Step 1: CANDDi Data Audit

Our first step towards GDPR compliance was to perform a data-audit to understand the different types of data held within the Company and this data is located. As a template we started with the Direct Marketing Association's guide

CANDDi holds (controls) five different "types" of data

We started by looking at the different types of data CANDDi holds, then identifying our Lawful Basis for holding and processing that data, where we store it and how we control it

We identified five different types of data

  1. Anonymous Website Visitor Data
  2. Prospect Data
  3. Client Data
  4. CANDDi Technology Generated Data
  5. Employee Data
Note - in addition to this we process large amounts of data on behalf of our clients. This data is not included in the analysis since it's not data which CANDDi controls.

1. Anonymous Website Visitor Data

Data description

CANDDi uses the CANDDi website tracking technology to track individual website visitors.

Lawful basis for processing

TODO

Data storage and retention

TODO

Data controls

TODO

Actions to be taken

None required

2. Prospect Data

Data description

CANDDi holds and processes data about potential prospects. Prospects are defined as individuals working for a corporate entity in a Sales, Marketing, Senior Management capacity.

This data has been built up by CANDDi over the duration of the company's life span. The majority of this data-set has been purchased from reputable data-brokers and is used and retained within the individual terms of the data licenses

Lawful basis for processing

CANDDi is using this data for Direct Marketing purposes and have selected Legitimate Interests as our basis for processing this data. Our GDPR Legitimate Interests Assesment can be viewed here. In order to stay compliant with this Assessment we perform data-audits every six months which can be viewed here

In addition to GDPR, CANDDi is fully PECR compliant too. For the purposes of email marketing we limit our communications to individuals with a corporate email address, and we send to licensed data according to the wishes of the relevant data-broker

Data storage and retention

The "raw" data is all stored in our Salesforce CRM database. When relevant this data is segmented (typically by sector / business size) and a sub-section is imported into our e-Shot email marketing platform. In addition this data may be found in the GMail archives of our sales-team, our outbound phone logs (and back-ups there of) and within our CANDDi tracking database.

This data can be retained indefiniately, however it will be audited every 6 months to ensure continued validity and refreshed according to the license terms


We store a record of our client's

We keep an PECR compliant email marketing opt-out list witin eShot

We regularly check this database against CTPS (Corporate Telephone Preference Service) and purge any blocked numbers / firms

We keep a GDPR compliant Right to be Forgotten list within Salesforce recording SAR's and Rights to be Forgotten

Data controls

Access to our Salesforce Database and CANDDi database is restricted to Authorised members of Sales / Support staff

Access to our Email Marketing platform is restricted to specially trained Authorised members of our Marketing team

Actions to be taken
  1. Data Audit for March 2018 to be performed - any invalid data to be purged
  2. Data Processing Contract between CANDDi and Salesforce to be obtained
  3. Data Processing Contract between CANDDi and Forfront (eShot) to be obtained

3. Client Data

Data description

CANDDi holds and processes data about

Lawful basis for processing

We choose the following Lawful basises for processing this data: Contract, and Legitimate Interest

We retain details about our client's businesses, contact information, contract information etc... in order that we can perform the Contracted service to them. We proccess this under the Contractual basis.

We retain details about our clients's engagement with our Support staff and usage of CANDDi. We process this data under the Legitimate Interests basis

NOTE we also store large amounts of our client's data within their CANDDi database. This data belongs to our client and CANDDi simply processes under their Contractual instructions

Data storage

The "raw" data is all stored in our Salesforce CRM database. When relevant this data is segmented (typically by sector / business size) and a sub-section is imported into our e-Shot email marketing platform. In addition this data may be found in the GMail archives of our sales-team, our outbound phone logs (and back-ups there of) and within our CANDDi tracking database.

