General Data Protection Policy

Contents

1. Approvals & Review

2. Version Control

3. Policy Owner

4. Purpose

5. Risk Appetite Statement

6. Scope

7. Requirements

8. Roles & Responsibilities

9. Related Policies

10. Links to Supporting Templates

11. Glossary of Terms

12. Document Management

1.  Approvals & Review

1.1 This policy was endorsed by John Thatcher (Director/Board Member or Policy Committee) on 25 May 2018 and will be approved by the Board on 14 June 2018.

The policy shall apply from 14 June 2018 and will be enforced from 14 June 2018.

1.2 This Policy shall be reviewed by the Policy Committee no later than 25 May 2019.

2.  Version Control

2.1 The current official copy of this policy shall be located in the dedicated GDPR folder on the corporate server (Training / GDPR / Policies).

If this document is found in any other location, the reader should check the policy portal to confirm they are reading the current requirements.

3.  Policy Owner

3.1 The Owner of this policy is the incumbent Data Protection Officer.

4.  Purpose

4.1 An organisation which controls processing activities involving Personal or Sensitive Data relating to European Union Data Subjects must comply with the General Data Protection Regulation 2016 ('GDPR') and the Privacy & Electronic Communications Regulation 2003 ('PECR'). This policy sets out the requirements to which all those in scope must adhere.

4.2 This Policy is subject to all the laws, rules and regulations that this organisation is governed by.

In the event this policy allows the exercise of discretion, such discretion must be exercised within the confines of the organisation's statutory obligations and must not contravene any of its legal, accounting or other regulatory requirements.

5.  Risk Appetite Statement

5.1 The Board's Risk Appetite for a material breach of GDPR compliance is LOW.

5.2 The Board has identified personal data breaches, failing to uphold Data Subjects' rights and reputational damage as key data protection risks.

6.  Scope

6.1 The scope of this policy covers all Processing activities and supporting Information Systems involving Personal or Sensitive Data where the organisation acts as the Controller. This includes personal or sensitive data in physical form, stored in a relevant filing system.

6.2 The scope of this policy covers all global geographic territories. For the avoidance of doubt, this includes Third Countries, outside the European Union (EU).

6.3 The scope of this policy covers all Employees, Contractors, Third Parties, Processors or others who process Personal or Sensitive Data on behalf of the organisation.

7.  Requirements

7.1 Principles

7.1.1 All Processing activities shall be:

i. Collected for specified, explicit and legitimate purposes only

ii. Accurate and, where necessary, kept up to date

iii. Retained only for as long as necessary

iv. Processed lawfully, fairly and in a transparent manner

v. Processed securely, using appropriate measures to maintain security

vi. Adequate, relevant and limited to what is necessary

7.2 Data Protection Officer (DPO)

7.2.1 A Data Protection Officer (DPO) shall be appointed and report directly to the Board.

7.2.2 The DPO shall support the organisation in upholding the rights of Data Subjects as it relates to the organisation's processing activities.

7.2.3 The DPO shall respond to enquiries from Data Subjects in a timely manner.

7.2.4 The DPO shall establish and maintain a programme to monitor compliance with this policy.

7.2.5 The DPO shall establish and maintain a General Data Protection training and awareness programme.

7.2.6 The DPO shall support compliance with this policy by providing support and advice as it relates to complying with the requirements of this policy.

7.2.7 The DPO shall be provided timely and appropriate access to information and information systems as it relates to the discharge of their duties.

7.2.8 The identity and contact details of the DPO shall be made publicly available.

7.2.9 The DPO shall maintain the following registers:

i.  Register of Processing Activities

ii.  Register of Data Protection Impact Assessments (DPIA)

iii. Register for Data Protection Metrics

iv. Register for Data Subject Enquiries

7.2.10 The DPO shall report personal data breaches to the Supervisory Authority no later than 72 hours after the breach has been detected.

7.3 Accountability

7.3.1 A record of processing activities shall be provided to the Data Protection Officer.

7.3.2 A System Owner shall be appointed for all Information Systems containing Personal or Sensitive Data. The System Owner shall not be from IT unless IT is performing the primary processing activity (e.g. IT operate the Service Desk System and so an IT Manager could be assigned as System Owner).

7.3.3 System Ownership shall not be assigned to a person who does not have budgetary responsibility for the Information System.

7.3.4 System Ownership shall not be assigned to a person who does not hold formal authority over those carrying out processing activity within the Information System.

7.3.5 A System Owner may delegate responsibility for operational tasks relating to this policy but shall not delegate accountability.

7.3.6 A System Owner may seek advice in the discharge of their duties but remains accountable for any subsequent decisions taken (e.g. acceptance of risk).

7.3.7 Processing activities shall be documented and a Process Owner appointed.

7.3.8 Process Ownership shall not be assigned to a person who does not hold formal authority over those carrying out processing activity within the Information System.

