
Smithfield Performance Ltd

GDPR Readiness

We have always taken seriously our responsibilities towards data management and data protection. We have been registered with the ICO (UK Information Commission) for many years and we have maintained our policies and procedures in a rigorous manner.

With the GDPR regulations coming into effect on the 25th May 2018, we have undertaken a full review of our GDPR Readiness and built into our existing policies and procedures the changes needed to ensure our GDPR compliance. The following points summarise our internal GDPR Policy and Procedures:


  • We specialise in the measurement of people's attitudes towards their work, and in the measurement of people's competence for their work
  • We collect this data in order to help our clients to better understand the attitudes and the competencies of the people that work for them, so that our clients can improve management and leadership decision making

  • User data

  • Users are people who work for our clients
  • In order to analyse, interpret and report meaningful data we often collect demographic information about users. This demographic information may include variables such as job role, seniority, business unit, department, work location, and so on. It occasionally includes Special Category Personal Data, such as gender, gender identification, sexual orientation, ethnicity, health, and lifestyle data
  • The only personal identifiers that we collect as part of our consulting assignments are user name and user email address
  • We delete personal identifiers from our online and offline servers and from all devices as soon as the project assignment comes to an end. We keep anonymised data indefinitely and absorb it into our normative datasets
  • We do not collect any other personal identifier data from our users in our consulting assignments
  • We hold our user data in an online database which is housed on an EU server
  • We do not, under any circumstances sell, share or pass on user data to third parties
  • We collect most of our user data online using online survey methods. Occasionally we use paper and pencil methods of user data collection

  • Client and Prospective Client data

  • Clients are people who contract for our services
  • We hold the names and email addresses of our clients and our prospective clients on a separate, 3rd party EU server for the purposes of direct marketing, and we hold this data indefinitely
  • We hold the names, email addresses, work telephone numbers, and work addresses of our clients on our offline work devices, and we hold this data indefinitely for the purposes of ongoing business contact
  • We collect most of our client and prospective client data using standard business activity (referrals, conferences, direct marketing campaigns, etc)


  • Our Privacy Policy Notice is GDPR compliant and is permanently posted on our website (see Smithfield Privacy Notice)
  • Whenever we begin a new project assignment we point all new users to our online Privacy Policy Notice


  • We are committed to individuals' rights - the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object. Our Privacy Policy Notice invites users who wish to exercise any of their rights to contact us, and we will respond as soon as possible.
  • Our procedure is for a user who wishes to exercise his or her rights to email our Data Protection Officer (DPO) who will respond on behalf of Smithfield Performance Limited
  • Where the user wishes to be deleted the DPO has the authority and the access to delete the user's data directly, and the DPO will record the deletion in the GDPR Audit Trail. Where the user wishes to have his or her data electronically ported, the DPO has the authority and the access to compile the electronic data file (CSV file) directly and to send it directly to the user
  • The DPO will be responsible for dealing with all other exercised rights and will deal with them within the GDPR specified timescales


  • The lawful basis for our processing of personal data is "Consent - individuals have given clear consent for us to process their data for specific purposes." We only collect and report on data that is freely given by voluntarily participating users in our assignments


  • Our consent requests are prominent and use positive opt-ins, using clear and plain language, e.g. all of our surveys are prefixed by a specific positive opt-in question
  • All new users are specifically pointed to our online Privacy Policy Notice, e.g. all of our invitation emails have a statement relating to our privacy policy and a link to our policy online
  • We do not collect data that is observed (by tracking people online), derived from combining other data sets, nor inferred by using algorithms
  • Data relating to our clients and prospective clients is held for the purposes of direct marketing. All direct marketing emails have an 'Unsubscribe' button in the footer, along with our name, our postal address, and the name and email address of the person sending the email campaign


  • We do not work with children. We do not collect any data from children


  • We audit our online servers for any evidence of data breaches once a month. This is the responsibility of the Data Protection Officer
  • Our procedures ensure that the only personal identifiers that we use (name and email address) are deleted from our online and offline servers and all devices as soon as a project is complete, thus minimising the risks associated with data breaches
  • If we were to have a breach we would perform an analysis of the risk to the rights and freedoms of our users, clients and prospective clients. If the risk analysis indicates a high risk to such rights and freedoms, we will contact the ICO with the relevant details (categories and approximate numbers of individuals concerned, categories and approximate numbers of personal data records concerned, a description of the likely consequences of the breach, and the measures that we propose to put into place). We will also immediately inform the individuals concerned
  • Examples of breaches include: access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data


  • We have performed a Data Protection Impact Assessment (PIA) in order to assess the risks associated with Special Category Personal Data that we sometimes collect as part of an assignment. This internal document describes the steps that we take to reduce the privacy and compliance risks associated with Special Category Personal Data


  • Despite being an SME we have established the role of Data Protection Officer. We have done this because we are people-metrics specialists, and our business model is predominantly an online business model in which we collect data from users using mostly online methods. As such we feel that having a DPO will give us visibility of, and effective management of, data protection risks


  • There are times when we carry out cross-border processing. We have a single establishment based in the EU (the UK) that carries out processing which substantially affects individuals in other EU states. The lead authority for our processing establishment is the UK Information Commission (ICO)