Data Protection Policy
Introduction
Ready to Send (“Ready to Send”) provides bulk emailing, mail and social media marketing services (“the services”). Inherent in the provision of these services to its customers, as well as the management of its employment relationships with its own employees, affiliates and other third parties, Ready to Send continually has access to and needs to process personal information relating to individuals and entities. This policy sets out how such personal information shall be processed, handled and stored to meet the data protection standards of Ready to Send and ensure compliance within the parameters of the Protection of Personal Information Act, 2 of 2013 (“POPI”).
This Data Protection Policy, to be read together with Ready to Send’s Privacy Policy available on its website, seeks to ensure that Ready to Send:
- Complies with international legal standards and best practice for the receipt, importing, processing, handling and storing of personal data of individuals and entities (“data subjects”);
- Protects the rights of its data subjects;
- Is transparent about how it processes, handles and stores personal information; and
- Protects itself from the risks of a data breach.
Scope
Ready to Send recognises that protecting the confidentiality and integrity of personal information is not only a statutory requirement but is also vital to the business ethos of Ready to Send.
In doing so, it is acknowledged that Ready to Send collects data from its customers, suppliers and affiliates to enable Ready to Send to provide the services and run its business. Ready to Send collects data from its own employees for various purposes related to human resources and employment benefit administration.
Ready to Send warrants that all departments and managers are responsible for ensuring that all personnel comply with this Data Protection Policy and for implementing appropriate processes, controls and training.
Application
This Data Protection Policy applies to all personal information that Ready to Send processes regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject as defined in POPI.
It further applies to all personal information that it holds relating to identifiable individuals and entities, including, but not limited to the following: names of individuals and entities; physical addresses; postal addresses; email details; all telephone and mobile phone numbers; all social media tags and identifiers; absolutely all data and information relating to an individual received from a client in the course of providing services to such customer, and/or all data of a data subject sought to be protected by POPI.
General rules relating to Personal Information
Personal Information shall at all times be:
- processed fairly and lawfully;
- obtained only for specific lawful purposes;
- adequate, relevant and not excessive;
- accurate, and kept up to date;
- held for no longer than necessary for the purpose it was obtained for;
- processed in accordance with the rights of data subjects;
- protected in appropriate ways, methodologies and procedures and according to suitable methods, both organisationally and technologically;
- not disclosed, transferred or exported illegally.
Principle 1: Accountability
Ready to Send has appointed an Information Officer, also known as a Data Protection Officer (“DPO”) who is responsible for ensuring that the information protection principles within POPI and the controls that are in place to enforce them are complied with.
Principle 2: Processing Limitation
Ready to Send provides a strict context for processing personal information. Processing is minimal and proportionate to its purpose of delivering the services, and has regard to the lawfulness of processing, minimality of information collected, consent, justification and objection, and the collection of personal information directly from the data subject.
Principle 3: Purpose Specification
Ready to Send only collects personal information for a lawful and specific purpose. Record retention is no longer than 5 years after the purpose for which the personal information was collected is complete unless required otherwise by law. The personal information is thereafter destroyed, deleted or de-identified as soon as reasonably practical.
Principle 4: Further processing limitation
Ready to Send does not further process personal information unless such processing is compatible with the purpose for which the information was collected in principle 3 or the data subject, or the responsible party, has consented or has warranted that it obtained adequate consent.
Principle 5: Information quality
Ready to Send takes reasonable practical steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date, where necessary.
Principle 6: Openness
Ready to Send is open about the collection of personal information and takes reasonably practicable steps to ensure that the data subject has been made aware that his or her or its personal information is going to be collected.
Principle 7: Security Safeguards
Ready to Send ensures that the integrity of the personal information in its control is secured through technical and organisational measures.
Principle 8: Data Subject Participation
Ready to Send, as a responsible party, has implemented a system whereby data subjects may request a report confirming whether it holds personal information about the data subject, and he or she may also request a description of such information.
