Data Protection Statement
Data Protection Statement concerning client data
Caterlyst is compliant with the data protection regulations and Data Protection Act, and we continually monitor and update policies and processes to ensure continued compliance with Data Protection Legislation and Regulations including the General Data Protection Regulations (GDPR) and Data Protection Act 2018. As part of the various services and products we offer our customers, including system maintenance, we may hold or have access to data that can identify individuals in order to be able to provide our customers with the services, products and support that are agreed through our contracts. In all instances, access to such data is controlled and limited to specific individuals.
Processing Information
Scope and purpose of processing
Personal data is held for the purposes of the provision of data, marketing and CRM services and related products. Client data held is obtained in support of contractual arrangements and is necessary under the ‘legitimate interests’ pursued by the controller (Caterlyst Ltd) as defined in article 6.1 of the GDPR. The facility to opt out of marketing communications remains, but excludes operational or pricing communications.
Nature of processing
Caterlyst Ltd does not undertake any automated decision making as defined by article 22 of the GDPR. Data will be processed internally by the marketing department for the purposes of objective and permission based marketing.
Duration of processing and retention
Caterlyst Ltd maintains personal data for the duration of contracts during the provision of data, marketing and CRM services and related products. Thereafter, the data will be held for a ‘reasonable’ period, depending on the nature of the relationship with the customer. The data will be deleted when the retention of that data can no longer be justified under the provisions of the Data Protection Act and is not overruled by competing legislation or regulations. The terms against which data are held vary and are dependent on the business cycle, regulations and legislation.
Requests for information
Persons whose data are held by Caterlyst Ltd and its associated companies may request their own data. These are called subject access requests. These should be submitted in writing to our postal address or via email to support@caterlyst.co.uk. We will need to verify the identity of the requestor and in the unlikely event there is substantial cost to Caterlyst Ltd in terms of retrieving the data, we may charge a maximum of £10. The regulations require us to respond within 28 days of the request.
Deletion of information
Persons whose data are held by Caterlyst Ltd and its associated companies may request that their data be permanently deleted as stated in Data Protection Regulations and Data Protection Legislation, and such requests will be complied with as soon as practicable where a customer no longer has a relationship with Caterlyst Ltd or its associated companies. Where a requestor continues to have a business relationship with Caterlyst Ltd or its associated companies, we may need to ensure that the requestor’s details are replaced with those of an alternative contact to enable the continued effective management of our relationship with our customers and partners. Any such requests should be submitted in writing to our postal address or via email to info@caterlyst.co.uk. We will need to verify the identity of the requestor in all circumstances.
Types of Personal Data
The personal data held will include: Name, Position, Telephone Number(s), email address.
No ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR) are held against any current, former or prospective (wholesale only) customers.
Categories of Data Subject
The data subjects whose data may be held by Caterlyst Ltd are restricted to existing, former or prospective customers of associated companies and associated contacts. These data fall under the category of ‘personal data’ and do not include any ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR).
Data sharing
There is no routine data sharing of client person-identifiable data. Where exceptions exist, these concern the management of systems where providers require sample data for the purposes of debugging systems or processes. In these circumstances we would implement a formal data sharing agreement to ensure the transaction is handled for the purposes of the ‘system fix’ and to obtain a legal platform to ensure that access, security and disposal of the data adheres to our requirements in terms of current and future ISO accreditation and Data Protection legislation.
Data hosting
The majority of our data is hosted in secure cloud/data centre environments accessible only through VPN. Our data is held within the EU, and where practicable these data will be held in a UK based environment. Access to all systems is managed through robust permission structures based on the requirement of the individual’s role, and these are regularly reviewed.
Risk management
- There have been no significant security incidents in the last 12 months.
- The organisational risk register contains all risks identified to date and these are managed as determined by our internal processes, reporting to the organisational risk management group.
Data Protection FAQs:
Caterlyst & GDPR on broader data assets
These FAQs concern our data assets, personal data assets as well as our own processing of client specific personal data. The former, personal data assets, constitute proprietary intellectual property, which is integral to our competitive advantage. While we are unable to disclose specific details other than for compliance purposes to a regulator, we can assure that our data is sourced from over 150 reputable and verified channels, ensuring the highest standards of accuracy and data protection compliance.
Do you have a process for reporting information security breaches that affect your clients to them in a timely manner?
