and preferences, both when you tell us and by analysis of customer traffic, including using “cookies”.

It may be that some of the personal information you give us is sensitive personal data within the meaning of the Data Protection Act 1998. Such information (“sensitive information”) will only be disclosed with your express consent.

It may be that you provide us details of credit or debit cards or bank accounts in making payment to us. Any such information (confidential financial information) will be disclosed only in accordance with the disclosure policy below.

We may use personal information collected about you to help us develop the layout of our website to ensure that our site is as useful and enjoyable as possible.
We may use personal information collected about you to let you know about functions on our website or changes to our terms and conditions of use.

Traffic data
We may provide aggregate statistics about sales, customers, traffic patterns and information to third parties, but these statistics will not include any information that identifies you.

Disclosure policy
We reserve the right to access and disclose individually identifiable information to enable us to comply with applicable laws and lawful government requests, to operate our systems and to protect ourselves or our users.

How do we protect your information?
We have strict security procedures covering the storage of your information in order to prevent unauthorised access and to comply with the terms of the Data Protection Act 1998. This means that sometimes we may ask you for proof of identity or for other personal information before we can process your call or enquiry further.

What are cookies and how do we deal with them?
A cookie is a piece of information that is stored on your computer’s hard drive. It is normally sent by a web server to you and enables the server to collect information back from your site visit.

Questions about the policy
If you have any questions or concerns about this policy, please contact sales@evolvebranding.com.

The GDPR in summary

Here are the key areas of the GDPR, with particular reference to the EU Directive 95/46 data protection directive.

Individual rights – and informing people about them

The current EU data protection legislation (Directive 95/46) gives individuals rights over their personal data and describes what information businesses have to provide to individuals, including information about what the business was going to do with that personal data. Often this was done via privacy statements or notifications provided on a website.

The GDPR extends this significantly, providing additional rights that must again be communicated to individuals. In particular individuals must be informed that they have the following (non-exhaustive) rights:

  1. to complain to supervisory authorities, such as the ICO in the UK;
  2. to withdraw their consent to processing of their personal data (see below);
  3. to access their personal data and have it rectified or erased (the ‘right to be forgotten’) by the business and also any third-parties that have accessed it;
  4. to be informed of the existence of any automated personal data processing (including profiling);
  5. to object to certain types of processing, e.g. direct marketing and decisions based solely on automated processing;
  6. to be told how long their personal data will be held for;
  7. to be provided with details of any appointed Data Protection Officer (see below).

In addition, individuals have the right to ask non-profit organisations to exercise rights and bring claims on their behalf, similar to a US style class action.

Consent

If you are collecting data based on the consent of individuals, note that while EU data protection legislation has always required such consent to be freely given, specific and informed, under the GDPR it must also be confirmed by a statement or other clear affirmative action. In other words, pre-ticked consent boxes on websites, or silence/inactivity on the part of the individual after reviewing a privacy statement, will not constitute consent.

Additionally, consent cannot be one-size-fits-all, so a business can’t use an individual’s single consent, given at one stage in their business dealings, as consent for other kinds of personal data processing. Separate consents are required for different personal data processing operations.

Finally, individuals must not only be informed that they have the right to withdraw consent at any time, but it must be as easy for them to withdraw consent as it was to give it.

Existing consents given by individuals should be revisited to make sure that they comply with the requirements of the GDPR. If there are conflicts or ambiguities then companies will need to either establish a new lawful basis for processing the data (e.g. it’s necessary for the performance of a contract), get a new consent, or cease processing that personal data.

Right to move or transfer personal data (data portability)

Individuals now have the right to move, copy or transfer their personal data from one place to another, even to a competitor. For example, a playlist might be generated for a user by a music service, and should they switch to a new provider then they can take this with them. As such, the personal data needs to be in a structured, commonly-used and machine-readable format so it can easily be utilised and shared.

The requirement to make data truly portable and easy-to-use by others is likely to incur significant IT adjustments and therefore costs.

Much wider scope

Put simply, the GDPR makes liable for breaches not just the business that collects the personal data, but also any third-party that processes the personal data on behalf of that business, whether that’s another business, organisation, or individual. However, this does not mean a business can simply hand the personal data to a third-party and then cast a blind eye. The business must ensure the third-party supplier is also compliant with the GDPR.

Additionally, the potential geographical scope is extended beyond just the EU to any business—or again to any third-party processing personal data on its behalf—who offers goods or services to individuals in the EU, or who monitors the behaviour of individuals in the EU. Notably, it doesn’t matter whether or not payment is required for the goods or services, so the likes of charities and NGOs fall under the GDPR.

Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others.

Proof of compliance

It’s not enough to merely comply with the GDPR. A business needs to prove it’s doing so under the GDPR’s requirement for “accountability”, and this means complying with some rather onerous record-keeping requirements. In particular, records should be maintained that detail processing activities*, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments (see below).

This requirement again also affects those third-parties processing personal data on a business’ behalf, although the requirements are not as detailed.

* Applies to companies employing more than 250 people, or companies employing fewer people where the processing carried out is likely to result in a risk to the rights and freedoms of individuals, is not occasional, or includes Special Categories of Data, such as information on health, religion or sexual orientation.

Privacy from start to finish

Technical and organisational measures need to be in place throughout the lifetime of the personal data to match the privacy expectations of the individual—from inception through to execution and finally cessation of that activity. This is referred to as “Privacy by Design”, meaning that privacy considerations must be built into every aspect of that processing by design.

Additionally, only the personal data strictly required for that purpose should be actually processed— something referred to as data minimisation or “Privacy by Default”.

In reality, implementing Privacy by Design and Privacy by Default will involve continuous training, undertaking regular audits, minimising the data collected, restricting access to personal data to a need to know basis, and implementing appropriate technical and organisational security measures such as pseudonymisation and encryption.

General Data Protection Regulation (GDPR): The Sage quick start guide for businesses 6

Mandatory breach reporting

In the event of a breach of the GDPR, companies collecting personal data must tell supervisory authorities—such as the ICO in the UK—within 72 hours of becoming aware. Third parties processing the personal data on behalf of those companies must tell that business without undue delay.

If the breach poses a high risk to the individuals concerned, companies must also notify the affected individuals without undue delay.

Data Protection Officer (DPO)

Under the GDPR, companies and any third parties that process personal data on their behalf will need to appoint a Data Protection Officer (“DPO”) if: (i) they are a public body; (ii) the core activities of the business or third parties involve monitoring of individuals on a large scale; or (iii) the core activities consist of processing on a large scale of special categories of personal data, including data relating to criminal convictions and offences. The DPO needs to have expert knowledge of data protection law, although they don’t necessarily need to be an employee and could instead be engaged on a service contract to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.

Penalties

The penalties for non-compliance with the GDPR are tough and could be up to 4% of annual global turnover, or €20m, whichever is greater. You might be fined even if there is no actual loss of data. One thing to note is that there are no exclusions or exceptions for small businesses. Additionally, there is the ability for individuals to file a class action lawsuit requesting a formal regulatory investigation if a business does not comply with the GDPR.