Privacy Policy

Home > Privacy Policy

Privacy Policy

Prism Infosec Ltd is a UK-based cyber security consultancy with offices in Cheltenham and Liverpool. Prism Infosec is committed to protecting personal data and respecting the privacy of individuals. The following policy describes how we collect and handle personal data throughout the course of our interaction with clients and how we respect those rights and comply with applicable legislation.

Should you have any queries with regard to this policy or wish to make a subject access request or exercise any other rights under the terms of the UK Data Protection Act 2018 and the European Union General Data Protection Regulation please use our Contact Us page.

You can also put any request in writing to the following address: –

  • DPO, Prism Infosec Ltd, 803 Eagle Tower, Montpellier Drive, Cheltenham, Gloucestershire, GL50 1TA.

You have the right to make a complaint about our handling of your personal data to the UK Information Commissioners Office (ICO). For further details see: https://www.ico.org.uk/concerns.

Definition of Personal Data

Personal data is defined as information which can be used to identify an individual, either directly (name, date of birth, address) or indirectly (IP addresses, cookies et al).  Further details of the definition of personal data can be found on the Information Commissioner’s Officer’s web page (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/).

Collection of Personal Data

Prism Infosec collects personal data as defined above in the course of our operations. We do not collect special categories of personal data (such as race/beliefs/sexual orientation etc).

We collect much of the information based upon: –

  • legitimate interests (for example, to send you direct marketing about services similar to those you have purchased from us or negotiated or enquired about);
  • Fulfilment of a contractual obligation with you (for example, to provide you with services you have purchased from us).

Without your consent to provide personal data as part of delivery of a contract with you (for example, to provide one of our services or to receive payment) then we may not be able to successfully fulfil the contract.

Our collection of personal data is for the following purposes.

Business Contacts, Operations and Marketing

If you contact Prism Infosec via telephone, email, this website or any social media channel then we will collect the contacting party’s name, job title, company name, address, email address and telephone numbers. Through the course of ongoing interactions with you we may similarly collect the personal details of other people within the business based upon a requirement for interaction with them in the delivery of our services or for marketing purposes. Where there is no case of legitimate interest you must opt-in to receive marketing communications from us and you can withdraw this consent at any time using the “unsubscribe” feature of our communications.

The collection of this information is for the purpose of potentially providing proposals, entering into negotiations and for the possible delivery of business services to you based upon your contact.

We may share this information with our staff, associates and suppliers (e.g. solicitors and accountants), only where necessary in the delivery of a service to you under the terms of any commercial relationship we have in place. In the event that you do not enter into any commercial agreement with us for the delivery of our services we will not share your information to any third party, unless as required by law.

We will only retain this information within our Customer Relationship Management systems, email messages and other systems and applications for as long as necessary, including for the purposes of satisfying any legal / regulatory, accounting, or reporting requirements.

All marketing emails will include the ability to opt-out (via an unsubscribe link) from receiving future communications from us. Additionally, you may request us to ensure that you do not receive marketing communications from us via any source via our Contact Us page.

Use of this Website

Furthermore, if you contact Prism Infosec via the contact us page or order a Cyber Essentials assessment on this website, then we will collect the contacting party’s name, job title, company name, address, email address and telephone numbers. We also collect IP addresses of your organisation on the Cyber Essentials ordering page. Payment for a Cyber Essentials assessment is made via Paypal and we do not collect or store your payment details or any information pertaining to your payment data submitted to Paypal. See Paypal’s privacy policies for further details of how they collect, store and process this informaiton.

We use cookies on this website for analytical purposes and to improve the experience of using our web site. Our cookie policy page has further details on this.

We may also collect information when you visit the website, including but not limited to your IP address, location, time of access, the browser you use, your operating system and the pages you visit. We use Lead Forensics (see: https://www.leadforensics.com) and Google Analytics to analyse the use of our website and to identify organisations that we may wish to contact to discuss our services further. This involves the use of some JavaScript embedded in our page that will analyse the source IP address of your use of our site.

Information submitted via forms on the Prism Infosec is forwarded to staff members only and we will only retain this for as long as necessary, including for the purposes of satisfying any legal / regulatory, accounting, or reporting requirements.

Sharing of Personal Data

We do not share client personal data with third parties unless there is a legal requirement to do so or to ensure the successful delivery of services to you. Examples of legitimate business purposes for the sharing of your personal data include: –

  • Engagement of subcontractors to deliver a service to you as agreed under our terms and conditions;
  • The use of professional services such as accountants or solicitors associated with the ongoing operation of our company;
  • External certification service providers such as CREST and the National Cyber Security Centre (NCSC);
  • External third parties who, acting as data processors, provide IT, application and telephony services.

We do not sell your personal data to any other organisation.

Storage of Personal Data

We may store your personal data on: –

  • Cloud-based email services
  • Cloud-based Customer Relationship Management (CRM) services
  • Cloud-based accountancy services
  • EEA Cloud-based Infrastructure as a Service which we run internal services on
  • Telephony services (Simply66 Ltd Call Answering Service) who store voice messages and contact names, telephone messages and company names on our behalf

In using these services, the data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and transferred from such destination to another destination outside the EEA.  Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring our suppliers are compliant with the GDPR legislation.

Retention of Personal Data

Personal data is only retained for as long as we need it to deliver our services to you or to meet our legal obligations as outlined above.  Once personal data collected is no longer required it will be deleted from our storage facilities. Our data retention policy is available on request.

Information Security of Personal Data

As a cyber security consultancy Prism Infosec is committed to the information security of personal data that it collects, processes and stores. Prism Infosec is assessed to the UK Cyber Essentials Plus standard on an annual basis and is currently implementing an ISO27001 ISMS with a plan to have this certified in the future.

Prism Infosec has implemented technical security controls and information handling policies to mandate how data is protected within the organisation. Our data handling and customer engagement policies associated with the delivery of our client engagements have been independently audited by CREST.

Your Rights

Under the terms of the UK Data Protection Act 2018 you have a number of rights with regard to our handling of your personal data: –

  • The right to be informed: you have the right to be advised how your data is being handled and processed.
  • The right to access: you have the right to ask us (via a subject access request) to provide a copy of any personal data we hold about you.
  • The right to rectification: You have the right to request inaccurate or incomplete data that we hold to be updated.
  • The right to erasure (also known as ‘the right to be forgotten’): You can request that we erase your data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where you withdraw consent for us to hold your data.
  • The right to restrict processing: you can request that we limit the way an organisation uses personal data.
  • The right to data portability: You have the right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller,, where applicable i.e. where our processing is based on consent or is necessary for the performance of our contract with you or where we process your data by automated means).
  • The right to object: You have the right to object to the processing of personal data that has been collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority.
  • Rights related to automated decision making including profiling: You have the right to challenge and request a review of the processing / profiling for decisions made with no human involvement.

These are defined by the ICO at the following URL: –

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Further details can also be found at the following URL: –

https://gdpr-info.eu/chapter-3/

Subject Access Requests

You have the right to obtain a copy of all personal data we hold on you (subject access request). We do not charge to provide this access to personal data held). However, unfounded or excessive requests may lead to the leverage of an administrative fee at our standard admin hourly rate.  Alternatively, we may refuse to comply with the request in such circumstances, for example if requests are unfounded or excessive.

To ensure security we may need to confirm your identity using a passport or other Government-approved identification method.

To request a copy of the personal data we may hold on you, use our Contact Us page.

Third Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information.  Our appointed data processors include:(i) Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io.  Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at: dpo@sopro.io.