Read The Legal Stuff

HER BUSINESS REVOLUTION PRIVACY POLICY


We are advocates of data protection and effective privacy controls.


This Privacy Policy together with our Terms of Use and any other documents referred to in it sets out how HER Business Revolution uses and protects any information that you give us when you use www.herbusinessrevolution.biz (the “Website”).


Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.


Who are we?


For the purposes of the Data Protection Act 1998 and the General Data Protection Regulations (“Data Protection Legislation”), HER Business Revolution is the ‘data controller’ and the ‘data processor’.


HER Business Evolution CIC (13795872) and HER Business Revolution LTD (11491481) - Trading as HER Business Revolution. Registered Office: 72 Godfrey Road, Spixworth, Norwich NR10 3NL (England & Wales). Trading Office: Blofield Business Centre, Woodbastwick Rd, Blofield Heath, Blofield, Norwich NR13 4RR. VAT Registration Number 375 5822 66.


What are our key privacy principles?


HER Business Revolution adheres to the following principles in order to protect your privacy:


1. we do not collect more personal data (i.e. information that can identify you) than is necessary;


2. we do not use your personal data for purposes other than those specified when you provided that data;


3. we do not keep your personal data if it is no longer needed; and


4. we do not send your personal data to third parties.


What personal data do we collect from you?


Whilst you can use the Website without giving out your personal data, once you contact us via the Website, HER Business Revolution collects information about you, which may include:


  • Your name;
  • Address;
  • Email address;
  • Telephone numbers (including mobile);
  • Social media details (for example, Twitter, Facebook, LinkedIn, Slack web addresses / contact details / profile links).


For any areas of the Website which require login details, we may also capture ‘Forgotten Password’ details (e.g. Mother’s maiden name) to assist with password recovery. Any payment details processed and/or retained pursuant to the provision of our services will be processed in accordance with all applicable laws and regulations.


We may also collect technical information about you when you visit the Website. This information may include the Internet protocol (IP) address used to connect your computer to the Internet, your browser type and version, time zone setting, operating system and platform, and browser plug-in types and versions. Information about your visit(s) to the Website may also be collected. The collected information is used to provide an overview of how people are accessing and using the Website. It is not used for any additional purpose, such as to profile those who access the Website.


What do we do with the information we collect?


We may use your personal information:


  • to process order requests for our services and to effectively provide our services;


  • to give you information that you request from us and to improve our services;


  • to notify you about changes to our services;


  • to allow us to operate the Website efficiently;


  • any relevant troubleshooting, testing or statistical analysis as appropriate;


  • and to keep the Website secure.


We may, where we have obtained your express permission, also use the information collected to:


  • provide you with information about our services that we offer via promotional emails;


  • keep you up to date with features on the Website; and


  • permit selected third parties to provide you with information about goods or services they feel may interest you (a list of such third parties is available on request).


You can opt-out of any of these data uses at any time by emailing admin@herbusinessrevolution.biz. We will only keep your information for as long as reasonably required (up to a maximum of three years), or as stated in the contract you have with us.


Please note that we will be unable to process any orders for our services if you do not provide us with your name, address and contact details.


How do we protect your personal data?


When we collect information about you, we also make sure that your information is protected from unauthorised access, loss, manipulation, falsification, destruction or unauthorised disclosure. This is done through appropriate technical measures.


However, you should be aware that providing information over the internet can never be guaranteed as being completely safe and if you choose to send such information to us via the internet, you do so at your own risk.


How can you access the personal data we have on you?


You have the right to request access to the personal information we have relating to you. You can do this by contacting us at admin@herbusinessrevolution.biz. We may make a small charge for information requests if we reasonably consider them to be excessive. In order to comply with your request, we may ask you to verify your identity.


We will fulfil your request by sending a copy of your personal data electronically, unless the request expressly specifies a different method.


How can you correct or delete your personal data?


If you believe that the personal data we have about you is incorrect, you are welcome to contact us so we can update it and keep your data accurate. Any data that is no longer needed for the purposes specified will be deleted. If at any point you wish for us to delete information about you, you can simply email us at admin@herbusinessrevolution.biz.


When and how can we update this Privacy Policy?


We may revise this Privacy Policy at any time by updating this webpage. We regularly review our Privacy Policy and strive towards making it better.


Please check this page from time to time for any changes. Please note that where you have provided your consent to certain data processing activities we won’t change this Privacy Policy in a way which would affect these consents without seeking your permission first.


We recommend that you print a copy of this page for your reference.


How do we use cookies?


This Website uses cookies to help us recognise different users of the Website and to provide users of the Website with a good experience when using it. Please see our Cookies Policy for further information.


How can you make a complaint?


Please note that if you are not satisfied with the processing of your personal data as set out in this Privacy Policy, you have the right to issue a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/).


How can you contact us?


Please contact us at admin@herbusinessrevolution.biz if you have any questions, comments or requests regarding this Privacy Policy.


Last updated January 2022

HER BUSINESS REVOLUTION COOKIES POLICY


Our Website: www.herbusinessrevolution.biz (the “Website”) uses cookies to distinguish you from other users of the Website. This helps us to provide you with a good experience when you browse the Website and also allows us to improve the Website.


IF YOU DO NOT CONSENT TO THE COOKIES USED ON THE WEBSITE, YOU MUST DISABLE THEM OR REFRAIN FROM USING THE WEBSITE.


What is a cookie?


A cookie is a small file of text and numbers which is created by the Website. When you visit the Website, the cookie is attached to your computer or other device but does not access your hard drive on your computer. If you revisit the Website, the cookie will be recognised by the Website.


