GDPR: General Data Protection Regulation
PART A: General
This document is the current operational version of the GDPR Compliance policy effective from 25th May 2021 and applies to activities of Business Mediums that consists of the following entity.
8000 Towers Crescent Drive, 13th Floor, Vienna,VA 22182, USA
The core activity of Business Mediums is to provide support to its customers in marketing B2B products by generating effective leads from the target markets.
The lead generation is done through intelligent market research collecting relevant data to identify reliable purchase intent of corporates through different channels including through business partners using relevant technology in social media marketing, web marketing, e-mail marketing, and telemarketing.
In the process of these activities, Business Mediums acts as an intermediary who adds value to the B2B marketing chain. The campaign information is provided by the Customers which are fine-tuned and converted into campaign materials for distribution to the potential market space.
The distribution to the end target customers by the placement of the campaign materials in relevant media is done through external publishers who generate leads. A part of the leads is generated by in-house publishing activity and the use of innovative corporate intent marketing tools developed by the R&D team of Business Mediums.
The leads generated by the publishers are intelligently filtered to improve their quality and converted into actionable marketing targets before being passed on to the customers.
Business Mediums has developed proprietary products, processes, and information generation systems which includes the development of reliable vendors and trained manpower, which together reflect the value proposition that Business Mediums brings to the B2B marketing eco-system across the globe. Sustaining and nurturing this expertise and using it for harnessing commercial opportunities represents a legitimate interest of Business Mediums.
This Code of GDPR Compliance adopted by Business Mediums declares that Business Mediums is committed to the concept of “Privacy as a fundamental right of a citizen of a democratic society” across the globe and in good faith shall implement all the Privacy principles mandated under GDPR where it is applicable.
Business Mediums however discloses that it is its legitimate interest that it carries on a legitimate business operation across the globe as a B2B market intermediary and it is the democratic right of Business Mediums to carry on its business in good faith without being in conflict with the rights of the individual natural persons whose Privacy is sought to be protected under GDPR.
Business Mediums also discloses that its business model requires the collection of only the Data of business entities which are outside the purview of GDPR and Business Contact data which is not personal data but may include personally identifiable information in part but does not include personal data of children and Personal data that is classified as “Special categories” under GDPR.
Business Mediums Group is basically a “B2B marketing intermediary” which operates across the globe generating marketing leads and servicing clients in many countries. Business Mediums does not operate in the consumer market and hence does not either directly or indirectly collect personal information of EU data subjects. The data that Business Mediums collects is generally in the category of Business Contact Data of corporate employees which inter-alia contains the name, the work e-mail, and work phone number.
A part of B2B marketing leads is generated in the EU countries and in the UK. Some of the Customers located in EU/UK may also avail of the services of Business Mediums. Currently, a majority of interactions with Customers are in the US and a majority of interactions with Lead Generating business partners are in India.
The GDPR exposure of Business Mediums is therefore recognized when Business Contact Data is collected from business organizations operating in EU/UK regions.
Approach to GDPR Compliance
In order to enable the application of as stringent a norm as feasible to the processing of data which is exposed to GDPR Compliance Risk, Business Mediums adopts a policy to treat GDPR Sensitive Data (GSD) as “Sensitive Data” flowing through Business Mediums’s resources by tagging the incoming data with a suitable tag to classify it as GSD where applicable.
The Privacy protection of data subjects and Security of information related to Privacy protection in respect of the GSD tagged data is factored into the design of the support structure.
Though data is processed in specific locations and the technical infrastructure for processing GSD are located in such specified locations, an enterprise-level GDPR awareness has been created and will continue to be pursued so that the principles of this GDPR Code of Conduct percolates to the entire organization beyond GSD processing to include the Marketing, Financial, and Managerial functions which may be located in different locations with their own technical and administrative infrastructure.
In order to effectively implement the security for the entire data processing infrastructure, the Company has adopted a comprehensive information security policy that includes multiple sub-policies regarding data access, processing storage, transmission, etc.
Business Mediums recognizes that “Privacy” is an important democratic right in civil society. As a responsible corporate entity, Business Mediums is committed to the protection of privacy of all individual natural persons whose personal data comes into the corporate data repository for processing.
In view of the presence of Customers in the EU/UK and the monitoring of activities of corporate employees residing in EU/UK, Business Mediums has chosen to adopt GDPR Compliance standards towards the protection of the Privacy of all-natural persons who may interact with the group even where such interaction is only in their capacity as employees of different business entities pursuing the business objectives of their respective business organizations.
