This document is to clarify and confirm our commitment to the latest General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.

  1. The type of information we store – We only store business-related information relevant to the services we provide. This will include (but is not limited to) business contact name, business landline number, business mobile number and business email address.
  2. Where this information came from – The information stored has come from four sources: a contract you have signed with us; communication with your business to ascertain the relevant person within your organisation to discuss communication provision; LinkedIn and other social media; and, occasionally, paid-for business listings. As from 25th May any information we purchase will only come from companies fully compliant with the GDPR.
  3. Where this information is stored – Your information is stored in a number of places.
  • ACT CRM System – The data contained within our CRM system is stored both locally on an on-site server and on the Swiftpage ACT cloud-based platform. Our on-site servers are only accessible from a site-based PC via an individual’s specific username and password. These passwords are changed on a regular basis and regular security reviews take place. The cloud-based platform is only accessible via a specific username and password. The platform itself is highly secure (more information can be found at https://www.act.com/en-uk).
  • Freshteam Ticket System – This is a cloud-based helpdesk ticketing platform. It is only accessible by an individual’s specific username and password. Passwords are regularly changed and regular security reviews take place.
  • Office 365 – Email correspondence is stored by Microsoft, although more recent data is also cached locally on the user’s PC. Again, access to this information requires a username and password to log on to the PC and another username and password to log on to Outlook. Information stored by Microsoft is stored in a highly secure environment (more information can be found at https://docs.microsoft.com/en-us/office365/enterprise/office-365-infoprotection-for-gdpr-overview).
  • Contract Information – Information on our customer contracts is stored on our site-based server. The server itself is only accessible by our designated IT support person and our IT support company from our office location only. External access is not allowed. Access to the data itself is only possible by a BSAS employee logging on to their PC with the correct individual username and password.
  • Mobile devices – Devices such as laptops and mobile phones have access to, and store, some of the information above. All mobile devices are password access only, with laptops requiring username and password. Passwords are regularly changed and security reviews carried out on a regular basis.
  • Paper correspondence – All paper correspondence (including contracts) is stored on-site in a secure facility which is kept locked at all times. The keyholder (Office Manager) does not allow unaccompanied access to ensure the highest level of security.
  4. Privacy Notice – We do not share your information with third parties unless it is a requirement to facilitate either an order you have placed or an issue you have raised. For existing customers this does mean that your details may also be held by our suppliers. Should you require details of which suppliers are likely to hold this information please contact sean.bamford@bsas.co.uk. Our lawful basis for processing your data is “Legitimate Interest”. In the case of existing customers, the data we hold is necessary for us to be able to communicate with your organisation for issues relating to fault resolution, order processing, billing, and general account management. In the case of prospects, as the person responsible within your organisation for the provision of IT and Telecommunications, we may send you information about our services which may be of interest. All our communications are sent with a GDPR statement stating that if you do not have a “Legitimate Interest” in the products and services we supply then we will delete your information and no longer contact you unless you opt in (i.e. “Consent”). Our data retention period is seven years unless otherwise instructed by an individual. If you have an issue relating to our Privacy Notice please feel free to contact us in writing or, failing that, complaints can be made to the ICO – https://ico.org.uk/for-organisations/
  5. Individuals’ rights – The GDPR includes the following rights for individuals:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Should you wish to access the information we store which directly relates to you personally, please contact us in writing detailing your preferred method of communication for our response. We will then respond within ten working days providing you with full details of the information stored, the location(s) where this information is stored, who has access to this information and whether it has been shared with a supplier.

  6. Data Protection – We have conducted a full review of the security surrounding the protection of the personal information we have stored, both on-site and off-site, and are satisfied it is fit-for-purpose. In the unlikely event of a data breach we will inform you as soon as reasonably possible and detail fully the extent of the breach and fully disclose the information at risk.
  7. Data Protection Officer (DPO) – As the amount of personal information we hold is minimal and the amount of processing of that data is also minimal, regulation does not require us to appoint a dedicated DPO. However, if you have any queries or issues relating to this statement please contact sean.bamford@bsas.co.uk.