GDPR Company Policy
GDPR Data Protection Policy
Policy information
Organisation
Blithfield Safety Training Ltd Director: Michael Davies
Scope of policy
• The Head office of Blithfield Safety Training Ltd
• All Staff and volunteers of Blithfield Safety Training Ltd
• All contractors and suppliers working on behalf of Blithfield Safety Training Ltd
Policy operational date
1st May 2018
Policy prepared by
Michael Davies, Company Director
Date approved by Board / Management Committee
1st May 2018
Policy review date
1st May 2021
Introduction
Purpose of policy
• complying with the GDPR law
• following good practice
• protecting clients, staff and other individuals
• protecting the organisation
Types of data
• Names
• Dates of Birth
• Email Addresses
• Phone Numbers
• Addresses
Policy statement
• comply with both the law and good practice
• respect individuals’ rights
• be open and honest with individuals whose data is held
• provide training and support for staff who handle personal data, so that they can act confidently and consistently
• Notify the Information Commissioner voluntarily, even if this is not required
Key risks
• Personal data falling into the wrong hands
• Malware
04/05/2018 Blithfield GDPR Policy 2018 Copy.doc
Responsibilities
The Board / Company Directors
Michael Davies Company Director
Data Protection Officer
• Michael Davies
Specific Department Heads
NA
Employees & Volunteers
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘employees’ is used, this includes both paid employees and volunteers.)
Enforcement
All staff and volunteers will attend a training session where responsibilities regarding data security will be outlined. Data protection will be continuously monitored by Michael Davies.
Security
Security measures
Passwords randomly generated and changed at least every 3 months
Malware security installed on computers
Business continuity
Data securely backed up hourly and password protected
Specific risks
Data recording and storage
Updating
Data will be kept for the 3 year period of the qualification and will then be discarded.
Storage
Data records will be stored electronically and discarded after a 3-year period.
Retention periods
All certificates last for 3 years, so essential details will be retained for 3 years and then discarded.
Archiving
All records will be securely deleted; no paper records will be kept.
Right of Access
Responsibility
The person responsible for accessing stored data will be Michael Davies.
Procedure for making request
Right of access requests must be made in writing.
Provision for verifying identity
The identity of the person making the access request must be verified.
Charging
Access requests will normally be free of charge; however, a fee may be charged if the request is complex and requires excessive administration work.
The fee will be fairly based on the administrative cost of providing the information.
Procedure for granting access
If the request is made electronically, the information will be supplied in a similar electronic format.
Transparency
Commitment
Blithfield Safety Training Ltd will ensure that Data Subjects are aware:
• that their data is being processed
• for what purpose it is being processed
• what types of disclosure are likely, and
• how to exercise their rights in relation to the data
Procedure
Data subjects will be informed that minimal data will be retained for the 3-year period during which the certificate remains valid.
Data subjects will be given the option to opt in to be reminded when their certificates are due to expire.
Lawful Basis
Underlying principles
A copy of the register will be kept for the 3-year period that the certificates remain valid. This is to allow reprinting of lost certificates if required, and also provides proof that the data subject does hold the qualification in the absence of a certificate.
Opting out
Data subjects can opt out of a reminder when the 3 year period is up.
Withdrawing consent
Once given, consent can be withdrawn; however, the company does have a responsibility to retain minimal records for a 3-year period for the benefit of the data subject.
Employee training & Acceptance of responsibilities
Induction
All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Continuing training
Data Protection issues will be raised during employee training, team meetings and supervisions.
Policy review
Responsibility
The review will be carried out by Michael Davies on an annual basis.
Timing
The review will be started on the anniversary of the previous review and will usually be completed in a 24 hour period.