The Core activity of Business Mediums involves the processing of data related to the purchase of different products for corporate use. The activity spectrum includes Collection, Aggregation, Analysis, Segmentation, and intent monitoring. In the process of such processing, Business Mediums adds value to the raw data that is collected from the business environment and converts it into value-added business decision aiding information.
The Raw Data collected is recognized as data belonging to the data subject and to which the Data Subject’s rights under GDPR are applicable. The value added to the data that occurs during the process arises out of the proprietary data processing capabilities of Business Mediums on which Business Mediums has a certain level of intellectual property rights claim.
If any data has been pseudonymized, the value-added pseudonymized data shall be considered as data on which Business Mediums has a legitimate interest to use for further research. Non-Pseudonymized data even in the value-added state is subject to the exercise of Data Subject’s rights such as Access, Rectification, Restriction, Portability, and Erasure. Pseudonymized data if any will not be classified as GDPR sensitive.
Business Mediums possesses a legitimate business interest as recognized under Article 6(1)(f) of the EU GDPR regulations, in the collection and processing of Business related data such as firmographics and Business Contact data of decision-making officials in the business entities
Also, the business of Business Mediums involves operations within and outside EU countries and hence is exposed to statutory obligations of different countries related to Data Processing as well as other laws applicable to business in general and IT-related activities in particular, as envisaged under Article 6(1)(c) of the EU GDPR regulations.
Further, Business Mediums has adopted business practices for lawful processing incorporating the principles of EU GDPR as enunciated under Article 6, including obtaining informed explicit consent where required and adhering to the requirements of contractual obligations with the data subjects if any.
The policies of Business Mediums on Privacy and Data Protection are therefore structured with specific Privacy and Information Security controls that address the issue of identifying GDPR sensitive data at the stage of its origin and entry into Business Mediums system and tagging them throughout its life cycle of processing.
Expanding the Scope of Compliance to the Data Processing Eco-system
Further, keeping the legislative intent of protecting the fundamental right to privacy of individuals, enunciated under EU GDPR, appropriate Technical and Organizational/Administrative controls are maintained to ensure that all downstream business associates who may have access to GDPR sensitive data for processing on behalf of Business Mediums are also GDPR compliant.
Business Mediums recognizes that in most parts of its operations, it is not a “Data Controller” but is a “Data Processor” for the purpose of GDPR. It may assume the role of a “Joint Controller” when it uses the services of sub-contractors for any part of its processing.
Keeping these roles in view, Business Mediums’s policies and controls are structured to ensure GDPR compliance, including maintenance of appropriate Technical and Organizational/Administrative controls to keep itself duly informed about the GDPR compliance activities of its business partners and also sharing with them Business Mediums’s own GDPR Compliance measures as may be necessary.
Limitations of This Document
The following paragraphs provide the umbrella policy of Business Mediums for GDPR compliance at the Corporate level highlighting the approach of Business Mediums on achieving a satisfactory level of compliance of GDPR principles in its operations.
This policy document is meant for limited sharing with stakeholders including business entities outside Business Mediums and hence excludes proprietary information on the processing where it is essential to protect the Intellectual Property of the organization.
Any request for disclosure of information beyond what is stated here will be addressed under the Data Disclosure Policy of Business Mediums and such requests may be directed to the Privacy Manager through a non-reputable authenticated e-mail.
Part B: Specific Policy Outlines
1. Assigned Responsibility
Business Mediums has designated a Privacy Manager who will be the contact person to handle all data subject requests and complaints. Considering the current level of risk exposure to GDPR sensitive data in Business Mediums, it is considered that the core activity of Business Mediums does not involve a large scale and systematic monitoring of EU data subjects nor offering of any services to individuals in the EU and hence there is no requirement to designate a “Data Protection Officer” as envisaged under GDPR.
An Information Security Governance Committee (ISGC) will be overall in charge of Information Security including GDPR compliance. It will be the apex policy-making body of Business Mediums responsible for laying down all information security policies including GDPR policy and will monitor the need to designate any person or a consultant as Data Protection Officer in due course.
2. Data Classification
Business Mediums is not involved in marketing to any individual natural persons and hence does not normally collect personally identifiable data coming under the regulatory provisions of GDPR. However, all potentially identifiable personal data such as e-mail address and phone number of an employee of an organization is classified as “GDPR Sensitive” if the business unit or the employee is knthe own to be located in EU/UK.
Accordingly, the entire Business contact data set associated with a physical location address in EU/UK is identified as GDPR Sensitive Data (GSD) and tagged during further processing within the organization.
