GDPR Code of Conduct for True Influence Group
PART A: General
This Document is the current operational version of the GDPR Compliance policy effective from 25th May 2018 and applies to activities of True Influence Group (TIG) that consists of the following three entities.
- True Influence LLC, Carnegie Center Drive, Suite 300, Princeton, NJ 08540 (USA)
- True Influence India, 43, 100 ft Road, Domalur, Bengaluru, 560071 (India)
- True Influence Ltd,54 Clarendon Road, Watford, London, UK, WD17 1DU 103
The Core activity of True Influence Group (TIG) is to provide support to its customers in marketing B2B products by generating effective leads from the target markets.
The Lead generation is done through intelligent market research collecting relevant data to identify reliable purchase intent of corporates through different channels including through business partners using relevant technology in web marketing, E mail marketing and Telemarketing.
In the process of these activities, TIG acts as an intermediary who adds value to the B2B marketing chain. The campaign information is provided by the Customers which are fine-tuned and converted into campaign materials for distribution to the potential market space.
The distribution to the end target customers by placement of the campaign materials in relevant media is done through external publishers who generate leads. A part of the leads are generated by in-house publishing activity and use of innovative corporate intent marketing tools developed by the R&D team of TIG.
The leads generated by the publishers are intelligently filtered to improve their quality and converted into actionable marketing targets before being passed on to the customers.
TIG has developed proprietary products, processes and information generation system which includes development of reliable vendors and trained manpower, which together reflect the value proposition that TIG brings to the B2B marketing eco system across the globe. Sustaining and nurturing this expertise and using it for harnessing commercial opportunities represents a legitimate interest of the True Influence Group.
This Code of GDPR Compliance adopted by TIG declares that TIG is committed to the concept of “Privacy as a fundamental right of a citizen of a democratic society” across the globe and in good faith shall implement all the Privacy principles mandated under GDPR where it is applicable.
TIG however discloses that it is its legitimate interest that it carries on a legitimate business operation across the globe as a B2B market intermediary and it is the democratic right of TIG to carry on its business in good faith without being in conflict with the rights of the individual natural persons whose Privacy is sought to be protected under GDPR.
TIG also discloses that its business model requires collection of only the Data of business entities which are outside the purview of GDPR and Business Contact data which is not personal data per-se but may include personally identifiable information in part but does not include personal data of children and Personal data that is classified as “Special categories” under GDPR.
3. GDPR Exposure
True Influence Group is basically a “B2B marketing intermediary” which operates across the globe generating marketing leads and servicing clients in many countries. TIG does not operate in the consumer market and hence does not either directly or indirectly collect personal information of EU data subjects. The data that TIG collects is generally in the category of Business Contact Data of corporate employees which inter-alia contains the name, the work e-mail and work phone number.
A part of B2B marketing leads are generated in the EU countries and in UK. Some of the Customers located in EU/UK may also avail the services of TIG. Currently a majority of interactions with Customers is in US and a majority of interactions with Lead Generating business partners are in India.
The GDPR exposure of TIG is therefore recognized when Business Contact Data is collected from business organizations operating in EU/UK regions.
4. Approach to GDPR Compliance
In order to enable application of as stringent a norm as feasible to the processing of Data which is exposed to GDPR Compliance Risk, TIG adopts a policy to treat GDPR Sensitive Data (GSD) as “Sensitive Data” flowing through the TIG’s resources by tagging the incoming data with a suitable tag to classify it as GSD where applicable.
ThePrivacy protection of data subjects and Security of information related to Privacy protection in respect of the GSD tagged data is factored into the design of the support structure.
Though data is processed in specific locations and the technical infrastructure for processing GSD are located in such specified locations, an enterprise level GDPR awareness has been created and will continue to be pursued so that the principles of this GDPR Code of Conduct percolates to the entire organization beyond GSD processing to include the Marketing, Financial, and Managerial functions which may be located in different locations with their own technical and administrative infrastructure.
In order to effectively implement the security for the entire data processing infrastructure, the Company has adopted a comprehensive information security policy which includes multiple sub policies regarding data access, processing storage, transmission etc.
5. Privacy Commitment
TIG recognizes that “Privacy” is an important democratic right in the civil society. As a responsible corporate entity, TIG is committed to protection of Privacy of all individual natural persons whose personal data comes into the corporate data repository for processing.
In view of the presence of Customers in EU/UK and the monitoring of activities of corporate employees residing in EU/UK, TIG has chosen to adopt GDPR Compliance standards towards protection of Privacy of all natural persons who may interact with the Group even where such interaction is only in their capacity as employees of different business entities pursuing the business objectives of their respective business organizations.
