GENERAL DATA PROTECTION REGULATION POLICY
This policy updates Fire Risk Solutions' current Data Protection Policy and procedures to include the additional requirements of GDPR, which apply in the UK from 25th May 2018. The Government has confirmed that, despite the UK leaving the EU, GDPR will remain a legal requirement, probably via the Great Repeal Bill.
This policy explains the duties and responsibilities of Fire Risk Solutions and identifies the means by which the company will meet its obligations.
MINIMISING RISK AND IDENTIFYING ROLES
GDPR requires that everyone within the company understands the implications of GDPR and that roles and duties are assigned. The Managing Director acts as the Data Controller and the Office Manager is the Data Protection Officer (DPO).
Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes, be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for so long as is necessary for processing; and be processed in a manner that ensures its security.
Information handling is a high/medium risk to the company and will be included in the company’s Risk Assessment. Such risks can be minimised by undertaking an Information Audit; issuing privacy statements; minimising who holds information; disposing of information safely; and training staff.
GDPR requires continued care by the Data Protection Officer and the company when sharing information about individuals, whether as a hard copy or electronically. A breach could result in a fine and a payment of compensation to those affected.
THE SIX DATA PROTECTION PRINCIPLES
1. LAWFULNESS, FAIRNESS & TRANSPARENCY
Lawfulness: Processing must meet the tests described in GDPR;
Fairness: What is processed must match up with how it has been described; and
Transparency: Tell the subject what data processing will be done.
2. PURPOSE LIMITATION
The purposes will be set out in the company’s Privacy Notice, which tells people why we need their data when we collect it from them, what we will do with it, who we will share it with and how long we will keep it.
3. DATA MINIMISATION
Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose.
4. ACCURACY
Any information held must be accurate and kept up to date. If it is found to be inaccurate it must be corrected or deleted without delay.
5. STORAGE LIMITATION
Data must not be kept longer than is necessary or legally required.
6. INTEGRITY & CONFIDENTIALITY
Data must be kept physically and electronically secure.
THE SIX LEGAL BASES FOR THE LAWFUL PROCESSING OF DATA
1. CONSENT
This is the usual basis for processing data, and the burden of proof is higher under GDPR.
Consent means a ‘freely given, specific and informed indication of wishes by which the data subject signifies agreement to their personal data being processed’.
Consent is not freely given if there is no real choice, or if refusing or withdrawing consent would cause detriment. Withdrawing consent should be as easy as giving it. The burden of proof is on the Data Controller (the Managing Director) to show that consent was given. Consents should be regularly reviewed and updated.
2. PERFORMANCE OF CONTRACT
This means the collection and processing of data to provide the service.
3. COMPLIANCE WITH LEGAL OBLIGATION
Processing is necessary for compliance with a legal obligation to which the controller is subject.
4. VITAL INTERESTS OF DATA SUBJECT
For example, monitoring epidemics and responding to humanitarian emergencies.
5. PUBLIC INTEREST
For example, the use of personal data for the collection of income tax.
6. LEGITIMATE INTERESTS OF DATA CONTROLLER
For example, for the prevention of fraud.
ENHANCED RIGHTS FOR ALL INDIVIDUALS
All individuals who have dealings with the company have these rights and the company needs to take account of these rights.
REQUESTS FOR INFORMATION (SUBJECT ACCESS REQUESTS)
Under the GDPR a data controller may not, in general, charge for dealing with a request for access to personal data (a subject access request). The company must reply promptly and, in any event, within one month; for complex or numerous requests this period can be extended by a further two months. The company may charge a reasonable fee, or refuse to comply, where a request is manifestly unfounded or excessive, but the data controller bears the burden of proving that it was. Third parties can ask for information about an individual but must still prove they have that individual’s consent, or justify why disclosure is appropriate, as they do now.
RIGHT TO BE INFORMED
People should know whether they are obliged to provide their personal data and what the potential consequences are if they do not. This needs to be made clear at the point of collecting the data.
RECTIFICATION
The right to have inaccurate personal data corrected. If inaccurate data has been shared there is an obligation to inform each recipient of the correction, unless this is impossible or would involve disproportionate effort.
ERASURE (THE RIGHT TO BE FORGOTTEN)
This is not an absolute right and it does not apply if there is a lawful reason for continued processing. This might be a factor, for example where the company has employment records and someone requests that details of a grievance, or a disciplinary matter, be removed.