In the absence of the physical location information of the data subject, the physical location of the associated business organization would be considered relevant.
3. Data Audit
Once before 25th May 2018 and thereafter at monthly intervals or as otherwise determined by the ISGC, stored data sets will be verified to locate any GSD and verify the compliance requirements associated with it such as whether the data needs to be archived, deleted, or otherwise specially secured.
Any GSD data set not accompanied by an appropriate “Consent” or “Legitimate Interest Note” will be recommended for deletion.
On confirmation, such data will be forensically deleted.
4. GDPR Impact Assessment
A GDPR Gap assessment has been undertaken and corrective action has been implemented as required before 25th May 2018. After 25th May 2018, a Data Protection Impact Assessment (DPIA) will be undertaken whenever a significant new project is undertaken as and when the ISGC identifies the necessity.
5. New Business Acceptance Policy
On or after 25th May 2018 all-new business commitments involving the processing of data will be subject to the approval of the ISGC with a specific GDPR Impact Assessment note submitted from DPO in consultation with the Technical team in charge of the processing.
6. GSD Data Storage Policy
GSD shall be stored in systems that are accessed only by designated persons on a strict “Need To Know Basis”.
Every GSD set shall be tagged with the Data Controller from whom it was sourced and who is responsible for the collection of the data under consent or contract.
Any specific restrictions associated with such data set shall also be tagged with the data set.
The Data storage shall enable individual data set to be located and processed for the execution of any Data Subject’s rights such as request for data rectification, data portability, data erasure, or data access at any time during its life cycle.
7. GSD Data Access Policy
GSD shall be accessed as per the Access Control policy which ensures that each GSD data set shall have specific access parameters this defines who can access the data and how they access the data. Only those who are designated as GSD workforce shall be allowed access to the GSD data set.
Use of access parameters such as Passwords shall be defined with a degree of complexity and uniqueness as may be required and supplemented with Encryption and Machine ID tags so that GSD data may be accessed only from specific hardware which is assigned to the authorized GSD workforce.
Where data storage is on the cloud, only GDPR compliant cloud services shall be used along with additional controls as may be required in ensuring that data at storage and transit shall be protected from unauthorized access.
Project-specific GSD shall be stored in such a manner that only employees associated with a given project get access to the data. Cross-project access shall be regulated on a need basis.
8. GSD Data Retention Policy
GSD shall be retained in an active process environment only for the minimum period for which it is required for processing. Thereafter, the data shall be archived securely as per the requirement identified under legitimate interest for example until the project billing cycle is complete.
Subsequently, data shall be continued in secure archiving or destroyed as per the identified legitimate interest requirements of the Company.
A monthly review of archived data shall be undertaken to identify data that is no longer required which shall be referred to ISGC for disposal instructions.
Legal obligations on data retention which may arise due to any overlapping legislations shall be factored into the legitimate interest assessment.
9. GSD Data Disclosure Policy
Any request for disclosure of GSD shall ordinarily be received only from the source Data Controller.
It is recognized that requests received directly from the data subjects are subject to phishing risk and such requests if any shall be referred to the corresponding Data Controller who collected the data from the data subject under consent or contract that may exist between them.
The data to be disclosed shall be sent only to the Data Controller for onward transmission to the Data subject after properly authenticating the identity of the representative of the Data Controller who makes the request.
In exceptional circumstances where data needs to be disclosed directly either to a data subject or his authorized representative or a law enforcement authority, adequate authentication of the identity of the person making the request shall be ensured.
All data disclosure requests are to be approved by the ISGC before the release of the data and the request as well as the assessment documents shall be considered as required GDPR compliance documentation.
10. GSD Data Incident Management Policy
An “Incident” under this code shall be any observation that has the potential to indicate that GSD compliance code or any policies or procedures thereunder has been violated whether or not any data is suspected to have been compromised.
A whistleblower’s policy may be used to ensure that incidents are reported promptly by any observer either within the Company or outside.
Any such incident which comes to the knowledge of Business Mediums shall be logged in a GSD Incident Management Register and referred to the DPO for immediate action.
The DPO shall review the incident report and take immediate steps to resolve the incident and also to report the incident to the ISGC.
The ISGC will convene a meeting expeditiously and evaluate the incident to identify if it involves any suspected data breach. Where necessary, ISGC may order an immediate techno legal audit for a risk assessment of the incident. Based on the risk assessment ISGC shall decide the need for further action including sending a data breach notification to the Data Controller associated with the Data.
