Data Protection Policy
DPM-01 – 23/05/2018
1 – INTRODUCTION
The General Data Protection Regulation 2018 regulates the way in which all personal data is held and processed. This is a statement of the data protection policy adopted by Strategy 365 Limited. It applies to all Strategy 365 Limited’s employees.
In order to operate efficiently Strategy 365 Limited needs to collect and use information about the people with whom we work. This includes current, past and prospective employees, reviewers, professional experts, stakeholders, delegates and others with whom we communicate.
Strategy 365 Limited regards the lawful and correct treatment of personal information as integral to our successful operation, and to maintaining the confidence of the people we work with. To this end we fully endorse and adhere to the principles of the General Data Protection Regulation 2018.
2 – PURPOSE
The purpose of this policy is to ensure that everyone handling personal information at Strategy 365 Limited is fully aware of the requirements of the Act and complies with data protection procedures, and that data subjects are aware of their rights under the General Data Protection Regulation 2018.
Scope: Information covered by the General Data Protection Regulation 2018
‘Personal data’ covered by the General Data Protection Regulation 2018 is essentially any recorded information which identifies a living individual. Personal data held by Strategy 365 Limited will include contact information for a variety of stakeholders and other personal details.
3 – RESPONSIBILITY
The Managers report on any data protection matters to the Managing Director.
The Managing Director is the Data Controller and has overall responsibility for compliance with the General Data Protection Regulation 2018, but individual members of staff/the Data Processors are responsible for the proper use of the data they process.
4 – POLICY STATEMENT
The General Data Protection Regulation 2018 and the rights of the individual are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The General Data Protection principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
In order to meet the requirements of the principles Strategy 365 Limited will:
- Fully observe conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- Ensure the quality and accuracy of the information used
- Hold personal information on Strategy 365 Limited systems for as long as is necessary for the relevant purpose, or as long as is set out in any relevant contract held with Strategy 365 Limited or Strategy 365 Limited’s Information Retention Policy
- Ensure that the rights of people about whom information is held can be fully exercised under the General Data Protection Regulation 2018 (these include: the right to be informed that processing is being undertaken; the data subject’s right of access to their personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information)
- Take appropriate technical and organisational security measures to safeguard personal information and
- Ensure that personal information is not transferred outside the EEA without suitable safeguards.
5 – RESPONSIBILITIES FOR DATA PROTECTION AND CONFIDENTIALITY
Strategy 365 Limited will ensure that there is someone with specific responsibility for data protection in the organisation. The Data Controller is currently Gavin Nixon, Managing Director. The Managing Director may be contacted at:
16 Haven Crescent
Strategy 365 Limited will ensure that:
- The Data Controller understands their role and their rights and responsibilities
- The Data Processors understand their role and their rights and responsibilities
- This policy is available to each member of staff
- The Data Controller and Data Processors are adequately trained in handling personal information
- Queries about handling personal information are dealt with promptly and courteously
- Clear processes and procedures are in place to show how all data is processed and held
- Data Protection Impact Assessments shall be completed for each data process and reviewed on an annual basis or as processes change
- The Director approves all changes to policy and procedure.
6 – STAFF RESPONSIBILITY
- All staff shall be aware of the requirements of the General Data Protection Regulation 2018 and how the rules apply to them.
- All staff must complete data protection induction and annual training.
- All staff have a responsibility to ensure that they respect confidential information in their possession and maintain information security. Disclosure of confidential information gained as part of your employment to a third party, or assisting others in disclosure, will be viewed by Strategy 365 Limited with the utmost seriousness.
- All staff are responsible for ensuring personal information is kept no longer than is necessary.
- All staff are responsible for making sure that all personal data held is up-to-date, accurate and relevant.
For further advice, please contact the Managing Director.
7 – PRIVACY STATEMENT
Strategy 365 Limited respects your privacy. The information that you provide us with, or that is gathered automatically, helps us to monitor our services and provide you with the most relevant information. More information on how Strategy 365 Limited safeguards your privacy in relation to websites, email, voicemail, social media, testing and training can be found on our website: https://www.strategy365.co.uk/privacy-policy
8 – SUBJECT ACCESS REQUESTS
Under the General Data Protection Regulation 2018 individuals have the right to access personal information Strategy 365 Limited may hold about them.
Strategy 365 Limited will take no longer than 30 days to provide this information. It will be sent via email to the requester in a clear and concise format.
If you wish to request such information please email firstname.lastname@example.org or consult our guidance on making a subject access request.
9 – DATA PROTECTION COMPLAINTS PROCEDURE
Strategy 365 Limited shall comply fully with its obligations under the General Data Protection Regulation 2018. If you have any questions or concerns regarding Strategy 365 Limited’s management of personal data, including your right to access data about yourself, or if you feel Strategy 365 Limited holds inaccurate information about you, please contact Strategy 365 Limited’s Director & Lead Consultant (details above).
If you feel that your questions or concerns have not been dealt with adequately or that a subject access request you have made to Strategy 365 Limited has not been fulfilled you can use Strategy 365 Limited’s complaints procedure, by contacting us at email@example.com
If you are still dissatisfied, you have the right to contact the office of the Information Commissioner, the independent body overseeing compliance with the General Data Protection Regulation 2018: http://ico.org.uk/
10 – DATA BREACHES
If a breach has occurred which is likely to result in a risk to the rights and freedoms of natural persons, then the following will be reported to the Supervisory Authority:
- The nature of the personal data breach
- The categories of personal data
- The approximate number of data subjects affected
- The approximate number of personal data records concerned
- The contact details for the point of contact here at Strategy 365
- The likely consequences of the personal data breach
- The measures taken to address the personal data breach
11 – REVIEW
This policy will be reviewed on an annual basis.
12 – BREACHES OF THIS POLICY
All Strategy 365 Limited employees, partner agencies, contractors and vendors have a responsibility to protect personal data, and report data security incidents and breaches of this policy as quickly as possible. This also extends to any external organisation contracted to support or access the Information Systems of Strategy 365 Limited.
In the case of third party vendors, consultants or contractors, non-compliance could result in the immediate removal of access to the system. If damage or compromise of Strategy 365 Limited’s ICT systems or network results from the non-compliance, Strategy 365 Limited will consider legal action against the third party. Strategy 365 Limited will take appropriate measures to remedy any breach of the policy. In the case of an employee, the matter may be dealt with under Strategy 365 Limited’s disciplinary process.