Cookies are widely used to do things such as identifying the type of device you are using (PC or a phone for instance) to access the Website, store items in the shop basket and help you navigate pages more easily. They can also help you translate web pages, log into the Website or remember your region or country preferences. Cookies can also be used to help us find out how people use the Website and the number of visitors to it.


Cookies are not harmful to your computer and do not pose a security or virus risk to your computer, nor do they store any personally identifiable information about you. If you would like to know more about what cookies are, or how to control or delete them, then you may choose to visit www.aboutcookies.org for more detailed guidance.


What cookies do we use?


There are several types of cookies which we may use from time to time:


  • Necessary cookies. These are necessary for the Website to function. If you do not allow these cookies, the Website will not operate for you.


  • Performance cookies. These cookies allow us to recognise visitors to our Website and to see how they use it. We also use these cookies to help us improve the way in which the Website works, for example, making it easy for people to find what they are looking for.


  • Functionality cookies. These are used to remember you when you revisit our Website, and enable us to personalise content for you, welcome you by name or to remember your preference such as your language choice or region.


  • Targeting cookies. These cookies will record your visit to the Website, pages you visited and any links that you followed. Generally, this information is used to make the Website and any advertising relevant to your interests, but it may also be information which we share with a third party.


The cookie specifications for this Website are as follows:


Google Analytics


We use Google Analytics to collect information about how visitors use and access the Website. This information is used to compile reports to help us improve the site performance and your user experience. Google Analytics uses first party cookies to report on visitor interactions. These cookies collect anonymous information about visitors such as: number of visitors, new or returning visitors, referring sites and pages they have visited. Google Analytics uses the following cookies as detailed below:


Name: _utma

Provider: Google Analytics

Type: 1st Party, Persistent Cookie

Duration: 2 years from last update

Purpose: This cookie is used to determine unique visitors to the Website. It is written the first time a user visits the site and is updated with each visit. If deleted, a new unique cookie will be written during the next visit.


Name: _utmb

Provider: Google Analytics

Type: 1st Party, Persistent Cookie

Duration: 30 mins after the last update/visitor inactivity

Purpose: This is used to establish and to continue a user session on the site. Each time a user visits a different page on the site the cookie is updated. If you have deleted this cookie, a new one is written and a new session is established each time you visit.


Name: _utmc

Provider: Google Analytics

Type: 1st Party, Session Cookie

Duration: Expires on exit of session

Purpose: This cookie is operated in conjunction with the _utmb cookie to determine whether or not to establish a new session for the user and expires when exiting the site.


Name: _utmz

Provider: Google Analytics

Type: 1st Party, Persistent Cookie

Duration: 6 months from set/update

Purpose: This cookie stores the referral type used by the visitor to reach the Website, whether via a direct method, referring link, site search, or campaign such as AdWords or an email link. It is used to calculate search engine traffic, ad campaigns and page navigation within the site. The cookie is updated with each page view on the site.


Name: _utmv

Provider: Google Analytics

Type: 1st Party, Persistent Cookie

Duration: 2 years from set/update

Purpose: This cookie is used to analyse custom user segments and is used for displaying custom statistical information in Google Analytics on site visitor trends and usage patterns.


You can find out more about Google’s position on privacy with regard to its analytics service at: http://www.google.com/intl/en/analytics/privacyoverview.html


Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical or performance cookies or targeting cookies.


How can you manage cookies?


Most browsers automatically accept cookies, but you can usually disable cookies by adjusting your browser settings.


Please note that if you do turn cookies off, this may limit the service that we can provide to you and may affect your experience of the Website.


If you have any queries concerning your personal information or any questions on our use of cookie data, please contact us at admin@herbusinessrevolution.biz.


Last Updated: January 2022

DATA PROTECTION POLICY


1. Document Control


Document owner: Serena Fordham, Founder and Managing Director

Prepared by: John Fordham, Glow Virtual Assistants Operation Manager

Reviewed by: Serena Fordham, Founder and Managing Director

Approved by: Serena Fordham, Founder and Managing Director

Approved on: 7th May 2019. Next review date: 1st April 2022

Reference: DPP_001. Version: 1.0. Classification: Public

Distribution list: Managing Director (to approve and authorise); All Staff (to understand and comply)

Communication: The Data Protection Policy is communicated to all members of staff via email and data protection awareness training.


2. Introduction


HER Business Revolution recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is processed in compliance with this regulation.


This Data Protection Policy is written specifically to ensure appropriate compliance with the GDPR and has used the ICO self-assessment guidance for small organisations as at February 2018 for guidance as to the requirements.


HER Business Revolution has adopted the GDPR compliance requirements of the ‘Data Controller’ and ‘Data Processor’.


3. General Statement of HER Business Revolution Scope


HER Business Revolution processes relevant personal data regarding their members of staff, their clients and their client’s customers, or their client’s prospective customers, as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.


Should the scope of the business undertaken by HER Business Revolution change, this Policy will be updated to reflect the changes in relation to compliance with the GDPR.

HER Business Revolution operates within the European Union and (from March 2020) is expected to be operating in North America also.


4. Contracts with Data Controllers


HER Business Revolution may maintain signed contracts with its clients who are operating as Data Controllers under the GDPR for the purpose of this Policy.


The HER Business Revolution / client contracts grant HER Business Revolution the ability to use sub-processors for the processing of some personal data related tasks such as email marketing.


5. Contracts with 3rd Party Data Processors


HER Business Revolution may use 3rd party data processors such as those specialising in email marketing. HER Business Revolution has signed up to the standard contractual requirements of these processors. Such processors are striving to be GDPR compliant and are only based within the EU.


6. Data Protection Officer


HER Business Revolution has not appointed a Data Protection Officer as it is not required to do so under the GDPR.


Rather, each member of HER Business Revolution staff is expected to understand and comply with this Policy whilst undertaking the processing of personal data.


