Go Internet regards the lawful and correct treatment of personal information as very important and is fully committed to the principles of data protection, as set out in the General Data Protection Regulation.
On 25 May 2018, the European General Data Protection Regulation (GDPR) will apply. And, as it is an EU regulation, the GDPR will automatically take effect without the need for it to be locally implemented by member states.
Designed to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how organisations handle data relating to identifiable individuals.
Currently, Go Internet will not have a designated Data Protection Officer, as personal data is only processed on a small scale. If this changes, an independent designated Data Protection Officer will be utilised.
We process personal data in connection with customer enquiries and to improve our marketing, by analysing how users browse our website. All data is collected to help our current and future customers.
Under GDPR, because consent needs to be clear, specific and explicit, we avoid relying on consent unless absolutely necessary. For this reason, we use ‘legitimate interests’ to process your data. This means the interests of our organisation in conducting and managing our activities to enable us to give you the best service. For example, we have an interest in making sure you receive only the emails that matter to you, so we may process your information to send you only the information you are interested in or need. You can inform us if you wish to be contacted differently, or not contacted at all – see number 9 in this document for information on how you can do this.
You may be asked for personal data if you want to make an enquiry through one of our contact/enquiry forms on the Go Internet website.
We will use the personal information you provide to administer our relationship with you and deliver the services you have told us you wish to use or to send you information that you have requested. We may also offer you the opportunity to receive additional information about our activities or those of our volunteers, supporters, service providers and partners. You may opt out of this at any time by emailing firstname.lastname@example.org
Information that you supply will be treated in confidence and in accordance with the principles of the GDPR guidelines.
This information is kept as accurate as possible – all of our staff take responsibility for keeping this database up to date and have an awareness of data protection.
We store your personal data just for the intended purpose (e.g. we won’t sign you up to every mailing list we run unless you ask us to), and we take steps to ensure that we collect only the minimum personal data necessary, that it is accurate, and that it is kept for only as long as necessary, after which it is deleted from our database.
We will amend your record when you tell us that your details have changed. If you leave an organisation and would like us to delete your record, we’ll do it straight away if you tell us. Otherwise we’ll keep it on file for 3 years, after which, if we still haven’t heard from you in another capacity, we’ll delete it on your behalf.
We use your information to provide you with a quotation or to improve our website’s user experience. Go Internet uses this information as reasonably necessary and in accordance with your instructions. We will not normally contact you by post, but there may be exemptions. You can opt out of these at any time.
Go Internet may also collect and receive:
Go Internet takes security seriously. We take various organisational and technical steps to protect information you provide to us from loss, misuse, and unauthorised access, alteration or disclosure.
Occasionally, we introduce changes or improvements to our systems. Any test data that may have been used in this connection are managed in a secure and confidential manner.
We will conduct due-diligence on our supply chain ensuring that all suppliers and contractors are GDPR-compliant. Go Internet will also include a contractual clause so suppliers will need to inform us of any data breach.
If you would prefer us to:
Please tell us. You can do so by emailing email@example.com
We will make any changes requested within 1 month.
You also have the right to ask us for a copy of the information we hold about you and to have any inaccuracies in your information corrected.
If you feel we haven’t handled your data properly, please do contact us and we will do everything we can to rectify the problem.
If you feel this doesn’t go far enough, or if you want to report your concern elsewhere, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/
Go Internet encourages a culture where employees and volunteers feel comfortable in self-reporting when they have made innocent mistakes – the root cause of the vast majority of data breaches. Any breach should be reported immediately to the managing director: Trevor Cook on firstname.lastname@example.org
The GDPR describes a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This applies to data held in any form.
Go Internet will instigate an incident response plan (see appendix 1), led by the CEO, to investigate any data breaches within 72 hours.
Breaches will be reported to the ICO unless they are “unlikely to result in a risk to the rights and freedoms of individuals.” Examples of ICO notable breaches are where it may “result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
Go Internet will only inform individuals concerned where there is a high risk of the above.
We may change this policy from time to time. If we do, we will post any changes on our website. If you continue to use the services after those changes are in effect, you agree to the revised policy.
Last revised: 13th September 2020
There are four key steps to consider when responding to a breach or suspected breach.
Move quickly to secure your systems and fix vulnerabilities that may have caused the breach.
Update credentials and passwords of authorized users. (If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools.)
If the data breach involved personal information improperly posted on the Go Internet website, immediately remove it. Be aware that internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they don’t archive personal information posted in error.
Other websites: Search for Go Internet’s exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.
Interview people who discovered the breach. Also, talk with anyone else who may know about it. Consider:
» how it happened
» what information was taken
» how the thieves have used the information (if you know)
Document the investigation.
» When the breach was detected, by whom and by what method
» Scope of the incident/affected systems
» Data that was put at risk
» How the breach was contained and eradicated
» Work performed or changes made to systems during recovery
» Areas where the response plan was effective and what needs improvement
When reporting a breach, the GDPR says you must provide:
» a description of the nature of the personal data breach;
» the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
» the name and contact details where more information can be obtained;
» a description of the likely consequences of the personal data breach (Could there be media or stakeholder attention as a result of the breach or suspected breach?);
» a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
The CEO of Go Internet will ensure that any data breach action plans are acted upon.
If service providers were involved, Go Internet will examine what personal information they can access and decide whether their access privileges need to change. Go Internet will also ensure service providers are taking the necessary steps to avoid another breach. If service providers say they have remedied vulnerabilities, Go Internet will verify this.
Dear [Insert Name]:
We are contacting you about a data breach that has occurred at Go Internet.
[Describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if you know)].
This incident involved your [describe the type of personal information that may have been exposed due to the breach].
[Describe how you are responding to the data breach, including: what actions you’ve taken to remedy the situation; what steps you are taking to protect individuals whose information has been breached; and what services you are offering (like credit monitoring or identity theft restoration services).]
We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts.