Legal Basis Assessment

This document aims to explore the appropriateness of the legal basis of ‘Legitimate Interest’ for the processing of personal data by Betton Design Ltd. with respect to the GDPR and the rights of the individuals whose data is processed and stored by the company. In this document, Betton Design Ltd. may be referred to as the Company.

1. About Betton Design Ltd.

Betton Design Ltd. aspires to be a fair, transparent and ethical business both towards its employees and towards its clients. It is a small company that has, over the past decade, worked hard to establish a website development business, producing quality bespoke Content Management System (CMS) websites. The Company has established itself as a very capable, thorough and technically skillful business, which is well integrated within the local business sector, primarily working with progressive, locally owned SME businesses, micro firms and also partnerships and sole traders. As a business, Betton Design is engaged with businesses rather than consumers.

The Company has a web bias, but does also have a graphic design function, and it is with this combination of skills that Betton Design aims to develop its business further by marketing a number of new and well considered products, which will hopefully appeal to a wider spectrum of business. The company currently employs 4 members of staff.

The main areas of business for Betton Design are:

  1. The design and development of sophisticated CMS websites
  2. The design and development of more accessible static websites *
  3. The provision of an entry level/budget website package (The Kickstart Bundle website) *
  4. Hosting services for all website options (mainly CMS Hosting & Maintenance)
  5. The provision of an email marketing service.
  6. Graphic design
  7. The Kickstart Bundle *
    1. The Kickstart Branding Pack
    2. The Kickstart Website Pack
    3. The Kickstart Social Media Pack
  8. Social media setup *
  9. Print - this service complements graphic design

* These areas of business are the main focus of our current business development program.

The Company has recently developed a number of services which are more accessible to younger businesses - these products are listed above and marked with *. Developing a team to cater for the demand for these new products should be less challenging than recruiting for developers that are capable of working on our bespoke Content Management Systems. Our new products are ready to go to market, so we should be able to build sales, making use of our own services to raise Betton Design’s profile.

2. Why does Betton Design Ltd. need to process personal data?

There are three main areas of data processing that the Company undertakes. These are:

  1. Employment data processing (Data Controller)
  2. Administrative and commercial data processing (Data Controller)
  3. Business development and marketing data processing (Data Controller)

Taking each of these areas in turn, this document aims to explore:

  1. The objectives of data processing
  2. The relevance and importance of data processing to the business
  3. The impact on the individuals whose data is processed
  4. The expectation of the individual that their data would be processed and
  5. The rights of the individual whose data is processed

2.1. Employment data processing (Data Controller)

Betton Design processes employees’ data for legitimate and common business purposes, in situations which are not necessary for the performance of the employment contract, but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage the employment relationship and interaction between employees.

2.2. Administrative and commercial data processing (Data Controller)

Betton Design processes supplier and customer data for legitimate and common business purposes, in situations which are not necessary for the performance of the business, but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage the relationship and interaction between the Company and its suppliers and customers.

2.3. Business development and marketing data processing (Data Controller)

Betton Design processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain ‘low risk’ personal data to gather market intelligence, promote products and services, communicate with, and tailor offers to, individual customers and contacts.

Specific examples are:

    1. Discretionary service interactions - customers are identified in order for them to receive communications relating to service developments and product notifications relating to our products
    2. Direct marketing – of the same, or similar, or related products and services
    3. Targeted and speculative marketing of the Company’s products and services to appropriate local businesses
    4. Analysis and profiling for business intelligence - the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
    5. Ad performance and conversion tracking after a click
    6. Audience measurement – measuring audiovisual audiences for specific markets
    7. B2B marketing, event planning and interaction

Betton Design does intend to build its business and, with this in mind, it will need to reach out to the business community in particular to raise awareness of the Company’s services. The primary target audience of the Company is local SMEs and micro businesses.

Betton Design may obtain an individual’s information by various means. In some cases the data may be captured via the Company’s website or during networking events, exhibitions, or business intelligence gathering exercises.

The Company does look to secure its hard-earned reputation throughout any marketing campaign - consequently it is very careful to consider the relevance of its products and services to a data subject. All marketing subject data will be contained within the online master database; the Company will categorise the origins of the data in a number of lists.

The lists contained within the master database could be: 

  1. Website enquiry data
  2. Website sign up to our news data
  3. Bought in data
  4. Telephone enquiry data or
  5. Manually inputted data

The argument here is that any business or individual that has used the Company’s services, has shown interest in our services or would naturally benefit from the services of Betton Design for their own marketing and promotions, is of ‘Legitimate Interest’ to Betton Design Ltd. As such, but in compliance with the data protection and privacy structure provided by the GDPR, Betton Design Ltd has a compelling and reasonable right to record their data in order to promote its services. The data processed is not considered to be sensitive according to the guidelines of ‘Special Category Data’ and the contact would fully expect a local B2B company to process their data, in order to provide information and suggest opportunities for the marketing of their business. Due to the nature of the Company’s services and products, and due to the non-sensitive nature of the B2B data collected by the Company for marketing purposes, there is a minimal risk of offense to, or harm to a data subject as a consequence of their data being used for marketing the Company’s services.

In order that the Company fulfils a cost effective marketing strategy, email marketing will be the preferred approach - making use of the Company’s in-house mailer facility. Any data processed will not be sensitive, and as such will not require special protection under the GDPR.

3. The rights of the individual whose data is processed

3.1. Minimal intrusion

Following any email marketing correspondence, the data subject will be encouraged to view the Company’s Privacy Policy, where they will be able to see the legal basis on which the Company relies for gathering data. In the event that an individual feels that their data is unconnected to the business that they represent or that they do not expect their information to be used for purposes connected to the product or service of Betton Design, they will be able to manage their subscription via the Betton Design website Subscriptions page (accessible via the unsubscribe link on an email or via the Company’s Privacy Policy page).

The Subscriptions page is intended to provide a minimal intrusion experience for the data subject. Should the data subject wish to see their data stored in the Betton Design master database, they will receive a link to their own Subscription web page, from which they will be able to unsubscribe from a mailing list or update their data. In the event that an individual would like to exercise their right to erasure, they will be provided with an email address on Betton Design’s Privacy Policy and their request will be considered with reflection upon the criteria prescribed by the GDPR.

3.2. Sharing data

Betton Design will not share its database with any other business. Betton Design may need to make use of third party data processors in order to fulfil their marketing challenge; on these occasions, a contract will be in place between Betton Design (the data controller) and the third party data processor - only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of GDPR, will ensure that both parties understand their responsibilities and liabilities.

Data may need to be shared with the authorities such as the ICO during an IT or Cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscriber’s details during an anti-fraud or criminal investigation.

3.3. Security measures and online safeguards

This section will focus on the security measures that Betton Design has in place for the hosting and administration of its own website bettondesign.co.uk. The website is a Content Management System and as such is able to collect and organise data into lists (these lists identify the origin of the data, so, subject data from an enquiry via the website, subject data from a ‘Latest News’ signup form via the website, manually entered data, etc.). The data is contained in a main database, which is hosted online.

As a specialist web development business, the Company’s own website utilises a vast array of security measures from server through to website. The website is hosted by a GDPR compliant hosting services provider on a Virtual Private Server (VPS) and benefits from a rigorous maintenance regime for optimal site security.

3.4. Privacy impact & risk mitigation

Betton Design has designed processes which work to establish transparency as well as to protect the data subjects’ rights according to GDPR guidance; these processes include the following:

  1. Routine data consent refresh every 12 months - All data subjects will be emailed to confirm that they are happy to remain subscribed to one or more of the Company’s commercial or marketing lists - the email will provide clear access to:
    1. Details relating to the data controller (Betton Design)
    2. The legal basis used by the Company for processing data
    3. How the Company may use the data
    4. What data is processed by Betton Design (non sensitive)
    5. Betton Design’s Privacy Policy
    6. A Subscriptions page
      1. Right to withdraw consent
      2. Unsubscribing from all lists
      3. Contact details about the controller’s Data Protection Officer
      4. Link to a supervisory authority to lodge a complaint against Betton Design
    7. Information relating to 3rd party data processors
    8. Information relating to sharing of data
    9. Information relating to security of and storage of data
    10. Information relating to retention of data
    11. Information relating to the right to erasure
  2. Record keeping of the activities relating to the way that the Company processes an individual’s data
    1. How and when data was collected
    2. How and when data was used
    3. When the data subjects’ consent was refreshed - consequence of the refresh
  3. Record keeping of any actions taken by the subject following any communication from the Company
    1. Opens, clicks, unsubscribes
    2. Correspondence with the Company’s email address
    3. How and when a contact unsubscribes
      1. Unsubscribe link from Marketing email
      2. Subscriptions page unsubscribes (directly via bettondesign.co.uk)
      3. Verbal notice
    4. Responses to any complaint relating to information/rights that we receive, clearly stating how we have processed the individual’s personal information and explaining how the Company will put right anything that's gone wrong
  4. Most record keeping referred to above is carried out automatically. Subscription and marketing activities are handled by the website, so access to records is relatively straightforward - this also means that the Company’s master database is dynamic - as individuals subscribe or unsubscribe or as data is added manually, the master database is always up to date. The beauty of this approach is that version control is always accurate, minimising irritation of data subjects once unsubscribed.

4. Summary of the Company’s reliance on the ‘Legitimate Interest’ legal basis

Betton Design Ltd is a small business that takes its reputation in the local business community very seriously. The Company is a technically skillful business which wishes to embrace the ethos of GDPR, further establishing its credibility with compliance and transparency. The Company does need to be progressive and its target audience is primarily local SME and micro businesses. The services provided by Betton Design are relevant to most businesses and it is the quality of the Company’s services that demands an ethical and professional marketing effort, which can only be enhanced by adherence to the GDPR. As the Company attempts to build trade, email marketing will be used as a cost effective and highly relevant marketing channel (a product of the business) - all the more reason to demonstrate this product well.

Almost without exception, enquiries into the Company (through various channels) are from existing businesses, or from individuals who are exploring a new business venture. The Company gathers an enquirer’s data as a means to engagement and dialogue, but also to help develop exposure. Any preliminary data captured or recorded is kept to a minimum, i.e. name, email and telephone number; this information is not sensitive and is necessary to conduct initial enquiry business. Following their initial enquiry, the data subject is likely to receive some further communication via email, relating to services that the Company offers. The assumption here is that the data subject is very likely to require services that are offered by the Company and their business is likely to benefit from some exposure to them - consequently, the data subject is very likely to be interested in the content of the marketing and would reasonably expect that their data will be used for marketing purposes. This is also the case with data that is gathered through local business intelligence and networking. The Company does make it very easy for a data subject to manage their data via a Data Management web page and any inconvenience felt by the data subject following a marketing communication (email) is easily avoided in the future simply by following the unsubscribe link.

Occasionally an enquiry will be made which contains a personal email address - the Company takes the view that a data subject that uses a personal email address for business purposes does so, accepting that their email address is in the business domain. Once again, if the data subject does feel that the Company’s use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Company’s marketing. As an aside, there are many small local businesses that do use personal email addresses within their own marketing campaigns and the Company may record this data for marketing purposes.