7. Data Protection Training


HER Business Revolution undertakes appropriate and reasonable data protection training with its employees. The training focuses on the practical, day to day aspects of data protection in the context of the GDPR.


The training is provided for all employees as a dedicated training session during periodic team meetings. Staff not attending are provided with separate training as appropriate.


8. The Principles


HER Business Revolution shall so far as is appropriate and is reasonably practicable comply with the GDPR principles contained in Article 5 of the regulation which sets out the main responsibilities for organisations.


These state that personal data should be:


a) processed lawfully, fairly and in a transparent manner in relation to individuals;


b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;


c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;


d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;


e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and


f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


9. Definitions


Not applicable.


10. Personal Data


Personal data covers facts about an individual where that data identifies an individual. For example, it includes information necessary for:


  • employment such as the member of staff’s name and address and details for payment of salary;


  • raising of client invoices for the payment of activity undertaken on behalf of the client; and


  • the identification of client’s customers and prospective customers for marketing purposes.


11. Processing of Personal Data


Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.


Where HER Business Revolution processes personal data for direct marketing purposes either for its own benefit or under the instruction of clients, data subjects have the right to request an opt-out to these activities, which will be respected.


HER Business Revolution client direct marketing lists have been constructed using the double opt-in approach.


12. Sensitive Personal Data


HER Business Revolution does not process sensitive personal data as is defined in the GDPR.


If this position changes, this Policy will be updated.


13. Rights of Access to Information


Data subjects (HER Business Revolution staff, clients, client’s customers and prospective customers) have the right of access to information held by HER Business Revolution, subject to the provisions of the GDPR and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to HER Business Revolution.


HER Business Revolution will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the attention of HER Business Revolution and in compliance with the regulation.


The HER Business Revolution Managing Director is to be notified of all requests for information access.


14. Data Sharing


HER Business Revolution recognises that it is important that data entrusted to the business is only used for the purposes intended and that it is not shared beyond the consent received.


Where data relates to HER Business Revolution clients, data consents are captured in the contract with the client.


Where data relates to HER Business Revolution client customers or prospective customers, the individuals are informed at outset as to how their data will be used and whether it will be shared. Sharing of data would require consent.


Staff will notify the Managing Director of any data access request (where the data subject has requested access) for further review and consideration. No requests will be processed until the Managing Director has granted permission to proceed.


Where a contractually bound client requests the sharing of their customer or prospective customer data in the normal course of business, this request will be fulfilled without recourse to the Managing Director.


Any other form of data request should be referred to the Managing Director for review.


A log will be maintained of data sharing requests which fall outside of the normal business processing.


15. Data Transferability


HER Business Revolution supports the ability of data subjects to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The process to be employed to facilitate such requests would be assessed at the time to ensure they were appropriate and reasonable whilst maintaining compliance under the GDPR.


16. Automated Decision Making


HER Business Revolution does not undertake personal data automated decision-making including profiling.


17. Accuracy


HER Business Revolution will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.


Periodically, under the direction of or agreement from the clients of HER Business Revolution, client prospective customer marketing lists will be reviewed to ensure the data remains appropriate and up to date. This process may involve the client’s prospective customer being contacted to ascertain whether they wish to remain on the lists, or to be deleted.


In addition, an annual Information Audit is undertaken to identify all sources of data, how and where the data is stored, used and deleted. This information audit is used to ensure that data held remains relevant, accurate and up to date.


18. Enforcement and Personal Data Breaches


If an individual believes that HER Business Revolution has not complied with this Policy or acted otherwise than in accordance with the GDPR, the member of HER Business Revolution staff aware of the grievance should raise the issue with the Chief Executive Officer (Managing Director). The grievance should also be notified to the ICO.


The grievance will then be monitored to a satisfactory conclusion by the Managing Director with any remedial actions and training being identified and implemented. Satisfactory closure includes closure of the grievance by the ICO.


19. Information Risk


HER Business Revolution manages information risk through the identification of areas of risk and the adoption of appropriate measures and processes to mitigate the risk. For example, the annual Information Audit is used to identify what data is stored, where, how it is used etc.


One audit output is the identification of data flows from which information risk assessments are completed.


HER Business Revolution manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively, applying appropriate and reasonable mitigation processes.


Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes and risk mitigation.


20. Data Protection Impact Assessment (DPIA)


HER Business Revolution will undertake DPIAs, implementing appropriate and reasonable measures, as a matter of its ongoing business and as developments occur, such as new clients, technology or processes.


21. Information Security


HER Business Revolution will take appropriate technical and organisational steps to ensure the security of personal data.


All staff will be made aware of this Policy and their duties under the GDPR.


HER Business Revolution and its staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.


An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems.


Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes.


22. External Processors


HER Business Revolution must take reasonable and appropriate steps to ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this Policy and the relevant legislation.


23. Secure Destruction


When data held in accordance with this Policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

Secure destruction of data will take place within the timescales agreed with the HER Business Revolution client, acting as Data Controller under the GDPR, including contractual timescales, if this is appropriate.


The frequency of the secure destruction of data will depend upon it being an ad hoc request from a HER Business Revolution client, or during the Information Audit.


24. Data Processing Suppression Requests


HER Business Revolution clients, acting as Data Controllers under the GDPR, may request HER Business Revolution to suppress the processing of specific data at any point. HER Business Revolution will react to these requests as is reasonable and appropriate, ensuring that the client’s wish is met.


It is not in the commercial interests of HER Business Revolution to continue processing data which is not required by the client, nor would it be compliant with the GDPR.


25. Retention of Data


HER Business Revolution may retain data for differing periods of time for different purposes as required by clients, best practice or regulation.

