GDPR Company Policy

GDPR Data Protection Policy

Policy information

Organisation

Blithfield Safety Training Ltd Director: Michael Davies

Scope of policy

• The Head office of Blithfield Safety Training Ltd
• All Staff and volunteers of Blithfield Safety Training Ltd
• All contractors and suppliers working on behalf of Blithfield Safety Training Ltd

Policy operational date

1st May 2018

Policy prepared by

Michael Davies, Company Director

Date approved by Board/ Management Committee

1st May 2018

Policy review date

1st May 2021

Introduction

Purpose of policy

• complying with the GDPR law
• following good practice
• protecting clients, staff and other individuals
• protecting the organisation

Types of data

• Names
• Dates of Birth
• Email Addresses
• Phone Numbers
• Addresses

Policy statement

• comply with both the law and good practice
• respect individuals’ rights
• be open and honest with individuals whose data is held
• provide training and support for staff who handle personal data, so that they can act confidently and consistently
• notify the Information Commissioner voluntarily, even if this is not required

Key risks

• Personal data falling into the wrong hands
• Malware

04/05/2018 Blithfield GDPR Policy 2018 Copy.doc


Responsibilities

The Board / Company Directors

Michael Davies Company Director

Data Protection Officer

• Michael Davies

Specific Department Heads

NA

Employees & Volunteers

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘employees’ is used, this includes both paid employees and volunteers.)

Enforcement

All staff and volunteers will attend a training session where responsibilities regarding data security will be outlined. Data protection will be continuously monitored by Michael Davies.

Security

Security measures

Passwords randomly generated and changed at least every 3 months
Malware security installed on computers

Business continuity

Data securely backed up hourly and password protected

Specific risks

Data recording and storage

Updating

Data will be kept for the 3 year period of the qualification and will then be discarded.

Storage

Data records will be stored electronically and discarded after a 3-year period

Retention periods

All certificates last for 3 years so essential details will be retained for 3 years and then discarded

Archiving

All records will be securely deleted, no paper records will be kept


Right of Access

Responsibility

The person responsible for accessing stored data will be Michael Davies

Procedure for making request

Right of access requests must be made in writing.

Provision for verifying identity

The identity of the person making the access request must be verified

Charging

Access requests will normally be free of charge; however, a fee may be charged if the request is complex and requires excessive administration work.

The fee will be fairly based on the administrative cost of providing the information

Procedure for granting access

If the request is made electronically, the information will be supplied in a similar electronic format

Transparency

Commitment

Blithfield Safety Training Ltd will ensure that Data Subjects are aware:

• that their data is being processed
• for what purpose it is being processed
• what types of disclosure are likely, and
• how to exercise their rights in relation to the data

Procedure

• Data subjects will be informed that minimal data will be retained for the 3-year period during which the certificate remains valid.
• Data subjects will be given the option to opt in to be reminded when their certificates are due to expire.


Lawful Basis

Underlying principles

A copy of the register will be kept for the 3 year period that the certificates remain valid. This is to allow reprinting of lost certificates if required and also provides proof that the data subject does hold the qualification in the absence of a certificate

Opting out

Data subjects can opt out of a reminder when the 3 year period is up.

Withdrawing consent

Once given, consent can be withdrawn; however, the company does have a responsibility to retain minimal records for a 3 year period for the benefit of the data subject.

Employee training & Acceptance of responsibilities

Induction

All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures

Continuing training

Data Protection issues will be raised during employee training, team meetings and supervisions.

Policy review

Responsibility

The review will be carried out by Michael Davies on an annual basis

Timing

The review will be started on the anniversary of the previous review and will usually be completed in a 24 hour period.