This data can be retained indefiniately, however it will be audited every 6 months to ensure continued validity and refreshed according to the license terms


We store financial information in the following systems: Xero (Invoice records), Braintree (Credit Card details), GoCardless (Direct Debit details), Barclays Bank (BACS details)

We use the following Salesforce, eShot, Delighted, Zendesk, CANDDi, Xero TODO HERE Data controls

Access to our Salesforce Database and our CANDDi database is restricted to Authorised members of Sales / Support staff

Access to our Email Marketing platform is restricted to specially trained Authorised members of our Marketing team

Access to our Xero finance platform is restricted to specially trained Authorised members of our Finance team

Access to our client's CANDDi database is restricted to specifically trained Authorised members of our Support team

Actions to be taken
  1. Data Audit for March 2018 to be performed - any invalid data to be purged
  2. Data Processing Contract between CANDDi and Salesforce to be obtained
  3. Data Processing Contract between CANDDi and Forfront (eShot) to be obtained
  4. Data Processing Contract between CANDDi and Xero to be obtained
  5. Data Processing Contract between CANDDi and Delighted to be obtained
  6. Data Processing Contract between CANDDi and Zendesk to be obtained
  7. Data Processing Contract between Clients and CANDDi to be created and published

4. CANDDi Technology Generated Data

Data description

In order to perform our service to our clients, CANDDi has constructed two comprehensive data sets

  1. IP Database - we have the best global IP database - linking static IP addresses to their corporate owners
  2. Email Database - we have a comprehensive database linking Email Addresses to publically available social media information
Lawful basis for processing

The IP Database dosen't contain any information which uniquely identifies an individual (it tracks companies not individuals) - hence it's not with in the scope of GDPR (Please note - we treat this data exactly the same as any other data with regard to security / privacy). The IP Database is refreshed every 30 days to ensure that the data is accurate and relevant.

The Email Database only contains data which is publically available on Social Networks / the Internet. The ICO is clear that if "the individual has deliberately made the information public" then this data is acceptable for processing. The Email Database is refreshed every 60 days to ensure that the data is accurate and relevant.

Data storage

All this data is held in a MySQL database in the AWS EU-West-1 data centre (Ireland)

The data (and backups) are encrypted at rest

Data controls

Access to this data is either via internal API Gateways - which require an API key to access or via direct MySQL database access

Access is restricted to Authorized employees in the development team

5. Employee Data

Data description

Employment records and Payroll records for current and previous employees.

  • Address and Contact details for Employee and Emergency Contact
  • Salary and Bank account details
  • Performance reviews and disciplinary records

The data has been reviewed and there is NO Special Category data held in these records

We also hold historic data about unsuccessful job applicants.

  • CV Data
  • Write-ups about Interview Performance
Lawful basis for processing

* For current employee data we have a Contractural obligation to process and hold this data

* For historic employee data - TODO - see below - how long do we need to Contractually hold this etc...

* For unsuccessful job applications we have a Ligitimate Interest to hold this data (and mostly this is information which the individual has made public themselves), however we have no need to hold this data for longer than necessary. Hence all records for unsuccessful applicants over 3 months old will be anonymised and/or purged. Note we will be continuing to hold anonymous applicant data for statistical purposes

Data storage

This data is held in the following places

* Xero [Acccounts package]

* Tim Langley's (Founder) laptop [HR records]

* Google Drive records [Performance Review HR records]

* GMail [Email platform] - CV's etc...

* Paper records in Tim Langley's office

Data controls

* Only Authorized Staff members and Authorized Accounting Staff (Pomegranate Consulting) have access into Xero.

* All data held on Tim's computer is stored on an encrypted partition with strong password security

Actions to be taken
  1. All historic job applicant data over 3 months old to be anonymised / purged
  2. Employees to be educated about their rights (and responsabilities)s
  3. Data processing agreement between CANDDi and Xero to be obtained
  4. Data processing agreement between CANDDi and Pomegranate Consulting to be obtained
  5. Advice to be sought regarding historic Employee data