HER Business Revolution may store some data indefinitely, such as client invoices and staff salary records.


26. CCTV


HER Business Revolution does not currently operate CCTV.


Last Updated: January 2022

INFORMATION SECURITY POLICY


1. Document Control


Document owner: Serena Fordham, Founder and Managing Director

Prepared by: John Fordham, Glow Virtual Assistants Operation Manager

Reviewed by: Serena Fordham, Founder and Managing Director

Approved by: Serena Fordham, Founder and Managing Director

Approved on: 7th May 2019. Next review date: 1st April 2022

Reference: ISP_001. Version: 1.0. Classification: Public

Distribution list: Managing Director (to approve and authorise); All Staff (to understand and comply)

Communication: The Information Security Policy is communicated to all members of staff via email and information security awareness training.


2. Introduction


HER Business Revolution has an ethical, legal and professional duty to ensure the information it holds conforms to the principles of confidentiality, integrity and availability. In other words, the information HER Business Revolution is responsible for is safeguarded where necessary against inappropriate disclosure, is accurate, timely and attributable, and is available to those who should be able to access it.


This Information Security Policy outlines HER Business Revolution’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of data and information systems.


HER Business Revolution considers information to be a strategic asset that is essential to its core business and objectives. It has a responsibility to manage effectively the risks around protecting the confidentiality, integrity and availability of its data and in complying with all statutory, regulatory and legal requirements.


HER Business Revolution recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is stored and processed in compliance with this regulation.


3. Statement of Intent


The main purpose of this Policy is to describe the minimum level of protection that HER Business Revolution expects of all HER Business Revolution information systems to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.


A secondary but very relevant purpose of this Policy is to ensure that all users understand their responsibilities for protecting the confidentiality and integrity of the data that they handle, including making users aware of relevant legislation.


The overarching objectives set out in the Policy are:


  • To support the business objectives in a flexible and effective way


  • To maintain adequate regulatory compliance


  • To protect HER Business Revolution information assets


  • To maintain business continuity


The policy of HER Business Revolution is to protect information systems from unauthorised access, use, disclosure, destruction, modification, disruption or distribution.


The HER Business Revolution Senior Management will ensure business, legal, regulatory requirements and contractual information security obligations are met.


The information security management system will be monitored regularly, with reporting of the status and effectiveness at all levels.


4. General Statement of Scope


This Policy is applicable to, and will be communicated to, all staff of HER Business Revolution and HER Business Revolution clients who interact with information held by HER Business Revolution and the information systems used to store and process it.


5. Roles and Responsibilities


5.1 Responsibilities of every user of HER Business Revolution IT resources


5.1.1 Appropriate use of IT resources


HER Business Revolution staff and any other authorised users of HER Business Revolution IT resources are expected to meet the acceptable usage policies and related terms and conditions of the services provided by HER Business Revolution and by any 3rd party on our behalf under licensing agreements.


5.1.2 Confidentiality of passwords


Users must manage passwords with care and processes should be in place to ensure confidentiality from the initial creation, storage in applications, communication and day to day usage.


5.2 Responsibilities specific to every staff member of HER Business Revolution


5.2.1 Appropriate use of IT resources


All employees and any third parties authorised to use HER Business Revolution systems are accountable for understanding and following HER Business Revolution information security policies, as well as promoting safe practices within their teams and monitoring compliance.


5.2.2 Asking for help, reporting a concern


All employees and authorised third parties are responsible for asking for assistance when in doubt about how to proceed or interpret a policy and also to report any concern or suspect activity encountered.


5.3 Responsibilities specific to managers


5.3.1 Fully understand the data, people, systems and processes


HER Business Revolution managers are expected to identify the data and systems under their remit and, where appropriate and reasonable, accept accountability for its protection.


Managers will make informed decisions on risks and appropriate levels of protection, on behalf of HER Business Revolution.


5.3.2 Setup resilient business processes


HER Business Revolution managers should ensure that risks are mitigated through the introduction of resilient and robust business processes. Managers should ensure that they and their teams (where appropriate) are security savvy, ensuring that responsibilities regarding protecting systems and data are adequately communicated.


5.3.3 Oversee their teams and systems are effective


HER Business Revolution managers should actively, regularly and demonstrably verify what their reports are doing and how systems under his/her supervision are functioning.


5.3.4 Monitor the 3rd party with access to HER Business Revolution systems and data


HER Business Revolution managers should ensure any subcontractor employed for a particular function will meet the requirements specified (on selection and on an ongoing basis) and accept responsibility for their actions.


5.4 Responsibilities of senior management


5.4.1 Risk ownership


The Managing Director owns the overall risk management process, and the prioritisation and acceptance of risks. Risks are generally identified “bottom up” from each staff member and “top down” from the Managing Director in a two‐way flow.


5.4.2 Risk Acceptance


HER Business Revolution managers have the accountability for taking a stance on risks within their authority (or escalating if a risk exceeds it) and ensuring the business operates in line with the Managing Director’s expectations and within regulation.


5.4.3 Risk Treatment


All HER Business Revolution staff will help to identify and mitigate risks. The Managing Director will take advice from these and other sources in assessing and managing risk. Ultimately, the responsibility for risk lies with the Managing Director.


5.4.4 Policies and education


The Managing Director and managers are responsible for communicating acceptable levels of risk and mitigation practices to all HER Business Revolution staff and authorised 3rd parties via policy, standards and awareness programs.


5.4.5 Incident response


The Managing Director and managers are responsible for effectively responding to significant information security related incidents.


5.5 Responsibilities specific to 3rd party providers


5.5.1 Meeting terms of service/contract agreements, right to audit


The 3rd party shall adhere to the IT acceptable usage policy as well as any other requirements specified in the service contract.


