GDPR Assessment

This document aims to explore the appropriateness of the legal basis of ‘Legitimate Interest’ for the processing of personal data by Mathewsons with respect to the GDPR and the rights of the individuals whose data is processed and stored by the Business. In this document, Mathewsons may be referred to as the Business.

1. About Mathewsons

Mathewsons is an established business which has, over nearly 50 years of trade, worked hard to establish a highly regarded and reputable business. Although dealing with other businesses to some extent, the prime market for Mathewsons is directly with the public.

The Business is determined to continue to build its business and would like to develop further quality employment in the future. Mathewsons aspires to be a fair, transparent and ethical business both towards its employees and towards its clients.

2. Why does Mathewsons need to process personal data?

There are three main areas of data processing that the Business undertakes; these are:

  • Employment data processing (Data Controller)
  • Administrative and commercial data processing (Data Controller)
  • Business development and marketing data processing (Data Controller)

Taking each of these areas in turn, this document aims to explore:

  1. The objectives of data processing
  2. The relevance and importance of data processing to the business
  3. The impact on the individuals whose data is processed
  4. The expectation of the individual that their data would be processed and
  5. The rights of the individual whose data is processed

3. Employment data processing (Data Controller)

Mathewsons processes employees’ data for legitimate and common business purposes, in situations which are not necessary for the performance of the employment contract, but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage the employment relationship and interaction between employees.

Specific examples are:

  1. Background checks and security vetting in recruitment and HR functions
  2. Office access and operations
  3. Disaster and emergency management tools and apps
  4. Internal directories and other business cooperation and sharing tools.
  5. Business conduct and ethics reporting lines
  6. Compliance with internal policies, accountability and governance requirements and corporate investigations
  7. Call recording and monitoring for call centre employees’ training and development purposes
  8. Employee retention programs
  9. Workforce and headcount management, forecasts and planning
  10. Professional learning and development administration
  11. Travel administration
  12. Time recording and reporting
  13. Processing of family members’ data in the context of HR records – next of kin, emergency contact, benefits and insurance, etc.
  14. Additional and specific background checks required by particular clients in respect of processors’ employees having access to clients’ systems and premises
  15. Defending claims - sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises
  16. Intra-corporations hiring for internal operations

The argument here is that the Business has a legitimate reason for processing employees’ data to undertake its role as employer and to safeguard its clients in its role as a processor. The data processed is typical employee information and the employee would fully expect the Business to process this data.

4. Administrative and commercial data processing (Data Controller)

Mathewsons processes supplier and customer data for legitimate and common business purposes, in situations which are not necessary for the performance of the business, but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage the relationship and interaction between the Business and its suppliers and customers.

Specific examples are:

  1. Develop or operate financial/credit/conduct and risk records
  2. Internal analysis of customers – plan strategy and growth
  3. Reporting and management information
  4. Back-office operations
  5. Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas
  6. Corporate reorganisations
  7. Business intelligence
  8. Managing third party relationships (vendors, suppliers, media, business partners)
  9. Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.)

The argument here is that the Business has a legitimate reason for processing supplier and customer data to undertake common business purposes. The data processed is not considered to be sensitive according to the guidelines of ‘Special Category Data’ and the supplier or customer would fully expect The Business to process their data.

5. Business development and marketing data processing (Data Controller)

Compliance with GDPR will work to enhance the reputation of Mathewsons. Mathewsons processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain ‘low risk’ personal data to gather market intelligence, promote products and services, communicate with and tailor offers to individual customers and contacts.

Specific examples are:

  1. Discretionary service interactions - customers are identified in order for them to receive communications relating to how they use and operate the data controllers’ product
  2. Personalised service and communications
  3. Direct marketing – of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
  4. Targeted advertising
  5. Analytics and profiling for business intelligence – to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
  6. Ad performance and conversion tracking after a click
  7. Audience measurement – measuring audiovisual audiences for specific markets
  8. Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for the purpose of joining advisory boards, speaking engagement and otherwise engaging with the Business
  9. B2B & B2C marketing, event planning and interaction

The argument here is that any business or individual that has filled in a ‘Sign up for our News’ mailshot would naturally expect Mathewsons to store their data, and to make use of it in order to fulfil their request - these data subjects are naturally a ‘legitimate interest’ to Mathewsons. The data processed is not considered to be sensitive according to the guidelines of ‘Special Category Data’ and the data subject would fully expect The Business to process their data.

