Red Flag Alert Technology Group are:
- Processors for hosted and product data within the B2B services offered.
- Controllers of our Client and supplier contact information, required to: manage and deliver services under contract; manage customer requests and incidents.
- Controllers for employee and worker information in relation to RFA employees and workers
If you have any questions about RFA’s data protection compliance activity, please contact Gary Davis at firstname.lastname@example.org
Our Commitment to Data Protection
We are dedicated to upholding the fundamental tenets of data protection, especially the ideas of consent, privacy by design, the right to be forgotten, and a risk-based approach. Additionally, we ensure:
- transparency on the use of data, ensuring that any processing is fair, legal, transparent, and required for a particular goal.
- that information is accurate, current, and discarded when no longer required; and that information is stored properly and securely.
We are accredited under ISO27001, ISO9001 and Cyber Essentials Plus, and we store data on secure systems. Upon request, we can provide you with our certification documentation. We have a dedicated information security office that manages our information security and integrity, which are essential to our efficient and safe operation.
We will only store data if there is a legitimate basis that permits reasonable retention and we won't keep it for any longer than is necessary. If we do need to delete data from our possession, we do it in accordance with standards that have been established by the industry to ensure that the disposal or anonymisation is fully compliant.
We have enhanced our data security practices and procedures in light of DPIAs and internal audits. Based on the degree of sensitivity and the likelihood of threats, this also involves encrypting data when it is at rest. We have created internal technologies to improve data governance and discovery.
For further information regarding our commitment to our customers and partners, please refer to RFA’s Data Processing Agreement, which is fully compliant with the requirements of UKGDPR and available on our web page.
Information Security & Technical and Organisational Measures
RFA takes the privacy and security of individuals and their personal information very seriously and has taken every reasonable measure and precaution to protect and secure the personal data that we process. We have dedicated information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction, and have several layers of security measures, including (in no particular order) via Microsoft Defender / Azure:
- Hardware Firewalls
- Software Firewalls
- Web Applications Firewalls
- Intrusion Prevention and Detection Systems
- Data Encryption
- Two Factor Authentication
- Penetration Testing
- Password Protection
- Denial Of Service Protection
How we comply
RFA maintains a consistent level of data protection and security across our organisation through adherence to the following processes:
- Policies & Procedures - data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
- Data Protection – our primary policy and procedure documents for data protection are reviewed yearly to ensure compliance with UKGDPR and Data Protection standards and obligations. With a specific focus on privacy by design and individual rights, accountability and governance procedures are in place to make sure that we comprehend, effectively communicate, and demonstrate our obligations and responsibilities.
- Data Retention & Erasure – we update our retention policy and schedule annually to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
- Data Breaches – our breach processes make sure that we have safeguards and procedures in place to quickly identify, evaluate, investigate, and report any compromise of personal data. Our protocols are thorough, and we've made sure that everyone on staff is aware of the reporting channels and next steps.
- Subject Access Request (SAR) – our SAR procedures accommodate the 30-day timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
- Legal Basis for Processing - we evaluate every processing activity yearly in accordance with our QMS to determine the legal justification for processing and make sure that each justification is appropriate for the activity it corresponds to. When necessary, we additionally keep track of our processing activities in order to fulfil our obligations under Schedule 1 of the Data Protection Bill and Article 30 of the GDPR.
- Obtaining Consent - we have updated our permission processes for collecting personal data to make sure that people are aware of what they are contributing, why and how we use it, and that there are simple, defined ways for them to provide their approval to our use of their information. We have established rigorous procedures for documenting consent, ensuring that we can provide proof of an affirmative opt-in, together with time and date records, and a simple method for withdrawing consent at any time.
- Direct Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions, a clear notice and method for opting out, and unsubscribe features on all subsequent marketing materials.
- Processor Agreements – for the purpose of ensuring that any third parties we employ to handle personal information on our behalf recognise and uphold their/our data protection obligations, we have established compliant Processor Agreements and due diligence procedures. In addition to the organisational and technical safeguards in place, these precautions also include initial and ongoing reviews of the service provided, assessments of the need for the processing activity, and compliance with applicable laws.
Data Subject Rights
In addition to the policies and procedures mentioned above that guarantee people can exercise their data protection rights, we also make information about a person's right to access any personal information RFA processes about them easily accessible via our website and through our Data Protection Officer. The information can be requested about:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
- The right to object to any direct marketing from us, the right to be informed about any automated decision-making that we employ, and the right to request the deletion of personal data (where applicable) or the restriction of processing in line with data protection legislation.
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances
Changes to this Statement
To keep you updated on how we comply with legislation, we may update this statement from time to time, which will always be published here on our website.
Last updated July 2023