6. Policy


6.1 Organisation of information security


6.1.1 Ultimate accountability for security


The Managing Director has the ultimate accountability for implementing information security at HER Business Revolution.


6.1.2 Information security reviews


A regular review of information security shall be established and led by the Managing Director. The review will be completed annually.


The Managing Director and all HER Business Revolution staff will review and discuss information security issues at regular team meetings, including delivering policy and awareness training / updates.


6.1.3 Information Security Manager


It is not currently appropriate for HER Business Revolution to have the role of Information Security Manager due to the small scale of the business.


6.1.4 Segregation of duties


Conflicting duties and areas of responsibility are unlikely to arise given the current small scale of HER Business Revolution, with the exception of clients and staff matters / payments which are currently handled solely by the Managing Director. However, it is recognised by HER Business Revolution that duties should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the business assets.


6.2 Policy management, education and awareness


6.2.1 Policies as minimum expectation, need for risk management


Managing risks is an essential part of the business activity at all levels of management. The information security policies are the minimum expectation to address information security risks according to well established practice.


Management should assess the business, legal, contractual and corporate social responsibility risks and requirements in each relevant jurisdiction to decide on the need for additional controls or exceptions, and be able to justify and be accountable for these decisions.


6.2.2 Policy issuing, communication and updating


Policies and procedures for information security and data protection will be maintained, approved by management, published and communicated to employees and relevant authorised external parties. These Policies should be reviewed and updated at least annually.


6.2.3 Trust, but verify


The Policy statements are necessary but not sufficient on their own. HER Business Revolution staff should demonstrate the application of the controls and best practice.


6.2.4 Awareness and education on policies and procedures


The Managing Director and managers should ensure staff and external authorised parties working with HER Business Revolution systems and data are formally aware of and educated on the policies and procedures they must be compliant with. This is a fundamental step to establishing any individual’s accountability.


6.3 Human Resource Security


6.3.1 Acceptable use of UWL resources


Every employee and authorised 3rd party granted access to HER Business Revolution systems and/or data has a responsibility to use the systems and data in a secure manner, for HER Business Revolution business purposes, following HER Business Revolution policies and applying good judgment. Only approved hardware, software and data should be used to perform HER Business Revolution business, unless otherwise agreed.


6.3.2 Responsibility for reporting non-compliance


Users are responsible for reporting any concern on how the security processes are performing, any suspected or confirmed incident regarding unauthorized or incorrect use to their manager.


6.3.3 Management responsibility for security


Management is responsible for requiring their teams (where applicable) and contractors to apply information security according to established policies and procedures, and to monitor use within his/her teams, leading by example and ensuring their direct reports have been educated on policies and security practices.


6.3.4 Background checks on employees


HER Business Revolution is not of a scale to warrant checks on prospective employees. In general, existing employees have previously been known to the business and Managing Director.


6.3.5 Terms and conditions of employment


The contractual agreements with employees and contractors shall state their responsibilities for data protection and information security.


6.3.6 Enforcement of information security policies


The Managing Director is responsible for defining and communicating the disciplinary process applicable to employees who have committed an information security breach.


6.4 Data / assets management


6.4.1 Data classification


Each manager must identify the data being used for fulfilling their duties and adopt processes appropriate to protect the information according to its risk. It should be assumed that all information is critical.


6.4.2 Retention of information


HER Business Revolution will have processes in place to safely dispose of information as required by law or, within legal compliance, when it is no longer necessary to retain.


Generally, the only data stored by HER Business Revolution is stored electronically on local laptops, or stored with 3rd party software providers. When electronic data is required to be deleted, this is completed locally from laptops ensuring that all relevant data is removed, or is completed via the 3rd party software following their standard deletion routines.


In the rare instances that hard copy data is collected, it is the accepted practice to transfer the data to electronic systems with the original hard copy being destroyed / shredded. Where this practice is not appropriate and hard copies are retained, these are stored in a locked filing cabinet within a locked office.


Retention periods are generally defined by the Managing Director (for HER Business Revolution staff and client payment related data) and by the clients of HER Business Revolution (for client customer and prospective customer data), but always in accordance with the relevant regulation.


6.4.3 Safe storage, use and disposal of electronic media and surplus hardware


The current HER Business Revolution operating model is that each staff member is responsible for providing their own electronic media and hardware. Therefore, it is the staff member's responsibility to securely store and dispose of media and hardware using best practice, such as:


Storage, use:


  • Devices to be password protected.


  • Individual files to be password protected.


  • Devices to be stored securely when not in use, out of direct sight of windows etc.


  • Operating system to be kept updated with manufacturer recommended updates.


  • Only manufacturer approved and recommended software updates to be applied.


  • Operating system firewall to be turned on.


  • Anti-virus protection to be installed.


  • Regular sweeps for virus and malware to be conducted.


Disposal:


  • Device to be reset to factory settings to eliminate all traces of data.


  • Where possible, hard drive to be removed for destruction.


HER Business Revolution recognises the environmental impacts of the disposal of media and hardware and would employ best practice at the time of disposal to limit the impact.


Arrangements need to be dealt with on a case by case basis.


6.4.4 Use of removable media


HER Business Revolution accepts that in certain circumstances the use of removable media is necessary. Where this use is defined as being required, the media device should be reset to factory settings before and after use (to remove all traces of previous / current data). The use of encryption will be considered on a case by case basis. The removable media is to be securely stored.


6.4.5 Physical security, controlled areas


As referred to in 6.4.3 HER Business Revolution requires each staff member to ensure security of their hardware, systems and media, protecting them against intentional or accidental physical damage. Each staff member generally works remotely and as such HER Business Revolution does not have a single site requiring physical security or controlled areas.