6. Legitimate Interest
The Core activity of TIG involves processing of data related to purchase of different products for corporate use. The activity spectrum includes Collection, Aggregation, Analysis, Segmentation and intent monitoring. In the process of such processing, TIG adds value to the raw data that is collected from the business environment and converts it into value added business decision aiding information.
The Raw Data collected is recognized as data belonging to the data subject and to which the Data Subject’s rights under GDPR is applicable. The value addition to the data that occurs during the process arises out of the proprietary data processing capabilities of TIG on which TIG has a certain level of Intellectual Property Right claim.
If any data has been pseudonymized, the value added pseudonymized data shall be considered as data on which TIG has legitimate interest to use for further research. Non Pseudonymized data even in the value added state is subject to the exercise of Data Subject’s rights such as Access, Rectification, Restriction, Portability and Erasure. Pseudonymized data if any will not be classified as GDPR sensitive.
TIG possesses a legitimate business interest as recognized under Article 6(1)(f) of the EU GDPR regulations, in the collection and processing of Business related data such as firmographics and Business Contact data of decision making officials in the business entities
Also, the business of TIG involves operations within and outside EU countries and hence is exposed to statutory obligations of different countries related to Data Processing as well as other laws applicable to business in general and IT related activities in particular, as envisaged under Article 6(1)(c) of the EU GDPR regulations.
Further TIG has adopted business practices for lawful processing incorporating the principles of EU GDPR as enunciated under Article 6, including obtaining informed explicit consent where required and adhering to the requirements of contractual obligations with the data subjects if any.
The policies of TIG on Privacy and Data Protection are therefore structured with specific Privacy and Information Security controls that address the issue of identifying GDPR sensitive data at the stage of its origin and entry into the TIG system and tagging them throughout its life cycle of processing.
7. Expanding the Scope of Compliance to the Data Processing eco-system
Further, keeping the legislative intent of protecting the fundamental right to privacy of individuals, enunciated under EU GDPR, appropriate Technical and Organizational/Administrative controls are maintained to ensure that all down stream business associates who may have access to GDPR sensitive data for processing on behalf of TIG are also GDPR compliant.
TIG recognizes that in most part of its operations, it is not a “Data Controller” but is a “Data Processor” for the purpose of GDPR. It may assume the role of a “Joint Controller” when it uses the services of sub-contractors for any part of its processing.
Keeping these roles in view, TIG’s policies and controls are structured to ensure GDPR compliance, including maintenance of appropriate Technical and Organizational/Administrative controls to keep itself duly informed about the GDPR compliance activities of its business partners and also sharing with them TIG’s own GDPR Compliance measures as may be necessary.
8. Limitations of this Document
The Following paragraphs provides the umbrella policy of TIG for GDPR compliance at the Corporate level highlighting the approach of TIG on achieving a satisfactory level of compliance of GDPR principles in its operations.
This policy document is meant for limited sharing with stake holders including business entities outside the TIG and hence excludes proprietary information on the processing where it is essential to protect the Intellectual Property of the organization.
Any request for disclosure of information beyond what is stated here will be addressed under the Data Disclosure Policy of TIG and such requests may be directed to the Privacy Manager through a non repudiable authenticated e-mail.
Part B: Specific Policy Outlines
9. Assigned Responsibility
TIG has designated Privacy Manager who will be the contact person to handle all Data Subjects requests and complaints. Considering the current level of risk exposure to GDPR sensitive data in the TIG, it is considered that the core activity of TIG does not involve a large scale and systematic monitoring of EU data subjects nor offering of any services to individuals in EU and hence there is no requirement to designate a “Data Protection Officer” as envisaged under GDPR.
An Information Security Governance Committee (ISGC) will be overall in charge of Information Security including GDPR compliance. It will be the apex policy making body of the TIG group responsible for laying down all information security policies including GDPR policy and will monitor the need to designate any person or a consultant as Data Protection Officer in due course.
10. Data Classification
True Influence is not involved in marketing to any individual natural persons and hence does not normally collect personally identifiable data coming under the regulatory provisions of GDPR. However all potentially identifiable personal data such as e-mail address and phone number of an employee of an organization is classified as “GDPR Sensitive” if the business unit or the employee is known to be located in EU/UK.
Accordingly, the entire Business contact data set associated with a physical location address in EU/UK is identified as GDPR Sensitive Data (GSD) and tagged during further processing within the organization.
