LeftBrain provides technology services to businesses. Although we don’t have a commercial relationship directly with individuals, we do hold what could be considered “personally identifiable information” about the employees of our clients, and that data is within the scope of the GDPR. This article details the data we hold, who has access, the measures we take to protect it, and how we get rid of it when it’s no longer of use.
For clients on our ongoing support plans (those detailed at http://leftbrain.it/plans) we hold data about each named employee on the account, in addition to any other people involved in the provision of the service (for example, an account management contact who works in a remote office and is not covered under the support plan).
For all the other services we provide (including SaaS subscriptions, Enterprise services, projects, event support) we only hold data for the people involved in the service provision.
We also hold data on people who’ve contacted our new business team with an interest in our services.
The people we hold data on are the “Data Subjects”, using the terminology of the GDPR. In our relationship with our clients we act as “Data Processors” and the client is the “Data Controller”.
At a minimum, we hold the following data about a person (we call this “Default Information”):
These data are necessary for effectively providing our service: we can’t provide support to a person if we don’t know their name, can’t get in touch with them, or don’t know which company they’re from.
In addition, we may store the following data, if a person or their company chooses to share it with us (we call this “Additional Information”):
At any time, a particular person can log on to our Dashboard and view all the data we hold about them, and permanently remove any Additional Information they don’t feel comfortable with us holding.
Using terminology from the GDPR, we use “Legitimate Interests” as our lawful basis for processing the information we store.
We group the people about whom we hold data by their company, and by their job function (specifically we categorise people as “Tech Contacts” and/or “Operational Contacts” and/or “Accounts Contacts” and/or “New Business Contacts”). As detailed above, for each person we mark data “Default” (name and email) and “Additional” and handle each differently.
By default, our Operations, Infrastructure and Senior Management teams have access to the information about all people across clients.
Individual members of our support, enterprise and projects teams (which may include freelancers and contractors) are granted access to each client (and by extension all their employees) when they are onboarded onto that client’s support team, or when they start a project for them.
Our Accounts team has access to all people categorised as “Accounts Contacts”.
Our New Business and marketing teams only have access to “New Business” Contacts.
In the event a client cancels their service with us, we offer to provide a copy of the data we hold to them, in a format of their choice (typically as a JSON file, or PDF). This data is provided using a secure link, and upon confirmation that the data has been received, it is deleted permanently from our systems. In doing so, all centrally held personal data is removed.
In the event a person leaves a client of ours, any “Additional Information” we hold on that person is permanently deleted within 24 hours of their last day (this process happens automatically).
We retain the “Basic Information” we hold on a previous employee for up to 7 years after their last day (this process happens automatically), since having records of previous employees can be necessary in continuing to provide our service effectively. Some examples include:
In both of these cases, despite our best efforts to remove everything, the nature of certain systems makes it unfeasible or impossible to remove every trace of personal data. As such, there may be personal data that remains on our systems, which may include:
The data we hold as “Data Processors” is made available to each person via our Dashboard, so that a live copy of their data can be accessed (and revoked) at any time. This data is also made available to nominated people at our client, allowing them to fulfil data access requests for their current and past employees. We do not fulfil access requests from previous employees of clients (or previous clients) directly, since we have no means of verifying whether John Smith is indeed John Smith from Example Company. Regardless, we make the address firstname.lastname@example.org available for anyone to ask questions about their data, and have processes in place to handle each type of request.
We take a number of steps to ensure personal data is kept secure.
Our incident management procedure includes notifying the tech and operational contacts at our clients, within 72 hours of a breach, of the breach and its potential impact.