6.5 Security by design, secure architecture, acquisition and development


6.5.1 Governance on approved technology and security design principles


Should the use of new technology be required in a specific project or assignment, generally the Managing Director will determine if the suggested approach and technologies are acceptable for HER Business Revolution.


6.5.2 Information security in new projects


Information security shall be considered for any new project which falls outside of the standard processing techniques or systems.


6.5.3 Separation of Environments


Due to the nature of the current HER Business Revolution business model, system environments, for example test and production, are not required.


6.5.4 Protection from malware


As referred to in 6.4.3 the default approach is that all HER Business Revolution hardware should have detection, prevention and recovery controls to protect against malware combined with appropriate user awareness. Exceptions need to be formally approved on a case by case basis by the Managing Director.


6.5.5 Minimum security features in systems


Systems should be developed/acquired and configured with the security features necessary to enable enforcement of the following:


  • Staff and authorised users can only access data and functionality for which they are authorised.


  • Accountability for usage is maintained via appropriate audit trails.


6.5.6 Installation of software, patching


As referred to in 6.4.3 manufacturer approved / recommended software updates should be kept current. To facilitate this, ‘updates’ should always be set to auto-update.


6.5.7 Testing of security


Whilst HER Business Revolution has no formal security testing procedure, staff are aware that periodically senior staff may undertake testing of security as part of the regular business as usual.


6.6 Technical and operational security


6.6.1 Control requirements for remote and mobile access / working


HER Business Revolution staff generally operate remotely and, as such, there are no additional control requirements for remote access.


With regards to mobile access and working, staff are required to be aware of their surroundings and take any appropriate measures to ensure security, including but not limited to, the physical security of the hardware and data.


6.6.2 Encryption of data


HER Business Revolution does not currently regularly encrypt data unless it is required for specific projects. Data is generally transferred electronically through known channels / systems. Where there are exceptions to this, the circumstances and need for encryption will be determined on a case by case basis.


6.6.3 Logging and auditing


As such, HER Business Revolution does not actively log or audit systems use due to the nature of the business model as previously described. Therefore, only manufacturer, software or 3rd party logging is completed. For example, website hosting provided by third parties maintains an audit of changes to pages and content.


6.6.4 Physical and environmental security


As previously described in this Policy, it is the responsibility of staff to provide physical and environmental security for devices, hardware and hard copies of data. Exceptions to this are considered on a case by case basis.


6.6.5 Data backup and restore procedures


A 3rd party storage provider (currently “Google Drive”) is used by HER Business Revolution for the storage of the majority of client files. Other data, for example client customer data, is stored on a variety of other 3rd party systems and these will maintain their own backups.


System backups and restore procedures are not performed explicitly by HER Business Revolution, rather, these are inherent in the operating systems and software employed by the business.


6.7 Access management


6.7.1 Due diligence before granting access


Access to systems and information, including setting up permanent network connectivity solutions, will be granted to employees and third parties/service providers only after a due diligence assessment has been performed and after the employment or service contracts, including confidentiality and accountability clauses, have been agreed in writing.


6.7.2 User accountability for security


All employees and third parties using HER Business Revolution systems are accountable for understanding and following HER Business Revolution security policies, in particular on how to protect their accounts and passwords from misuse. All employees are expected to report any concern or potential suspect activity they may encounter.


6.7.3 Privileged access to systems


All privileged/administrator activity (e.g., providing access to data, maintenance, and support) will be traceable to the individuals through the 3rd party software / system providers' routines.


6.8 Incident management


6.8.1 Incident response


HER Business Revolution incident management will be maintained by the Managing Director or the manager designated for dealing with such incidents. The incident response will be determined on a case by case basis.


6.8.2 Contact with authorities


Appropriate contacts with relevant authorities and external parties shall be maintained. In case of an incident, contacts will be nominated who are authorised to liaise with authorities and external parties.


6.8.3 Responsibilities of staff


If a member of the HER Business Revolution staff is aware of an information security incident then they must report it to the Managing Director.


6.9 Continuity management


6.9.1 Secure operations in contingency


People, assets and information services need to be protected in a disaster situation. Should such situations arise, each will be treated on a case by case basis.


6.9.2 Business management responsibility for security


All HER Business Revolution staff are responsible for security and, where appropriate, the availability of systems/data.


6.10 Compliance, validation and certification


6.10.1 Compliance with the law


HER Business Revolution and each of its employees is accountable for operating within the law, and it is their responsibility to be aware of legal and contractual requirements and implement the controls within their remits to comply.


6.10.2 Information security in contracts with 3rd parties


HER Business Revolution contracts with 3rd parties, including contracts with HER Business Revolution clients, will contain appropriate security and regulatory or contractual obligations.


Where HER Business Revolution has no powers to set or amend the contractual wording of 3rd party providers, the appropriateness of each contract will be considered on a case by case basis.


6.10.3 Supplier service delivery management


The HER Business Revolution Managing Director and / or staff members assume responsibility for monitoring and reviewing supplier service delivery where this is appropriate.


6.10.4 Management controls


When appropriate, HER Business Revolution managers should review the compliance of information processing and procedures within their area of responsibility with this security policy.


6.10.5 Internal and independent security reviews


Internal security reviews may be undertaken at the instruction of the Managing Director.


Independent security reviews are considered unlikely to be required given the current HER Business Revolution business model, however they remain an option should an appropriate situation arise.


