At Go Gaga Experiential Limited we take the responsibility of managing our stakeholders’, employees’ and clients’ data very seriously.
This policy therefore seeks to ensure that we:
- Are clear about how personal data must be processed and about Go Gaga Experiential’s expectations for all those who process personal data on its behalf;
- Comply with existing data protection laws and with good practice;
- Protect Go Gaga Experiential’s reputation and the reputation of our partners/clients by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights;
- Protect Go Gaga Experiential from risks of personal data breaches and other breaches of data protection law.
Go Gaga Experiential takes into account the GDPR terms and conditions and the Kenyan Data Protection Act 2019 on all data collection platforms, informing users at the point of collection that data is being collected and for what purpose. We give our customers the choice to opt in before using our services or sharing their personal data.
- We only collect personal data when we need it.
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes or any other type of default consent.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organization and any third-party controllers who will be relying on the consent.
- We allow individuals to withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
Data Retention
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
As Go Gaga Experiential:
- We know what personal data we hold and why we need it.
- We carefully consider and can justify how long we keep personal data. We regularly review our information and erase or anonymise personal data when we no longer need it. (Review Annually)
- We have a policy with standard retention periods where possible, in line with documentation obligations.
- We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
All personal data is categorized based on the similarity of the retention period, following the GDPR and Data Protection Act 2019 framework, under which personal data is not kept longer than is necessary for the purposes for which it is processed. We ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate and clear measures.
Article 5(1)(c) says:
“1. Personal data shall be:
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”
As Go Gaga Experiential:
We only collect personal data we actually need for our specified purposes with the consent of our client.
We have sufficient personal data to properly fulfill those purposes.
We periodically review the data we hold, and delete anything we don’t need.
We follow the GDPR policy, under which we look at the sufficiency of the data, by properly fulfilling its stated purpose; its relevancy, by understanding the purpose; and its limitation to what is necessary, by not holding more than we need for that purpose.
Our data deletion policy rule is determined for each data category based on collection date, average processing time and the start of the respective retention period.
We know how to recognise a request for erasure and we understand when the right applies.
We have a policy for how to record requests we receive verbally.
We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for erasure
We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.
We are aware of the circumstances when we can extend the time limit to respond to a request.
We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.
We have procedures in place to inform any recipients if we erase any data we have shared with them.
We have appropriate methods in place to erase information.
We use encryption and/or pseudonymisation where it is appropriate to do so. (Third Party Supplier)
We understand the requirements of confidentiality, integrity and availability for the personal data we process.
We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement. (Third Party Supplier)
Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
We ensure that any data processor we use also implements appropriate technical and organizational measures.
In case of a data breach we brief our data controller, a third party (Evo Business Solution), within 48 hours via official email communication. The data controller then investigates and analyzes the breach, taking the necessary and proportionate action for purposes of prevention, detection or investigation of an offense by the concerned relevant body.
We have trained our contractors on our principles and policies based on the Kenyan Data Protection Act 2019 and GDPR framework.
Go Gaga Experiential has developed a contractor code of conduct, which enables contractors to own and resolve key data protection challenges. Go Gaga Experiential sees this as a way of demonstrating accountability and encouraging its partners to be compliant.
Using the Go Gaga Experiential-approved code of conduct gives assurance that the code and its monitoring are appropriate and will help companies to meet GDPR expectations.
Codes of conduct should reflect the requirements of different data processing dynamics and take account of the specific needs of small and medium sized enterprises.
A code of conduct will describe the appropriate monitoring mechanisms and (where applicable) how the monitoring KPI meets compliance as part of the code approval process.