Yes. In case of a security incident or breach, we will notify our clients immediately, and in no event later than 72 hours from when the incident occurred. Where there is an impact on the privacy or rights of the data subjects, we will also report it to the regulators no later than 72 hours from when the incident occurred.
Has your telephone list been cleaned against preference service suppression files?
Yes, we screen our telephone database against multiple Do Not Call (DNC) registries around the UK, including the DNC lists in the UK (TPS and CTPS).
Are staff required to do regular information security and data protection training?
Yes. All our employees need to take information security and compliance training when joining the company, and then on an annual basis.
Do you transfer data outside the EEA? If yes, which protections do you have in place?
We don’t currently transfer data outside the UK or EEA.
What is Caterlyst’s lawful basis to process the data?
We collect, process, and share our data under the lawful basis of legitimate interest and/or consent, as allowed under Section 6.1(f) GDPR. We have conducted all relevant assessments and have adequate measures in place to ensure compliance.
How does the data flow?
Caterlyst uses its own database to provide the services. Therefore, data flow is normally from Caterlyst to our customers.
It is only when our customers use specific functionalities that Caterlyst would receive limited data from the customers to match it with its database, and provide updated data to its customers.
However, data received from our customers under this functionality is limited to data we need to match with our records, and it is only used by Caterlyst to provide the services to such client. When customers are using those functionalities, the DPA included in our Terms of Service applies. Where data is added by clients, the client is the controller and Caterlyst is a processor of those data.
Is Caterlyst a controller or a processor under the services?
Each party acts as an independent controller of the data under the services, and processes the data for its own purposes. Thus, Caterlyst processes the data to provide its services, while our customers process the data for their own marketing/lead generation activities.
This is why each party is responsible for its own compliance with applicable data privacy and (in the case of our customers) marketing laws and regulations.
As mentioned above, it is only when customers use specific functionalities that Caterlyst acts as a processor on its customers’ behalf. Each of the parties’ roles and responsibilities under our services is clearly defined in our Terms of Service.
Notifications & Notified Data
Why is having a notified database important?
When collecting and processing data under the lawful basis of legitimate interest, data subjects need to be informed about the fact that a company, like Caterlyst, has their data so they can exercise any of their rights (including the right to opt out).
Caterlyst is one of the few data vendors that has notified its entire database and notifies any new individual who is added to our database within 30 days, as mandated by GDPR.
What happens when a company fails to comply?
When a company fails to comply with data privacy regulations, like GDPR, a warning may be issued and the company could face fines by the Regulatory Authority.
Do I need to comply with Data Privacy regulations?
Yes. As controllers of the data to be provided by Caterlyst, clients need to ensure that they are in compliance with all applicable regulations when using our data.
This would include, for instance, having a legal basis to process the data, having a privacy policy, an opt-out procedure, and notifying data subjects that they hold their data and what they do with it.
Data Sources
Where does it all come from?
We combine first party with third party sources to give you the best the market can offer.
- Proprietary Data Capture Mechanisms
This is our first data layer: community-sourced data. It comes from members of our community who allow us to match contact information stored in signature blocks to business professionals in our database.
- Publicly available information
We monitor publicly available information across millions of corporate websites, job postings, news feeds, and company registries to confirm business information and add an additional layer of accuracy.
- Strategic partnerships
We have formed strategic partnerships with premium-grade providers. This allows us to provide users with highly accurate supporting data and sales event triggers.
Data Validation & Maintenance
How do we keep it fresh and accurate?
Caterlyst’s data validation and maintenance formula:
Manual Research + Daily Database Updates = Coverage + Completeness + Correctness
We have developed our data quality scores and are validating these at the time of writing. Once we have achieved validation of our target data quality scores, we will publish our minimum standards across a range of data quality and data completeness metrics.
Our formula continued
- Company manual research
We operate and drive continuous database improvement with a quality-first mindset.
To ensure the data we source meets our stringent quality standards, the research team continuously audit our customers’ most desired company and contact profiles, including the information collected via our programmatic primary data capture methods.
- Daily database updates
We perform millions of daily database updates. Apart from keeping our data fresh, these updates enable us to track important contact-level events such as key roles joining or leaving a company. This allows customers to rekindle relationships with former users or connect with new decision-makers who are just starting out and building their strategy, before competitors catch up.