RESTRICTION OF PROCESSING
Where there is a dispute about the processing of personal data (for example, the data subject contests its accuracy), the affected data may still be stored but may otherwise only be processed with the data subject’s consent, for establishing, exercising or defending legal claims, for the protection of another natural or legal person’s rights, or for reasons of important public interest. The restriction continues until the dispute is resolved.
DATA PORTABILITY
This allows a data subject to instruct a data controller to transmit their personal data to another controller where it is technically feasible to do so. There is no obligation to maintain, or adopt, technically incompatible systems.
OBJECTION TO PROCESSING
A data subject can object to the processing of their data, and the data controller must respond within one month (with a possible two-month extension for complex or numerous requests). The right covers processing, including profiling, carried out in the public interest, for direct marketing, and for historical research or statistical purposes. An objection to direct marketing must always be upheld; for the other purposes the company may continue processing only where it can justify doing so under the public interest test.
DATA PROTECTION PRINCIPLE SIX
INTEGRITY & CONFIDENTIALITY – KEEPING PERSONAL DATA SECURE
Keeping personal data secure means keeping the company’s IT systems secure. In practice this covers:
· strong passwords;
· regular back-ups;
· keeping software up to date and applying security patches as soon as possible;
· encryption to protect data;
· guidance on the storage and safekeeping of the company’s business tablets and phones; and
· using a company email address, rather than a personal one, for business correspondence.
IMMEDIATE IMPACT OF GDPR ON Fire Risk Solutions
1. Notification to the ICO is abolished. The company must instead continue to maintain the record of processing it already holds and keep it up to date.
2. Appoint a Data Protection Officer, who must:
· have appropriate expertise;
· be able to report to the company’s management;
· be able to operate independently; and
· not be dismissed or penalised for carrying out their role properly.
The tasks will be:
· Dealing with subject access requests and ‘right to be forgotten’ requests;
· Reporting data breaches to the ICO and to affected data subjects;
· Implementing and updating policies and procedures;
· Dealing with enquiries and complaints from data subjects.
3. Review the policies on data security, retention and responding to requests for information so that they all work together. This includes a clear process, known to everyone, for identifying a breach of data security and deciding whether it must be reported to the ICO.
4. Put in place a Privacy Notice and ensure the company uses appropriate privacy wording whenever personal data is collected.
5. Check IT security: regular back-ups must be taken, and updates must be applied as soon as they are available. Patches issued to close security holes must be applied as soon as possible.
6. Check explicit consent is being obtained to use personal data and do not rely on implied consent, pre-ticked boxes or inactivity.
7. When considering cloud services, look for providers that have signed up to the Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct.
The Information Audit will need to be reviewed annually, or whenever services or projects change.
This policy will be reviewed annually or when further advice is issued by the ICO.
All employees are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of Fire Risk Solutions.
The following eleven steps are those Fire Risk Solutions has implemented.
1. AWARENESS
Everyone in the company is aware of what is happening.
2. INFORMATION THE COMPANY HOLDS (INFORMATION AUDIT)
The company has checked what information it holds (and why) and have decided whether it needs to keep it.
3. COMMUNICATING PRIVACY INFORMATION
The company needs to tell people why it is collecting their data, what it will be used for, who it will share it with and how long it will be kept for, and this needs to be done every time data is collected.
4. INDIVIDUALS’ RIGHTS
The company needs to ensure its policy makes clear the rights individuals have to see their information, correct it, delete it or transfer it.
5. SUBJECT ACCESS REQUESTS
The company has ensured this policy is easily available and easy to understand.
6. LAWFUL BASIS FOR PROCESSING INFORMATION
The company needs to ensure it has identified a lawful basis (normally consent) for each processing activity.
7. CONSENT
The company needs to obtain informed consent.
8. DATA BREACHES
The company has a process for identifying breaches and reporting them.
9. DATA PROTECTION BY DESIGN & DATA IMPACT ASSESSMENTS
Systems and policies have safeguards for personal data built in.
10. DATA PROTECTION OFFICER
The company has appointed a Data Protection Officer. The company has ensured that all employees understand the DPO’s duties and responsibilities.
11. INTERNATIONAL TRANSFER
If the company uses ‘cloud services’ this could result in an international transfer of personal data, which must be covered by appropriate safeguards.
Fire Risk Solutions April 2018