Our Data Protection Policy
Our data protection policy statement reiterates the important data protection principles set out in the GDPR, outlines how we intend to comply with them, and clarifies what rights and obligations an employee has, both in relation to their own personal data and when handling other people’s personal data.
Data protection principles
The EU General Data Protection Regulation (GDPR) requires us to comply with six data protection principles in our data processing activities. These say that personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected only for specified, explicit and legitimate purposes and not further processed in a way that’s incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to those purposes
- accurate and, where necessary, kept up to date
- not kept in a form which permits identification of data subjects for longer than is necessary for those purposes
- processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against loss, destruction or damage.
Businesses not only need to comply with these principles but also must be able to demonstrate that they comply. This is called the principle of accountability. So, we have implemented appropriate technical and organisational measures, including putting in place data protection policies and procedures and providing employee training, to ensure and be able to show that we carry out processing in accordance with the GDPR’s requirements.
Our GDPR Data Protection Policy sets out the principles and legal conditions that we, and our staff, must satisfy when processing personal data in the course of our business activities. This includes not only employees’ and other workers’ personal data but also personal data belonging to customers, clients and suppliers. The data protection principles are a central part of our policy statement as it outlines what those principles are and what our procedures are for ensuring that we comply with them. It also includes policy provisions governing the lawful basis for processing, subject access rights, the other rights of data subjects, data protection impact assessments and data retention and erasure. It’s intended to outline both our responsibilities, and the employee’s rights and obligations, in relation to the processing of personal data. That way, our employees should clearly understand how to implement the data protection principles and apply them in practice. Finally, we’ve confirmed to our employees that a failure to follow data protection requirements is a disciplinary offence. We have adopted our policy statement to ensure it reflects the specific operational practices and procedures that we’ve put in place in relation to data processing activities.