In the absence of the physical location information of the data subject, the physical location of the associated business organization would be considered relevant.
11. Data Audit
Once before 25th May 2018 and thereafter at monthly intervals or as otherwise determined by the ISGC, stored data sets will be verified to locate any GSD and verify the compliance requirements associated with it such as whether the data needs to be archived, deleted or otherwise specially secured.
Any GSD data set not accompanied by an appropriate “Consent” or “Legitimate Interest Note” will be recommended for deletion.
On confirmation, such data will be forensically deleted.
12. GDPR Impact Assessment
A GDPR Gap assessment has been undertaken and corrective action has been implemented as required before 25th May 2018. After 25th May 2018, a Data Protection Impact Assessment ( DPIA) will be undertaken whenever a significant new project is undertaken as and when the ISGC identifies the necessity.
13. New Business Acceptance Policy
On or after 25th May 2018 all new business commitments involving processing of data will be subject to the approval of the ISGC with a specific GDPR Impact Assessment note submitted from DPO in consultation with the Technical team in charge of the processing.
14. GSD Data Storage Policy
GSD shall be stored in systems which are accessed only by designated persons on a strict “Need To Know Basis”.
Every GSD set shall be tagged with the Data Controller from whom it was sourced and who is responsible for the collection of the data under a consent or contract.
Any specific restrictions associated with such data set shall also be tagged with the data set.
The Data storage shall enable individual data set to be located and processed for execution of any Data Subject’s rights such as request for data rectification, data portability, data erasure or data access at any time during its life cycle.
15. GSD Data Access Policy
GSD shall be accessed as per the Access Control policy which ensures that each GSD data set shall have specific access parameters which defines who can access the data and how they access the data.
Only those who are designated as GSD work force shall be allowed access to the GSD data set.
Use of access parameters such as Passwords shall be defined with a degree of complexity and uniqueness as may be required and supplemented with Encryption and Machine ID tags so that GSD data may be accessed only from specific hardware which are assigned to authorized GSD work force.
Where data storage is on the cloud, only GDPR compliant cloud services shall be used along with additional controls as may be required in ensuring that data at storage and transit shall be protected from unauthorized access.
Project specific GSD shall be stored in such a manner that only employees associated with a given project get access to the data. Cross project access shall be regulated on a need basis.
16.GSD Data Retention Policy
GSD shall be retained in active process environment only for the minimal period for which it is required for processing.
Thereafter, the data shall be archived securely as per the requirement identified under legitimate interest for example until the project billing cycle is complete.
Subsequently, data shall be continued in secure archiving or destroyed as per the identified legitimate interest requirements of the Company.
A monthly review of archived data shall be undertaken to identify data that is no longer required which shall be referred to ISGC for disposal instructions.
Legal obligations on data retention which may arise due to any overlapping legislations shall be factored into the legitimate interest assessment.
17. GSD Data Disclosure Policy
Any request for disclosure of GSD shall ordinarily be received only from the source Data Controller.
It is recognized that requests received directly from the data subjects are subject to phishing risk and such requests if any shall be referred to the corresponding Data Controller who collected the data from the data subject under a consent or contract that may exist between them.
The data to be disclosed shall be sent only to the Data Controller for onward transmission to the Data subject after properly authenticating the identity of the representative of the Data Controller who makes the request.
In exceptional circumstances where data needs to be disclosed directly either to a data subject or his authorized representative or a law enforcement authority, adequate authentication of the identity of the person making the request shall be ensured.
All data disclosure requests are to be approved by the ISGC before release of the data and the request as well as the assessment documents shall be considered as required GDPR compliance documentation.
18. GSD Data Incident Management Policy
An “Incident” under this code shall be any observation that has the potential to indicate that GSD compliance code or any policies or procedures there under has been violated whether or not any data is suspected to have been compromised.
A whistleblower’s policy may be used to ensure that incidents are reported promptly by any observer either within the Company or outside.
Any such incident which comes to the knowledge of TIG shall be logged in a GSD Incident Management Register and referred to the DPO for immediate action.
The DPO shall review the incident report and take immediate steps to resolve the incident and also to report the incident to the ISGC.
The ISGC will convene a meeting expeditiously and evaluate the incident to identify if it involves any suspected data breach.
Where necessary, ISGC may order an immediate techno legal audit of for a risk assessment of the incident. Based on the risk assessment ISGC shall decide the need for further action including sending a data breach notification to the Data Controller associated with the Data.
