This document summarises the policy of Get Off My Pavement Ltd in respect of Data Protection, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.
1. Data Security - Storage
All electronic copies of personal data are stored securely using password protection and data encryption.
Hardcopies of personal data, along with any electronic copies stored on physical, removable media, are kept securely in a locked box, drawer, or cabinet.
All personal data stored electronically is regularly backed up.
When communicating electronically (e.g., by email or over the internet), secured connections (e.g., SSL) are always used.
2. Data Security - Disposal
When personal data is to be erased or disposed of for any reason, including copies that are no longer required, it will be securely deleted and destroyed to prevent unauthorised access or recovery.
3. Data Security - Use of Personal Data
No personal data is shared informally.
Personal data is not transferred to employees, agents, contractors, or third parties without the authorisation of the company’s Data Protection Officer, Tom Johnson.
Personal data must be handled carefully at all times and must not be left unattended or visible to unauthorised personnel.
A device on which personal data is being viewed must be locked whenever it is left unattended.
4. Data Security - IT Security
Passwords protecting personal data are changed regularly and must include a mix of uppercase and lowercase letters, numbers, and symbols.
Passwords are not written down or shared between employees, agents, or contractors. If a password is forgotten, it must be reset through an approved process.
All software, including operating systems, is kept up to date to reduce security vulnerabilities.
Antivirus and firewall software are installed and updated regularly on all systems to protect against threats.
5. Organisational Measures
All employees, agents, or contractors are fully informed of their responsibilities under the UK GDPR and this policy and are provided with a copy of the policy.
Only those who need access to personal data to fulfil their duties are granted access.
Employees and contractors handling personal data receive appropriate training and supervision.
Employees and contractors are required to exercise care, caution, and discretion when discussing work-related matters involving personal data, both within and outside the workplace.
Methods of collecting, holding, and processing personal data are regularly reviewed for compliance with UK GDPR.
All personal data held by the company is periodically reviewed to ensure accuracy and relevance.
Contractors or other parties working on behalf of the company must ensure that their employees handle personal data in accordance with this policy and the UK GDPR.
6. Data Subject Rights
Individuals have the following rights under UK GDPR:
The right to be informed about how their data is used.
The right to access their personal data.
The right to correct inaccuracies in their personal data.
The right to request the deletion of their personal data.
The right to restrict the processing of their personal data.
The right to object to the use of their data for specific purposes.
The right to data portability.
7. Cookies and Tracking
The company uses cookies on its website to enhance user experience and for essential website functionality.
Users can manage their cookie preferences through their browser settings or by contacting the company.
No unnecessary tracking technologies are used without the user's consent.
8. Data Breach Notification
Any personal data breaches must be reported immediately to the Data Protection Officer, Tom Johnson.
If a breach is likely to result in a risk to the rights and freedoms of data subjects (e.g., financial loss, discrimination, reputational damage), the Information Commissioner’s Office (ICO) must be informed within 72 hours.
If a breach is likely to result in a high risk to the data subjects, they must be informed directly and without undue delay.
9. Transferring Personal Data Outside the UK
The company does not currently transfer personal data outside of the UK.
If such a transfer is required in the future, it will only be made to countries with adequate data protection standards as determined by the UK government.
10. Policy Implementation and Review
This policy is effective as of [Insert Date] and is reviewed annually or as required to reflect changes in data protection laws or company practices.
All employees, agents, and contractors must adhere to this policy.
Non-compliance with this policy may result in disciplinary action or termination of contracts.