An incident where GSD has been accessed by another employee of the organization is considered as a Security Incident and not necessarily a “Breach”. However, such incidents shall be investigated as to the cause of unauthorized access and if it is unintentional accidental access it may be resolved with a suitable internal disciplinary action as per the HR policy. If data has not moved out or accessed by an outsider, the incident may be classified as an internal data accident not amounting to a breach.
In the event the access or data moved out is known to be in encrypted form and was in a state in which it was undecipherable by the recipient, subject to suitable internal investigation as to the security of the associated decryption key, the access may be classified as an internal data accident not amounting to a breach.
11. GSD Data Breach Notification Policy
A “Data Breach” incident is an incident in which Business Mediums has after necessary investigation, come to the knowledge that access to any specific data set under GSD has been compromised and an external entity has come to access or send out a GSD set.
Such data breach incident shall be immediately reported to the ISGC which shall without further delay notifies the Data Controller associated with the data set along with relevant details of the incident.
Such a report shall specify the nature and extent of the breach, time and date of the breach, the details of the affected data subjects, action taken on the noticing of the breach, etc. Where necessary the data breach may be also reported to a supervisory authority.
12. GSD Data Subject’s Rights Management policy
Business Mediums data processing system has incorporated “Privacy and Security by design” so as to enable compliance of GDPR requirements particularly in respect of the Rights of the Data Subject provided under GDPR.
In order to meet these rights of the data subject such as “Access”, “Rectification”, “Erasure”, “Portability” and Right to impose “Restrictions”, Business Mediums has enabled its GSD storage and access systems in such a manner that a data set belonging to a specified data subject may be extracted separately and processed.
The system has therefore been designed to be compliant to the most stringent requirements of GDPR.
Whenever a request for exercising of such rights is received from a Data Subject, as per the Data disclosure policy, the request is first validated and then in case the data has been received from a Data Controller, the data controller would be requested to confirm the data disclosure.
Ordinarily, the request is processed in communication with the data controller and if it is to be ported, it is returned back to the data controller.
In exceptional circumstances where Business Mediums has to handle the request of a data subject without the cooperation of the data controller, appropriate precautions will be taken to prevent a wrongful disclosure since it would be in the legitimate interest of Business Mediums to be indemnified against any possible wrongful disclosure.
13. GSD Data Transmission Policy
GSD data may ordinarily flow into the system through an application interface (API). The access to the interface is through a secure password access system augmented with a suitable second-factor authentication where significant GSD risk is identified.
The data transmission is on an encryption basis subject to the management of transmission security covering known vulnerabilities.
The application itself along with its inherent storage and processing elements and the API are secured against unauthorized access and malicious attacks by an appropriate malware and secured access management system
Where GSD set is transmitted to the Customer or Subcontractor also, the transmission is managed through encrypted communication channels either through an API or an encrypted e-Mail.
14. GSD Marketing Use Policy
When Business Mediums uses GSD for any marketing purpose either through Email or Telecalling or otherwise, care is taken to ensure that there is an appropriate consent or contract to enable such communication.
Business Mediums also insists that its partners both the lead generators, subcontracting processors, and customers do not use the GSD except as per the available permissions.
Where an unambiguous consent is not available, no business contact data is collected from the lead generators or passed onto the customers, or processed through the subcontractors.
Such data is killed in the first instance when it enters Business Mediums system and identified as a “GSD without proper processing consent”.
15. GSD Consent Policy
All information classified as GSD by virtue of the data subject being located in EU/UK or his/her employer being located in EU/UK shall be accepted only if the data subject has provided an explicit consent based on the format as required under GDPR.
In the pre-GDPR scenario, such consents had been generally collected under the principles of Personal data processing which included a Privacy Notice. Such Privacy Notice indicated what information was being collected, the purpose of collection, the time for which it would be retained, how it would be secured, whether the information was accurate, whether it would be transferred out of EU for processing, etc., Some of the consents were based on the “Opt-in” principle as a default setting.
Under GDPR, it is essential that personal data is collected only on the basis of an Explicit Consent where “Opt-Out” is the default option and only on the basis of an affirmative action indicating acceptance, the consent would be accepted.
Additionally, the Privacy notice should also indicate that the Data subject has certain rights such as “Right to be informed of the identity of downstream processors”, “Right to access and rectification”, “Right to Portability and Erasure”.
In view of the new requirements, all consents obtained in the pre-GDPR format shall be considered as invalid and such data would be discarded by Business Mediums.
External Publishers who generate Leads for Business Mediums shall confirm through their contracts that they would provide only leads generated with the new form of consent in case the data subject is located in EU/UK.
