Data Processing Policy
Acceptable and lawful use of personal data.
We will identify a legal basis for all data processed by Loud Shirt. We will inform our customers, subscribers and event attendees how we store, process and share their data. We will also make them aware of their rights under the GDPR via a published Data Privacy Statement. Where we rely on consent as a basis for processing, we only need to ask for this permission once, but we will record it. Consent can be revoked by the subscriber at any time (see Data Subject Access request below).
The data entrusted to us is to be used for the purposes stated in our data privacy statement. All use of said data will be carried out within the aegis of UK law and accepted codes of practice as recommended by the UK information commissioner. Any change to the nature and use of the data we hold may necessitate gaining explicit permission from data subjects.
Sharing data with 3rd parties
Data will not be shared outside of the uses of data as defined in our privacy statement. Even then, it will only be shared with organisations who also comply with UK data protection law (or accepted data security equivalents such as the US privacy shield), or regulatory authorities as determined in UK law.
Sharing of data with 3rd party service providers will only be carried out after suitable enquiries as to their authenticity and compliance with UK law, and after ensuring that suitable reasonable safeguards are in place to prevent access or loss. We will also take steps to assure that we are only sharing what is needed to accomplish any stated aim.
Before beginning any relationship with a 3rd party service provider (and sharing any data) the data protection officer will carry out an analysis to ensure we are complying with UK law and our policies. This will include a risk assessment in relation to any given purpose. Records of the investigations will be kept by the data protection officer in a supplier register.
Care will be taken in who we divulge data to. When dealing with enquiries from outside organisations or people we will take steps to ensure we are dealing with a bona fide enquirer.
Loud Shirt operates a “need to know” approach to data security. In general access to data will only be shared with members of the organisation (partners or employees) and then only if there is a need identified by the partners.
All those granted access to the data of Loud Shirt will be required to undertake IT and Email security training (normally in the form of an internet based CBT course). The records of such training will be maintained by the data protection officer. The data protection officer may recommend refresher or new courses as threats evolve or in reaction to events local or global.
Loud Shirt operates a cloud based central data store, the access to which is controlled by the partners. Access will not be granted to persons without the express permission of a partner. If any person leaves the organisation or in any other way loses their justification to access Loud Shirt data, then access will be revoked.
All PCs and laptops used must be fully patched (i.e. all operating system and 3rd party software updates installed) in order to counter viruses and exploits. In addition, full anti-virus software must be installed and kept up to date with anti-virus definitions.
PC and laptop operating systems must be in their support period (not end of life).
All PCs and laptops will have strong password protection (min 8 mixed case characters to include a number and a special character such as an exclamation mark) and passwords changed at least every 90 days.
PCs and laptops should be encrypted using BitLocker, FileVault (Mac) or other reputable encryption software to a minimum specification of AES-256.
Any mobile data storage device such as memory sticks or mobile hard disks must have encryption to a minimum specification of AES-256 with PIN or password protection.
It should be borne in mind that normal email is not secure, and that data sent via email is not normally encrypted. Transfer of quantities of data should therefore be effected via the shared cloud based data store.
Public WiFi is insecure and will only be used by employees on company devices or devices containing company data if a) personal firewalls are switched on and b) the traffic is encrypted using a personal VPN solution.
Office and home WiFi should be configured with strong passwords and access limited to only partners and employees. Guest access is permitted if no access to the office network is possible. WiFi firewall/router devices should be fully patched and configured to only use current security protocols such as WPA2 or WPA/WPA2. WEP and TKIP should not be used as they are compromised protocols. Sometimes this is referred to as legacy support.
Steps will be taken to ensure that both ICT equipment and paper records are stored in a secure environment. Paper records are to be securely stored when not in use.
Care must be exercised when records are in transit. Recorded delivery post will be used if posting quantities of personal data.
Data retention and secure destruction of records
Data retention periods are recorded in the Article 30 record of processing. Electronic records will be purged on an annual basis and paper records must be securely destroyed, either by incineration, cross-hatch shredding or via a certified secure destruction operator. Where paper records contain data of mixed retention periods it is permitted to keep data, but care must be exercised so as not to use this data post-retention date (unless redacted).
Data Subject Access request
Data subjects have the right to be informed about, inspect, rectify, erase, object to and restrict the processing of their data, subject to the legal basis of processing that data.
All requests for the above must be in writing (or email) and addressed to the data protection officer. Verbal requests should be recognised but a written request is preferable. We may not charge for this service unless the request is manifestly unfounded, repetitive or complex. We must reply within 1 month at the latest or risk being fined. All such requests will be directed at the data protection officer who will ensure that they are well founded and responded to appropriately. A request should ideally be directed at the data protection officer at firstname.lastname@example.org but other partners or employees should recognise a request if made and then pass this request to the data protection officer.
All known or suspected destruction, loss or unauthorised alteration or disclosure of, or access to, data must be reported to the data protection officer. The data protection officer will assess whether the nature of the breach is credible and, if possible, the extent of the data loss. The data protection officer will then make the decision how to respond to the event. This may range from taking no action to contacting our affected data subjects, making a public announcement or submitting a report to the Information Commissioner’s Office as demanded by EU/UK law. This must happen within 72 hours of Loud Shirt becoming aware of the breach. The data protection officer will inform all partners of this. The data protection officer will maintain a log of all breaches regardless of any outcome.
All queries surrounding the acceptable use, requests concerning data subjects’ rights and breaches must be directed at the data protection officer, who will be suitably qualified to answer questions of a technical or legal nature. The data protection officer may be reached at
Revisions to this document
This document should be reviewed annually or sooner if demanded or indicated by any change in legislation or as a result of outcomes of data events or guidance from the ICO.
V1.0 7th July 2019