The Information Officer
The Information Officer of Ready to Send is:
Gavin Hendry
Tel: 011 869 8782
Email: info@readytosend.com
The Information Officer shall:
- in time be registered as the responsible officer under POPI;
- execute, and bear responsibility for reporting to executive management about compliance with all technological and operational data protection standards and protocols, and advise of any risk of breach at the earliest opportunity with a view to avoiding any risk or breach, or limiting any damage resulting from it;
- ensure that all operational and technological data protection standards are complied with;
- arrange data protection training and provide advice and guidance to all employees;
- be entitled and have authorisation to initiate disciplinary proceedings against any employee who at any time breaches any technological and/or organisational and/or operational data protection standard, rule, custom, instruction, policy, practice and/or protocol (verbal, in writing or otherwise) (“rule”) applicable in any department;
- review and approve any contracts or agreements with third parties to the extent that they may handle or process data subject information;
- attend to requests from individuals and entities to access data Ready to Send holds about them (“data subject requests”).
The IT Manager
The IT Manager shall –
- ensure that all systems, services and equipment used for processing and/or storing data adhere to internationally acceptable standards of security and data safeguarding, and are regularly updated to continue to comply with such standards;
- issue appropriate, clear, regular rules and directives, whether for the organisation as a whole or a particular part of it, department, person or level of person in relation to any aspect of the company’s work, including password protocols, data access protocols, levels of persons who enjoy access to certain data, sign-on procedures, password safeguarding protocols, sign-on and sign-off procedures, log-on and log-off procedures; the description of accessories, applications and equipment that will or may be used, and/or that may not be used under any circumstances, and the like;
- evaluate any third-party services the company is considering or may acquire to process or store data, e.g. cloud computing services.
General Data Protection Rules
All personal data shall be deemed confidential information, and be handled as such.
The only persons entitled to access data covered by this policy will be those who need to access it for the execution of their direct work services or required outputs.
Under no circumstances will data or personal information be shared outside the scope of required work outputs, or informally. In the event of any doubt, an employee shall be entitled to access confidential information only after obtaining authorisation from their line manager or a senior manager, where any work output requiring access is unusual or out of the ordinary.
Employees will receive induction and on-the-job training in relation to all security standards applicable to such employee’s service delivery and work outputs involving personal information of data subjects.
Employees shall keep all data secure by taking sensible practical precautions and complying with all rules, practices and protocols:
- In particular, strong passwords shall be used at all times;
- Passwords shall not be shared under any circumstances.
Data Storage
Paper
Where data is stored on paper, it will always be kept in a secure place where an unauthorised person cannot access or see it. This also applies to data stored electronically which has been printed out for a specific reason.
Hard copies of documents containing personal information are kept in a locked drawer, safe or cabinet.
Employees ensure that paper and printouts are not left in places where unauthorised persons can see them, e.g. on a printer, and all unwanted paper must be shredded.
Electronic data
Where data is stored electronically, it is protected from unauthorised access, accidental deletion or any risk of exposure to malicious hacking attempts:
- Data is stored in AWS data centres located in South Africa;
- Data is protected by strong passwords that are changed regularly and never shared between employees; passwords are protected using a salted hash;
- Data will be backed up frequently in accordance with backup protocols. Such backups will be tested regularly in line with the company’s standard backup procedures and protocols under the direction of the IT Manager;
- The email service is built on the reliable and scalable infrastructure of AWS with a network architecture that is built to meet the requirements of the most security-sensitive organisations.
Data Accuracy
Employees shall take reasonable steps to comply with company rules and work practices to ensure data is kept accurate and up-to-date.
Data will always be held in as few places as necessary to ensure efficient service delivery and risk avoidance. Employees are not permitted to create any unnecessary additional data sets.
Data Subject Access Requests
Individuals and entities who are the subject of personal information held by Ready to Send are entitled to:
- enquire what information is held about them and the purpose for holding it;
- enquire how to gain access to their own personal data;
- be informed of any special measures the company uses to keep such data up to date.
Data subject requests shall be made by e-mail and addressed to the Information Officer.
The identity of a person making a data subject request will always be verified before handing over any information requested.
Providing Information
In certain circumstances, South African legislation allows personal information to be disclosed to law enforcement or other agencies without the consent of the data subject. In such circumstances, Ready to Send may be obliged to disclose the requested data but will first ensure that the request is legitimate and will seek assistance beforehand from its legal advisers or other experts. Only the Information Officer will be authorised to furnish the requested data to the enquiring party.
Contact Us
Please contact the Information Officer with any questions or concerns about the operation of this Data Protection Policy.
Gavin Hendry
011 869 8782
info@readytosend.com
9 Jacqueline Ave, Alberante
Alberton, Gauteng, South Africa
1449
This policy was last updated on 2021-06-03