7.4 Lawfulness of Processing

7.4.1 Process Owners shall ensure processing is lawful and document the lawful grounds for processing.

7.4.2 Where processing involves data of Children, parental consent must be sought, provided and documented.

7.4.3 With the exception of storage, processing shall cease immediately where there are no longer lawful grounds for processing.

7.5 Transparency

7.5.1 Process Owners shall ensure information related to their processing activities is made available to the DPO so that an organisational Data Protection notice may be published.

7.5.2 Data Subjects shall be informed of processing activities and provided statutory information at the time data is collected.

7.5.3 Where data is collected from a source other than the Data Subject, they shall be informed of processing activities and provided statutory information as soon as practicable but no later than 10 working days.

7.5.4 Process Owners shall review the published Data Protection notice quarterly for any inaccuracies relating to their processes. The Process Owner shall report inaccuracies to the DPO within 5 working days.

7.6 Data Protection by Design & Default

7.6.1 Information Systems and Processes shall be designed to comply with the requirements of this policy.

7.6.2 Process and System Owners shall implement appropriate technical and organisational measures to ensure that data protection is incorporated into processes and systems, by design and default.

7.6.3 Processing activities and supporting Information Systems shall be designed to ensure the minimum personal data is stored and for the minimum period necessary.

7.6.4 System Owners shall ensure all Information Systems undergo a Data Protection Impact Assessment (DPIA) which contains at a minimum:

i.  A systematic description of the envisaged processing operations and the purposes of the processing.

ii. An assessment of the necessity and proportionality of the processing operations in relation to the purposes.

iii. An assessment of the risks to the rights and freedoms of data subjects.

iv. The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this policy, taking into account the rights and legitimate interests of data subjects and other persons concerned.

7.6.5 The System Owner shall consult with the DPO in relation to the completion of the DPIA.

7.6.6 The DPO shall, where the risk to Data Subjects' rights is deemed HIGH, consult with the Supervisory Authority.

7.6.7 System Owners shall ensure systems are explicitly designed to minimise the impact involved in upholding Data Subjects' rights.

7.6.8 Process Owners shall ensure processes are explicitly designed to minimise the impact involved in upholding Data Subjects' rights.

7.7 Security of Processing

7.7.1 System Owners shall be accountable for ensuring systems meet the minimum required standards for security, including, but not limited to:

i.  Identity & Access Management

ii. Patch & Vulnerability Management

iii. Change Management

iv. Backup & Restoration

v. IT Service Continuity Planning and Testing

vi. Development and Testing Activities

vii. Security breach monitoring and detection

7.7.2 Information Systems containing personal or sensitive data that are exposed to the Internet or a Third Party shall be subject to an independent, risk-based penetration test to an agreed scope, no less than annually. System Owners shall ensure all issues identified are appropriately treated, commensurate with the Board's risk appetite.

7.7.3 Personal Data Breaches shall be reported to the DPO as soon as possible but no later than 24 hours after detection.

7.8 Accuracy of Processing

7.8.1 Process Owners shall ensure data remains accurate and where inaccurate corrected as soon as possible but no later than 5 working days from when the error is reported and verified.

7.8.2 Process Owners of processes involving automated decision making or profiling shall document an alternative manual process and ensure appropriate resources are trained to carry out the manual process if required.

7.8.3 A Data Subject shall have a right not to be subject to an automated decision or profiling. Process Owners shall ensure this right is respected except where statutory exemptions apply.

7.9 Retention

7.9.1 With the exception of data held under statutory exemptions, personal data shall not be retained any longer than necessary.

See our data retention policy (add link – Steve).

7.10 Data Subject Access

7.10.1 Process Owners shall ensure those processing data understand how to identify a Data Subject access request.

7.10.2 Data Subject access requests shall be recorded in a register owned by the DPO.

7.10.3 Data Subject access requests shall be completed as soon as possible but no later than 30 calendar days.

7.10.4 Data Subject access requests shall not incur a charge.

7.10.5 Data Subject access requests shall be processed electronically if this is requested by the Data Subject.

7.10.6 Reasonable steps shall be taken to verify the identity of the Data Subject prior to providing access to their personal data.

7.10.7 System Owners shall ensure appropriate resource is made available to support Data Subject access requests.

7.10.8 Reasonable steps shall be taken to seek the permission of third parties prior to including their information within an access request. Where permission is not provided, the DPO shall be consulted to determine whether data should be provided or redacted.

7.10.9 Requested information shall be communicated to the Data Subject securely.

7.11 Third Party Processing

7.11.1 Processing activities shall not be outsourced to a third party without a binding written contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects and the obligations and rights of this Organisation.

7.11.2 Process Owners shall use only third-party Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this policy and ensure the protection of the rights of the Data Subject.