16. GSD Stakeholder Communication Policy
Business Mediums operates through many external organizations that are stakeholders in Business Mediums GDPR compliance program. Such organizations include its Customers, Lead Generators, Sub-Contractors, etc.
For effective compliance, no GSD data should be exchanged in any communication with the stakeholders except through secure transmission and to authorized representatives only.
While the communication through API is controlled by the access policy, any other communication through e-mail should be controlled with an Email Communication policy.
Essentially an Email Communication policy shall define that sharing of any GSD or GDPR compliance information with a stakeholder shall be only through a notified contact Email address who will be in most cases the DPO of the other organization, where necessary Email communication may be encrypted and authenticated with a digital signature.
17. GSD Legitimate Interest Identification Policy
Business Mediums recognizes that certain rights of the data subjects such as Data Erasure or Data Rectification could be in conflict with the legitimate interest requirements of Business Mediums or may be in conflict with the data retention laws which may be otherwise applicable for the data in view of other legislatory obligations.
In all cases of Data Subject’s Rights being implemented, Business Mediums would evaluate the request before taking further action. In the event Business Mediums recognizes a need to refuse the request or modify it for acceptance, the reasons would be documented and a GSD Legitimate interest note would be developed by the ISGC.
Where the data is not required to be active, it may be archived securely until the legitimate interest expires.
The reasons for exercising legitimate interest argument for processing the data subject’s request shall be conveyed to the Data Controller who is responsible for the Data Subject for onward transmission to the data subject.
18. GSD People Management Policy
GSD will be considered as a data set that requires exclusive and special attention in terms of information security while it is in the custody of Business Mediums.
Hence, GSD would be suitably tagged and processed on a need to know basis by a specially trained set of employees.
These employees and the systems in which GSD would be stored, accessed, and processed would be managed securely considering the level of risk that is associated with GSD.
Assignment of people to this GSD processing and their removal shall be managed with the appropriate security measures including a higher level of background verification, training, physical access identities, sanction policies, etc.
The HR policies need to be appropriately upgraded for the GSD workforce as may be required.
19. GSD Pseudonymization Policy
It is recognized that Pseudonymization is a strategy to reduce the risks in the processing of GSD.
Pseudonymized personal data is not considered as “Personal Data” for the purpose of GDPR regulation provided the Pseudonymization process is adequately structured.
In view of the current level of exposure of its operations to the GDPR Risks; Business Mediums has not considered it necessary at present to use Pseudonymization as a strategy for risk mitigation.
20. GSD DRP-BCP Policy
Business Mediums recognizes the importance of an effective Disaster Recovery and Business Continuity plan for its operations including the operations involving GSD processing.
Business Mediums will maintain adequate back up of GSD data and reasonable ability to maintain Business Continuity in case of any contingency.
21. GSD Compliance Documentation Policy
The measures of GDPR compliance shall be documented so that they would be available for review. The Compliance documentation shall be retained for a minimum period of 6 years since its creation.
In the event any document is potential evidence for law enforcement requirements or for defending the legitimate interest of Business Mediums, such a document would be retained as long as the requirement persists.
22. GSD Audit Policy
An Internal Security audit team of Business Mediums shall audit the information assets of Business Mediums at least once in a year to assess the level of security and compliance to GDPR and other regulatory requirements.
External audits may be considered on the basis of an assessment by the ISGC whenever a substantial change in business profile occurs.
Business Mediums reserves the right to conduct an audit of the facilities of any of its sub-contractors to ensure compliance as per the contractual obligations.
Business Mediums however recognizes that the empowerment to audit a sub contractor’s facilities is enablement and shall be used only under exceptional circumstances. This does not reduce the responsibility of the subcontractor to meet the compliance requirements at their end as per the contractual assurances provided.
23. GSD Grievance Redressal Policy
Business Mediums will provide a multi-level Grievance redressal policy to redress disputes if any with any data subject. Such grievances will be addressed by the DPO at the first level, the ISGC at the second level, and an Online Dispute Resolution Committee set up for the purpose by the Board at the third level.
Any queries from a GDPR supervisory authority shall be handled by the DPO and escalated to the ISGC where required.
Any disputes with the Customers, Publishers, or Sub Contractors shall be handled as per the respective contractual agreements.
24. Network Security Policy
In order to ensure that the IT infrastructure used by the Company is secure, Business Mediums shall adopt a robust information security policy inclusive of Firewalls, Intrusion Detection Systems, Malware Prevention System, and System Patching, etc. as required.
A designated Information Security Manager shall be responsible for the maintenance of Network security.
P.S: This Code is subject to revision from time to time.