An incident where GSD has been accessed by another employee of the organization is considered as a Security Incident and not necessarily a “Breach”. However such incidents shall be investigated as to the cause of unauthorized access and if it is an unintentional accidental access it may be resolved with a suitable internal disciplinary action as per the HR policy.
If data has not moved out or accessed by an outsider, the incident may be classified as an internal data accident not amounting to a breach.
In the event the access or data moved out is known to be in encrypted form and was in a state in which it was undecipherable by the recipient, subject to suitable internal investigation as to the security of the associated decryption key, the access may be classified as an internal data accident not amounting to a breach.
19. GSD Data breach Notification Policy
A “Data Breach” incident is an incident in which TIG has after necessary investigation, come to the knowledge that access to any specific data set under GSD has been compromised and an external entity has come to access or send out a GSD set.
Such data breach incident shall be immediately reported to the ISGC which shall without further delay notify the Data Controller associated with the data set along with relevant details of the incident.
Such report shall specify the nature and extent of the breach, time and data of the breach, the details of the affected data subjects, action taken on the noticing of the breach etc.
Where necessary the data breach may be also reported to a supervisory authority.
20. GSD Data Subject’s Rights Management policy
The TIG data processing system has incorporated “Privacy and Security by design” so as to enable compliance of GDPR requirements particularly in respect of the Rights of the Data Subject provided under GDPR.
In order to meet these rights of the data subject such as “Access”, “Rectification”, “Erasure”, “Portability” and Right to impose “Restrictions”, TIG has enabled its GSD storage and access systems in such a manner that a data set belonging to a specified data subject may be extracted separately and processed.
The system has therefore been designed to be compliant to the most stringent requirements of GDPR.
Whenever a request for exercising of such rights is received from a Data Subject, as per the Data disclosure policy, the request is first validated and then in case the data has been received from a Data Controller, the data controller would be requested to confirm the data disclosure.
Ordinarily the request is processed in communication with the data controller and if it is to be ported, it is returned back to the data controller.
In exceptional circumstances where TIG has to handle the request of a data subject without the cooperation of the data controller, appropriate precautions will be taken to prevent a wrongful disclosure since it would be in the legitimate interest of TIG to be indemnified against any possible wrongful disclosure.
21. GSD Data Transmission Policy
GSD data may ordinarily flow into the system through an application interface (API). The access to the interface is through secure password access system augmented with a suitable second factor authentication where significant GSD risk is identified.
The data transmission is on an encryption basis subject to management of transmission security covering known vulnerabilities.
The application itself along with its inherent storage and processing elements and the API are secured against unauthorized access and malicious attacks by an appropriate malware and secured access management system
Where GSD set is transmitted to the Customer or Sub contractor also, the transmission is managed through encrypted communication channels either through an API or an encrypted e-Mail.
22. GSD Marketing use Policy
When TIG uses GSD for any marketing purpose either through E Mail or Telecalling or otherwise, care is taken to ensure that there is an appropriate consent or contract to enable such communication.
TIG also insists that its partners both the lead generators, sub contracting processors and customers donot use the GSD except as per the available permissions.
Where an unambiguous consent is not available, no business contact data is collected from the lead generators or passed onto the customers or processed through the sub contractors.
Such data is killed at the first instance when it enters the TIG system and identified as a “GSD without proper processing consent”.
23. GSD Consent Policy
All information classified as GSD by virtue of the data subject being located in EU/UK or his/her employer being located in EU/UK shall be accepted only if the data subject has provided an explicit consent based on the format as required under GDPR.
In the pre-GDPR scenario, such consents had been generally collected under the principles of Personal data processing which included a Privacy Notice. Such Privacy Notice indicated what information was being collected, the purpose of collection, the time for which it would be retained, how it would be secured, whether the information was accurate, whether it would be transferred out of EU for processing etc., Some of the consents were based on the “Opt-in” principle as a default setting.
Under GDPR, it is essential that personal data is collected only on the basis of an Explicit Consent where “Opt-Out” is the default option and only on the basis of an affirmative action indicating acceptance, the consent would be accepted.
Additionally, the Privacy notice should also indicate that the Data subject has certain rights such as “Right to be informed of the identity of downstream processors”, “Right to access and rectification”, “Right to Portability and Erasure”.
In view of the new requirements, all consents obtained in the pre-GDPR format shall be considered as invalid and such data would be discarded by TIG.
External Publishers who generate Leads for TIG shall confirm through their contracts that they would provide only leads generated with the new form of consent in case the data subject is located in EU/UK.
24. GSD Stakeholder Communication Policy
TIG operates through many external organizations who are stake holders in TIG GDPR compliance program. Such organizations includes its Customers, Lead Generators, Sub-Contractors etc.
