ShieldRisk Privacy Policy
Introduction
ShieldRisk platform by Shieldbyte Infosec Inc (“ShieldRisk”) collect and use information about individuals (‘personal data’) in the course of business. Data protection legislation gives individuals the right to know what information is held about them and it provides a framework to ensure that personal information is handled properly. This policy sets out our expectations regarding the control of personal data handled by ShieldRisk. This includes employee, contractor, applicant, customer, prospective customer, and claimant data.
It is important that data is processed in a fair and lawful manner to:
- Protect individuals’ fundamental rights and freedoms, notably privacy rights; and
- Enable organisations to process personal information in the course of their legitimate business.
Scope
This policy covers ShieldRisk. Any Data that is processed there is covered by the relevant data protection legislation from the home jurisdiction of the Data Controller.
All employees of ShieldRisk, its agents and contractors who work on behalf of ShieldRisk must adhere to this policy.
Definitions
For the purpose of clarity, the definitions of some common data protection terms referred to in this policy are set out below:
To access the Software, you will have a username and password. This will be set up by us and sent to you within five working days from the date of your acceptance of this Licence
Personal Data
Any information that an organisation holds and / or uses on living individuals, including name, address, date of birth, telephone numbers etc.
Processing
Any use to which personal data is put, including obtaining, retrieving, holding, storing or disposal. Examples of processing include:
- Administering or setting up client accounts
- Using data for marketing purposes
- Administering and maintaining employee records.
Cookie
A small file of letters or numbers downloaded onto a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device. In this policy, ‘cookie’ refers to all technologies that perform a similar function.
Strictly necessary cookie
A cookie whose function is explicitly requested by and therefore specifically related to the service requested by the user.
Data Controller
A person who determines the purposes for which, and the manner in which, any Personal Data are, or are to be Processed.
Data Processor
Any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
General Principles
ShieldRisk requires that all personal data is treated in an appropriate manner. This means that:
- We are clear and open with individuals about how their information will be used
- We only use information about individuals in line with their reasonable expectations
- The information we hold about an individual is relevant and sufficient, but not excessive
- We take reasonable steps to ensure that the information held is accurate and is kept up to date
- We do not keep personal data for longer than is necessary
- We respect an individual’s right of access to a copy of the information we hold about them, and their right to object or prevent our processing of information in certain circumstances
- We keep all personal data secure
- We do not transfer personal data to a country outside the EEA that does not have adequate data protection laws or processes in place.
- It is therefore important that ShieldRisk complies with the eight Data Protection Principles as failure to comply can result in a criminal offence.
ShieldRisk is primarily Data Processor. Data Controllers have a higher degree of responsibility than Data Processors. A Data Controller remains fully responsible for its actions and the security of the Personal Data and is subject to all the requirements of the data protection legislation. A Data Controller is also responsible for Data that is transferred to the Data Processor that processes that Personal Data.
Approach
ShieldRisk has established policies (including this policy) and procedures, and allocated responsibilities, to manage the risk that information about individuals is inappropriately collected, used, disclosed, retained or disposed of, and that our statutory and regulatory obligations are complied with, including those under
- The Data Protection Act 1998, and
- The Privacy and Electronic Communication Regulations (2011).
These processes and procedures include:
Ensuring that we have the appropriate permissions to market to customers via electronic and non-electronic means, including Consent to the Use of Cookies where these are not ‘strictly necessary’, and that a suppression process is in place to prevent marketing to customers where we do not have the required permission, or where permission has been withdrawn.
Data retention standards and the use of data retention schedules to record retention periods, to ensure that we do not retain personal data longer than is necessary, that data retention is in line with statutory and regulatory requirements, and that data is destroyed appropriately when no longer required.
Data security standards to protect data from unauthorised access, alteration or destruction. Controls include physical controls, such as building access controls and confidential waste bins; IT controls such as data encryption, back up and system access controls. Employees are subject to vetting to assess fitness and properness, and staff are not permitted to store customer data on laptops or take customer data out of company premises (physically or electronically) without the appropriate controls in place (including prior permission).
Data sharing protocols, to ensure that data is shared (within or outside of ShieldRisk) only where appropriate controls have been established, and the data to be shared is limited to that which is necessary, and is shared via secure methods. This includes written data sharing agreements where routine sharing of data takes place to define the responsibilities and liabilities in respect of the data disclosed or received.
In the event that there is an unfortunate data loss incident, an investigation into this shall be co-ordinated by the Chief Executive, the result of which will be that controls be put in place to mitigate the risk of any similar data loss. Any serious data protection breaches should be logged and procedural changes made when non-compliant trends occur.
Defined processes for dealing with subject access and other third party requests for their personal information.
Staff training to ensure all staff are aware of their responsibilities in relation to the use of information concerning individuals, together with monitoring processes to ensure that these are being adhered to in practice.
Governance
Roles and responsibilities
Each of ShieldRisk’s Directors bears the ultimate responsibility for management of data protection within the business. Specifically, the Directors should ensure sound governance arrangements are in place to manage, monitor and control data protection issues.
All directors are responsible for ensuring compliance with this Policy within their area of accountability.
All employees have a responsibility to treat all personal data in an appropriate manner, in accordance with this Policy and associated guidelines and processes. Employees are required to complete training and awareness on policies, procedures and internal controls and ensure they understand their responsibilities in relation to the use of personal data.
The Chief Executive is the appointed Data Protection Officer and is responsible for ensuring appropriate controls are in place to minimise the risk of a breach.
SHIELDRISK must ensure that when entering into a new business arrangement that the appropriate data protection clauses are included within contract documentation wherever relevant, including consideration of both the purposes for which ShieldRisk may wish to use data, and the controls over the use of data by our third-party partners.
Review ownership and regularity
This policy will be reviewed at least annually. Any proposed variations or amendments to this Policy must be approved by the Chief Executive.
Non-adherence with this Policy
Non adherence with this Policy will be dealt with through the normal company disciplinary procedures.
Reporting an Incident
To report any suspected serious misconduct or any breach or suspected breach of law or regulation, please mail to reachus@shieldrisk.ai
Connect With Us
+91-8779784050 | +1-551-307-7576
Assess Third-Party Vendor
Plan vendor audit for Cyber Security , Data Privacy And Information Security