6. The rights of the individual whose data is processed

As alluded to above, Mathewsons is a Business that has worked hard to establish itself as a technically skilful business with a strong reputation. The Business is fortunate to work with many excellent and well established businesses; these businesses take their own reputations very seriously and the GDPR will have a significant impact on them all. Due to the nature of our service relationship with these businesses, Mathewsons is well placed to establish a compliant methodology with respect to the GDPR, data capture, processing, security and the rights of the individual. Mathewsons has a very clear ambition to be compliant by 25th of May 2018.

Mathewsons’ own website will capture data with consent permissions in accordance with the GDPR. The Business will process non-sensitive data such as contact name, email address and business phone number of contacts. Email marketing will be the preferred approach as this is particularly cost effective, and any data processed will not be sensitive and as such will not require special protection under the GDPR.

7. Minimal intrusion

Following any email marketing correspondence, the data subject will be encouraged to view the Business’s Privacy Policy, where they will be able to see the legal basis on which the Business relies for gathering data. In the event that an individual feels that their data is unconnected to the Business, or that they do not expect their information to be used for purposes connected to the products or services of Mathewsons, they will be able to manage their subscription via the Mathewsons website Subscription Management page (accessible via the unsubscribe link in an email or via the Business’s Privacy Policy page).

The Subscription Management page is intended to provide a minimal intrusion experience for the data subject. Should the data subject wish to see their data as stored in the Mathewsons master database, they will receive a link to their own Subscription Management web page, from which they will be able to unsubscribe from a mailing list or update their data. In the event that an individual would like to exercise their right to erasure, they will be provided with an email address on the Mathewsons Privacy Policy page, and their request will be considered with reflection upon the criteria prescribed by the GDPR.

8. Sharing data

Mathewsons will not share its database with any other business. Mathewsons may need to make use of third party data processors in order to fulfil its marketing requirements; on these occasions, a contract will be in place between Mathewsons (the data controller) and the third party data processor - only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of the GDPR, will ensure that both parties understand their responsibilities and liabilities.

Data may need to be shared with authorities such as the ICO during an IT or cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscriber’s details during an anti-fraud or criminal investigation.

9. Security measures and online safeguards

This section will focus on the security measures that Mathewsons has in place for the hosting and administration of its own website. The website uses a Content Management System and is able to collect and organise data into lists (these lists identify the origin of the data, e.g. subject data from an enquiry via the website, or subject data from a ‘Latest News’ signup form via the website). The data is contained in a main database, which is hosted online.

Mathewsons’ website utilises a wide range of security measures from server through to website. The website is hosted by a GDPR compliant hosting services provider on a Virtual Private Server (VPS).

9.1. VPS Server (more secure than shared hosting)

  • The server uses a Linux operating system (arguably less vulnerable than Windows)
  • The server is kept up to date with the latest software

9.2. VPS Server Access

  • No FTP provision - connections can only be made via SSH, which means that only a select number of certified machines can access the server
  • Linux firewall enabled
  • Server Side monitoring alerts us to any DDoS or similar attacks

9.3. Website

  • The website is built on a popular (actively developed) content management system with a proven track record
  • The website utilises a secure certificate meaning that all communication between the website and the user is encrypted (form information)
  • The Content Management System and extensions are kept up to date with the latest security patches
  • Use of server access files to limit direct access to certain file types and to block malicious bots
  • Backups held offsite on secure Amazon S3 servers
  • User passwords are encrypted and registration is disabled
  • Random 20+ digit passwords generated for all Super Admin accounts

10. Privacy impact & risk mitigation

Mathewsons has always looked, and will always look, to secure its hard-earned reputation throughout any marketing campaign; consequently it is very careful to consider the relevance of its marketing to a data subject. Mathewsons takes the position that the quality and relevance of a data subject is crucial, but equally the Business feels that every effort should be made to allow the data subject to easily act to assert their right to privacy.