Last Updated: January 2022

RECORDS MANAGEMENT POLICY


1 Document Control


Document owner: Serena Fordham, Founder and Managing Director

Prepared by: John Fordham, Glow Virtual Assistants Operation Manager

Reviewed by: Serena Fordham, Founder and Managing Director

Approved by: Serena Fordham, Founder and Managing Director

Approved on: 7th May 2019. Next review date: 1st April 2022

Reference: RMP_001. Version: 1.0. Classification: Public

Distribution list: Managing Director (to approve and authorise); All Staff (to understand and comply)

Communication - The Records Management Policy is communicated to all members of staff via email and records management awareness training.


2 Introduction


HER Business Revolution recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is processed in compliance with this regulation.


This Records Management Policy is written specifically to ensure appropriate compliance with the GDPR and has used the ICO self-assessment guidance for small organisations as at February 2018 for guidance as to the requirements.


3 General Statement of HER Business Revolution Scope


HER Business Revolution processes relevant personal data regarding their members of staff, their clients and their client’s customers, or their client’s prospective customers, as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.


Should the scope of the business undertaken by HER Business Revolution change, this Policy will be updated to reflect the changes in relation to compliance with the GDPR.


HER Business Revolution operates within the European Union and (from March 2020) is expected to be operating in North America also.


4 Purposes of this policy


HER Business Revolution records are important sources of HER Business Revolution and client information, and therefore crucial to the current and future operations of the business.


This Policy has been implemented to help the business:


  • Meet its legal obligations under the appropriate regulations,


  • Support the objective of maintaining the business as an effective and developing going concern; and


  • Manage information resources effectively, by making sure records can be located, accessed, interpreted, trusted and maintained.


The Managing Director and managers of Her Business Revolution believe that administrative and management processes benefit from a system of records management that enables it to meet the purposes listed above.


This Policy should be read in conjunction with the Data Protection Policy and the Information Security Policy.


5 Scope of this Policy


The Managing Director has the overall responsibility for the implementation of this policy in the business, with day-to-day responsibility delegated to the managers and other staff.


A record is information created, received and maintained as information by HER Business Revolution or its staff in pursuance of the transaction of business. Records can be in either paper or electronic format and both formats are covered by this policy.


This document sets out the overall framework within which staff should manage records.


Should it become necessary, the Managing Director or designated manager will produce operational procedures and guidance to help members of staff implement the objectives of this policy.


6 Responsibility for Records Management


All members of staff who create, store, receive and use records must:


  • Treat all records as a Her Business Revolution resource;


  • Ensure as far as practicably possible that records are accurate and filed in such a way that they can be easily located, either electronically or physically;


  • Keep records no longer than they are needed;


  • Keep confidential records in a secure environment;


  • Keep records stored in a safe and cost-effective way;


  • Allow people to access information only if they need or have a right to do so;


  • Create records that are accurate and that do not defame another individual or expose the business to unnecessary risk, and not tamper with records in a way that risks them becoming inaccurate;


  • Save long term records in an open source or archival format to ensure readability even if systems change.


Where appropriate, managers are responsible for ensuring that the actions listed above are communicated to, and carried out by, the members of staff whom they manage.


All staff shall ensure that records kept are secure and in line with the Information Security Policy and relevant regulation. In addition, staff developing new procedures for records management will take account of the Information Security Policy.


The Managing Director and designated managers will advise on records management procedures and best practice and provide guidance on how to achieve best practice.


The Managing Director will be responsible for HER Business Revolution being compliant with regulations and professional standards which are relevant to the area of records management.


7 Standards and Processes


The following standards and processes are employed by HER Business Revolution in relation to records management undertakings:


7.1 Creation and storing of records


7.1.1 Her Business Revolution client records


Paper or electronic records related to HER Business Revolution clients, or potential clients, can only be established with written consent from the client, typically this will be in the form of a signed contract. Any deviation from this standard will be on a case by case basis and with the approval of the Managing Director or a designated manager.


7.1.2 Client customer records


Paper or electronic records related to Her Business Revolution client customer data, or client prospective customer data, can only be established with written consent from the client, typically this will be in the form of a signed contract. Any deviation from this standard will be on a case by case basis and with the approval of the Managing Director or a designated manager.


7.1.3 Permissions capture


Where client customer or prospective customer data is being captured electronically, typically through sign up forms on websites, the standard HER Business Revolution approach is to use ‘double opt-in’ which is compatible with the GDPR principles. The use of double opt-in is accepted by existing clients and will be the approach recommended to new clients going forward.


Where client customer or prospective customer data is being captured manually, once collected, the manual records are captured electronically with a double opt-in request subsequently being issued.


7.1.4 Manual and electronic record keeping systems


HER Business Revolution has no regular requirement for manual record keeping.


HER Business Revolution electronic record keeping largely comprises data related to staff (e.g. for salary payment), to clients (e.g. for raising of invoices, access to software and systems) and to client’s customers or prospective customers (e.g. for marketing purposes).


Electronic data is stored across a number of systems. HER Business Revolution will conduct an information audit with associated data flows to identify the systems on which it has data stored. The information audit is retained centrally and updated at least annually.


7.1.5 Data is accurate, adequate, relevant and not excessive


HER Business Revolution will strive to ensure that the personal data it collects is accurate, adequate, relevant and not excessive.


Where data relates to HER Business Revolution staff and clients, only the minimum required to perform the relevant task is collected and stored.


Where data relates to a client’s customers or prospective customers, HER Business Revolution staff will work with the requesting client to ensure that the data is fit for purpose and is not excessive, raising any concerns with the Managing Director for further consideration.


7.1.6 Movement of manual records


Manual records are not in general required. Should manual records become a requirement, they will be maintained and destroyed in line with regulation.


7.2 Retention and deletion of records


HER Business Revolution will only retain records for the purpose of its business, that is, records related to HER Business Revolution staff and for the completion of client instructed tasks, within regulatory guidelines.