For effective compliance, no GSD data should be exchanged in any communication with the stake holders except through secure transmission and to authorized representatives only.
While the communication through API is controlled by the access policy, any other communication through e-mail should be controlled with an E Mail Communication policy.
Essentially an E Mail Communication policy shall define that sharing of any GSD or GDPR compliance information with a stake holder shall be only through a notified contact e-mail address who will be in most cases the DPO of the other organization,
Where necessary the E Mail communication may be encrypted and authenticated with a digital signature.
25. GSD Legitimate Interest identification Policy
TIG recognizes that certain rights of the data subjects such as Data Erasure or Data Rectification could be in conflict with the legitimate interest requirements of TIG or may be in conflict with the data retention laws which may be otherwise applicable for the data in view of other legislatory obligations.
In call cases of Data Subject’s Rights being implemented, TIG would evaluate the request before taking further action. In the event TIG recognizes a need to refuse the request or modify it for acceptance, the reasons would be documented and a GSD Legitimate interest note would be developed by the ISGC.
Where the data is not required to be active, it may be archived securely until the legitimate interest expires.
The reasons for exercising legitimate interest argument for processing the data subject’s request shall be conveyed to the Data Controller who is responsible for the Data Subject for onward transmission to the data subject.
26. GSD People Management Policy
GSD will be considered as a data set that requires exclusive and special attention in terms of information security while it is in the custody of TIG.
Hence, GSD would be suitably tagged and processed on a need to know basis by a specially trained set of employees.
These employees and the systems in which GSD would be stored, accessed and processed would be managed securely considering the level of risk that is associated with GSD.
Assignment of people to this GSD processing and their removal shall be managed with the appropriate security measures including a higher level of back ground verification, training, physical access identities, sanction policies etc.
The HR policies need to be appropriately upgraded for the GSD workforce as may be required.
27. GSD Pseudonymization Policy
It is recognized that Pseudonymization is a strategy to reduce the risks in the processing of GSD.
Pseudonymized personal data is not considered as “Personal Data” for the purpose of GDPR regulation provided the Pseudonymization process is adequately structured.
In view of the current level of exposure of its operations to the GDPR Risks TIG has not considered it necessary at present to use Pseudonymization as a strategy for risk mitigation.
28. GSD DRP-BCP Policy
TIG recognizes the importance of an effective Disaster Recovery and Business Continuity plan for its operations including the operations involving GSD processing.
TIG will maintain adequate back up of GSD data and reasonable ability to maintain Business Continuity in case of any contingency.
29. GSD Compliance Documentation Policy
The measures of GDPR compliance shall be documented so that they would be available for review.
The Compliance documentation shall be retained for a minimum period of 6 years since its creation.
In the event any document is a potential evidence for law enforcement requirements or for defending the legitimate interest of TIG, such document would be retained as long as the requirement persists.
30. GSD Audit policy
An Internal Security audit team of TIG shall audit the information assets of TIG at least once in an year to assess the level of security and compliance to GDPR and other regulatory requirements.
External audits may be considered on the basis of an assessment by the ISGC whenever a substantial change in business profile occurs.
TIG reserves the right to conduct an audit of the facilities of any of its sub-contractors to ensure compliance as per the contractual obligations.
TIG however recognizes that the empowerment to audit a sub contractor’s facilities is an enablement and shall be used only under exceptional circumstances. This does not reduce the responsibility of the sub contractor to meet the compliance requirements at their end as per the contractual assurances provided.
31. GSD Grievance Redressal Policy
TIG will provide a multi level Grievance redressal policy to redress disputes if any with any data subject. Such grievances will be addressed by the DPO at the first level, the ISGC at the second level and an Online Dispute Resolution Committee set up for the purpose by the Board at the third level.
Any queries from a GDPR supervisory authority shall be handled by the DPO and escalated to the ISGC where required.
Any disputes with the Customers, Publishers or Sub Contractors shall be handled as per the respective contractual agreements.
32.. Network Security Policy
In order to ensure that the IT infrastructure used by the Company is secure, TIG shall adopt a robust information security policy inclusive of Firewalls, Intrusion Detection Systems, Malware Prevention system and System Patching etc as required.
A designated Information Security Manager shall be responsible for maintenance of Network security.
Until further notice, Mr Tim Hepburn, located at the True Influence LLP, US office, is the designated Privacy Manager and he would be available at firstname.lastname@example.org
P.S: This Code is subject to revision from time to time.