Data Controllers have obligations under the GDPR to keep good records of personal data and processing activities. With this in mind, Mathewsons has implemented processes which work to establish transparency as well as to protect data subjects’ rights according to GDPR guidance; these processes include the following:

  1. Routine data consent refresh every 6 months - all data subjects will be emailed to confirm that they are happy to remain subscribed to the Business’s News & Events list; the email will provide clear access to:
    1. Details relating to the data controller (Mathewsons)
    2. The legal basis used by the Business for processing data
    3. How the Business may use the data
    4. What data is processed by Mathewsons (non sensitive)
    5. Mathewsons Privacy Policy
    6. A Subscription Management page
      1. Right to withdraw consent
      2. Unsubscribing from all lists
      3. Contact details about the controller’s Data Protection Officer
      4. Link to a supervisory authority to lodge a complaint against Mathewsons
    7. Information relating to 3rd party data processors
    8. Information relating to sharing of data
    9. Information relating to security of and storage of data
    10. Information relating to retention of data
    11. Information relating to the right to erasure
  2. Record keeping of the activities relating to the way that the Business processes an individual’s data
    1. How and when data was collected
    2. How and when data was used
    3. When the data subjects’ consent was refreshed - consequence of the refresh
  3. Record keeping of any actions taken by the subject following any communication from the Business
    1. Opens, clicks, unsubscribes
    2. Correspondence with the email address given on the Business’s Privacy Policy page
    3. How and when does a contact unsubscribe
      1. Unsubscribe link from Marketing email
      2. Subscriptions Management page unsubscribes (directly via
      3. Verbal notice
    4. Responses to any complaint relating to information/rights that we receive, clearly stating how we have processed the individual’s personal information and explaining how the Business will put right anything that's gone wrong
  4. Most of the record keeping referred to above is carried out automatically. Subscription and marketing activities are handled by the website, so access to records is relatively straightforward. This also means that the Business’s master database is dynamic: as individuals subscribe or unsubscribe, or as data is added manually, the master database is always up to date. The beauty of this approach is that version control is always accurate, minimising irritation of data subjects once they have unsubscribed.

11. Contact Form data

Normal use of the website will often lead to the user making an enquiry. During the submission of the enquiry, the website will ask the user if they would like to subscribe to the News & Events list; if they do, the user is positively opting in to receive the News & Events emails. If the user prefers not to subscribe, their data will still be captured by the website (as a standard business process); however, the user will be notified by the website during the enquiry that, if they do not wish the website to capture their data, they should tick the box provided.

Any data captured or recorded is kept to a minimum, i.e. name, email and telephone number; this information is not sensitive and is necessary to conduct initial enquiry business. Following an enquiry, the data subject will only receive the News & Events email if they have opted in. The Business makes it very easy for a data subject to manage their data via a Data Management web page, and any inconvenience felt by the data subject following a marketing communication (email) is easily avoided in the future simply by following the unsubscribe link.

Once again, if the data subject does feel that the Business’s use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Business’s marketing.

12. Summary of the Business’s reliance on the ‘Legitimate Interest’ legal basis

Mathewsons is a well established business that takes its reputation very seriously. The Business is respected and wishes to embrace the ethos of the GDPR, further establishing its credibility through compliance and transparency. The Business does need to be progressive, and email marketing is seen as a cost effective form of profile raising. On balance our judgement is that the Business takes its data responsibilities very seriously and markets its services sensitively to an audience that has been shown to be of Legitimate Interest. The Business’s website uses an approach which records data in a compliant manner and only if consent is provided. Data subjects have good access to their subscription data, making the removal of their data from a marketing list very straightforward. All data subjects will be asked periodically to unsubscribe if they feel that the Mathewsons News & Events notifications are no longer appropriate.