7.11.3 Process and System Owners shall consult with, and obtain a written recommendation from, the DPO and representatives from Legal, Procurement, Information Security, Business Continuity and Risk prior to signing a contract with a third party Processor, and with sufficient time to carry out effective due diligence on the proposed outsourced process and the third party Processor's data protection technical and organisational controls.

7.11.4 Process and System Owners shall engage an independent (internal or external) assessor that is professionally qualified to assess the third party Processor's data protection technical and organisational controls.

7.11.5 Process and System Owners engaging third-party Processors shall ensure continuing compliance with this policy and maintain accurate records of relevant meetings and compliance visits, including supporting evidence of the third party Processor's ongoing compliance.

8.  Roles & Responsibilities

8.1 The Board has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised in this policy.

8.2 Senior Management shall ensure appropriate resources are made available to support the implementation of this policy throughout all in-scope areas.

8.3 All those in scope of this policy are responsible for adhering to the requirements of this policy.

8.4 The Data Protection Officer (DPO) is responsible for monitoring compliance with this policy and shall provide periodic reporting to the Board and Senior Management on the organisation's compliance with this policy.

8.5 The Data Protection Officer shall be the contact point for all matters relating to the Supervisory Authority (SA).

8.6 The Chief Information Security Officer (CISO) is responsible for providing information security support as it relates to this policy.

8.7 Those described as Owners in this policy are responsible for ensuring their Processes and Information Systems meet the minimum requirements of all in-scope policies.

8.8 The Owners of the policies, detailed in 10.1, shall ensure requirements are amended to reflect the requirements of this policy.

8.9 The Head of Human Resources shall ensure Human Resources processing is compliant with the requirements of this policy.

8.10 The Head of Marketing shall ensure processing related to marketing activities is compliant with the requirements of this policy.

8.11 The Head of Procurement shall ensure procurement processes are compliant with the requirements of this policy.

8.12 Internal Audit shall provide the Board with independent assurance that the organisation is adhering to the requirements of this policy.

9.  Related Policies

9.1 This policy should not be read in isolation. The following policies also include specific and supporting requirements:

i.  (Enterprise/Operational) Risk Management Policy

ii.  Information Security Policy

iii. Incident Response Policy

iv. Records Management Policy

v.  HR Policy Portfolio

vi. Change Management Policy

vii. Project Management Policy

viii. Outsourcing Policy

ix. Fraud Policy

9.2 The policies can be found on the corporate server in the Training / GDPR / Policies folder.

10.  Links to Supporting Templates

Templates and other supporting materials can be found in the Data Protection Section of the Organisation's Intranet Site.

11.  Glossary of Terms

The following definitions are crucial to understanding the General Data Protection Regulation. When dealing with personal data, you must keep the following definitions in mind as they will be vital to understanding your data protection roles and responsibilities. This list is not exhaustive and more terms are described throughout this document, but initially the most useful are as follows:

Natural Person: Essentially an EU citizen who is alive.

A Natural Person may also be referred to as a Data Subject.

Child: for the purposes of GDPR, a Natural Person who requires parental consent, usually if they are below 16. EU Member States can, however, reduce the requirement for consent to those no younger than 13 (i.e. if the Natural Person is over 13, parental consent would not be required).

Personal Data: any information relating to an identified or identifiable Natural Person (or 'Data Subject'); an identifiable Natural Person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Natural Person.

Sensitive Data: special categories of information relating to an identified or identifiable Natural Person (or 'Data Subject'). Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life or sexual orientation.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a Natural Person, in particular to analyse or predict aspects concerning that Natural Person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Consent: any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

EU Member State: any country party to the founding treaties of the European Union (EU) and thereby subject to the privileges and obligations of membership. Member States are subject to binding laws in exchange for representation within the common legislative and judicial institutions.

Third Country: any country which is not an EU Member State (e.g. USA, India, China or the Philippines).

Supervisory Authority: the regulator within a European country who provides regulatory oversight for GDPR, provides guidance and advice and, where necessary, imposes corrective actions or administrative fines.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Protection Impact Assessment (DPIA): An assessment of the impact of the envisaged processing operations on the protection of personal data and the rights and freedoms of natural persons.

Subject Access Request (SAR): a request, made by a natural person, to access personal data held by a Controller or Processor.

Data Protection Officer (DPO): a person with expert knowledge of data protection law and practices who assists the Controller or Processor to monitor internal compliance with GDPR. Such data protection officers, whether or not they are an employee of the Controller, should be in a position to perform their duties and tasks in an independent manner.

The Lawful Basis for Processing:

You must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.   

You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

What are the Lawful Bases for Processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:          

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

12.  Document Management

This document is valid as of 14 June 2018.

This document is reviewed periodically and at least annually to ensure compliance with the following prescribed criteria.

i. General Data Protection Regulation

ii. Legislative requirements defined by law, where appropriate

(Role) Business Development Director

(Author) Stuart King