Deletion of records will employ best practice as is appropriate at the time. Generally, manual records will as a minimum be shredded, with electronic records being deleted and removed from any history files (deletion from 3rd party systems will utilise the 3rd party deletion routines).


8 Training


The Managing Director and designated managers will be responsible for organising an appropriate amount and level of records management training for relevant members of staff.


Training will be delivered periodically alongside related training (Data Protection and Information Security).


Training will be tailored to meet the requirements for the induction of new staff and refresher training for existing staff.


The training will be allocated a dedicated agenda item at the regular HER Business Revolution team meetings.


9 Contractual Requirements


Written agreements with clients and with 3rd party service providers will include information security conditions where this is considered to be appropriate.


Where HER Business Revolution has control over contractual arrangements, for example, contracts with its clients, HER Business Revolution will endeavour to ensure that appropriate information security conditions are considered and accepted.


Where HER Business Revolution generally has no control over contractual conditions with 3rd party service providers, HER Business Revolution will review the contractual terms and consider on a case by case basis whether it is appropriate to agree to the terms or to seek another provider.


Last Updated: January 2022

SUPERWOMAN MEMBERSHIP CLUB & HER BUSINESS ELITE ACADEMY TERMS & CONDITIONS


Members are forbidden from sharing any login details, information, documents, content, videos, and similar, with anyone else. It should be used for personal use, and not copied or imitated in any way for any other purpose.


Members use the HER Business Revolution content at their own risk, and HER Business Revolution, and any associated companies, take no responsibility for any legal, financial, reputational, or similar consequences that arise from its use.


Membership payment is to be paid to HER Business Revolution in monthly or yearly intervals (depending on payment plan selected), and failure to pay will result in immediate termination of membership, and claiming of any monies owed to the company in full. In this case accessing or using any of the benefits associated with the HER Business Revolution Superwomen Membership Club and/or HER Business Elite Academy Programme will be prohibited until payment has re-commenced and monies owed have been claimed.


Membership cannot be cancelled at any time within the initial 12 month period following any trial or funded period (if applicable). Following the initial trial or funded term your membership will automatically renew, and it will automatically renew on an annual basis, if not cancelled in advance in writing via email. Upon cancellation in writing (or of the direct debit payment), any monies owed for the remaining membership term will be due immediately, of which failure of payment will result in legal action. It is the responsibility of the individual member to ensure that any payment subscriptions are cancelled within their own PayPal/Stripe/Bank accounts following written cancellation of any membership plan, and HER Business Revolution will not issue any refunds in such situations where additional payments have been taken due to any subscriptions/direct debits not being cancelled correctly.


HER Business Revolution has the right to remove members immediately from the membership club/academy programme if they are found to be misusing, damaging or having negative impact on the group or brand in any way, and also reserve the right to decline re-entry on this basis.


HER Business Revolution can remove, add, and amend content in the HER Business Revolution Superwomen Membership Club and/or HER Business Elite Academy Programme anytime without prior notice.


HER Business Revolution has the right to increase the price of the HER Business Revolution Superwomen Membership Club and/or HER Business Elite Academy Programme, or ask for extra payments for additional material or content, however sufficient prior warning will be given to all members in these cases. This includes the increase in price due to the addition of VAT or other taxes.


HER Business Revolution will always endeavour to do the best by its members and will always welcome feedback to improve products and services. Please contact us through our website at www.herbusinessrevolution.biz with any queries, comments or suggestions for improvement.


NatWest Funded HER Business Elite Academy Special Terms & Conditions


NatWest Funded HER Business Elite Academy members agree to the following when subscribing and accessing the funded programme – They MUST:


Have a brand new business idea, be a start-up business under 3 months old, or earn a maximum of £1,000 per year from your business, and not have been supported, coached or trained by HER Business Revolution within the last 3 months.


Be based in the Midlands, Norfolk, Suffolk or Cambridgeshire areas of the United Kingdom.


Follow the HER Business Elite Academy programme as instructed, and interact and communicate throughout the 12 weeks within the academy Facebook group.


Not share your login details with any third parties or divulge any sensitive information related to others involved in the programme.


Be committed to completing the 12 week HER Business Elite Academy, submitting the final feedback survey and providing a testimonial from your experience on the programme.


Allow HER Business Revolution to share your name, email address and any feedback you have provided to the funding provider.


Set up your subscription when you joined to receive your welcome email and login details. Should you not wish to continue with discounted additional training and coaching after this initial 12 week HER Business Elite Programme you are permitted to cancel your subscription immediately after the 12 week programme has ended.


Important – You understand that it is your responsibility to cancel your PayPal payment subscription and that if you do not do so before the 3 month anniversary date of your joining, the subscription will renew automatically with an £180.00 per year (RRP £360.00) membership fee for further coaching, training and support with our award-winning Superwomen Membership Club. You will continue to be charged this fee on an annual basis unless you cancel this payment subscription directly within your PayPal account. Also, cancelling your subscription prior to completing the academy programme and feedback survey will automatically lock you out of the HER Business Elite Academy Training Material Login Portal, and will mean that you will incur a repayment fee for the cost of the academy programme of £100.00 minimum.


The above Terms & Conditions do not affect statutory rights. By subscribing to the HER Business Revolution Superwomen Membership Club and/or HER Business Elite Academy Programme and paying the associated subscription fee, you automatically agree to them.


Last Updated: January 2022


Copyright © 2022 HER Business Evolution CIC (13795872) and HER Business Revolution LTD (11491481) - Trading as HER Business Revolution. Registered Office: 72 Godfrey Road, Spixworth, Norwich NR10 3NL (England & Wales). Trading Office: Blofield Business Centre, Woodbastwick Rd, Blofield Heath, Blofield, Norwich NR13 4RR. VAT Registration Number 375 5822 66