KBS Electrical & Data Services Ltd needs to gather and use information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has or may need to contact. This policy describes how this data, where required, must be collected, handled, stored and disposed of to meet the GDPR 2018 requirements and to comply with the law.
This GDPR policy ensures KBS Electrical & Data Services Ltd:
- Complies with the regulations and follows good practice
- Protects the rights of staff, clients and partners
- Is transparent about how it collects, stores and processes individuals’ data
- Protects itself from the risks of data breach
DATA PROTECTION LAW
The Data Protection Act 1998 is being replaced by the General Data Protection Regulations in May 2018 (following an EU directive).
The regulations describe how a company must collect, handle, store and dispose of personal information.
The Regulations apply whether the data is stored electronically or as hard copy.
Data kept will be:
- Collected fairly and legally
- Individuals will be made aware and must actively give permission
- Data must be relevant
- Data will be accurate and current
- Not held for longer than necessary
- Protected appropriately
- Destroyed on request – right to be forgotten
- Supplied on request to the relevant individual free of charge (FOC)
- Not shared with any other party without permission
This policy applies to:
- All staff
- All contractors, suppliers, associates and others working on behalf of the company.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside GDPR 2018.
This data will include:
- Names of individuals
- Postal addresses
- E-mail addresses
- Telephone numbers – landline and mobile
- Any other information relating to individuals
This policy helps to protect KBS Electrical & Data Services Ltd from security risks including:
- Breaches of confidentiality e.g., divulging information by mistake
- Failing to offer choice e.g., preventing the individual from giving permission on what data is held and how it is stored
- Reputational damage e.g., company servers being hacked and sensitive data being stolen
- Data should be protected by strong passwords, changed regularly and never shared between staff
- Data will only be stored on designated servers and drives.
- Portable drives will be kept securely
- Servers are protected with security software and appropriate firewalls
Data is at the highest risk of loss, corruption or theft when it is being used:
- Staff should ensure no data is visible on screens when they are unattended
- Personal data should not be shared informally. Where possible, it should not be sent by email, which is not secure
- Staff should not save copies of personal data to their own computer
KBS Electrical & Data Services Ltd will take reasonable steps to ensure data is kept up to date, accurate and relevant:
- It is the responsibility of staff to take reasonable steps to ensure data kept is accurate and up to date
- Data will be held in as few places as possible. Unnecessary additional sets will not be created
- Staff should take the opportunity to update client personal data – by confirming client details when speaking to a client
- Data will be updated as inaccuracies are discovered e.g., if the client can no longer be reached on a specific phone number it should be deleted from the database.
SUBJECT ACCESS REQUEST
- Ask what information is held on them
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its legal obligations under GDPR 2018
Subject access requests should be made to the Data Controller (Steve Hinton) formally in writing. Information will be supplied free of charge within 1 month of the request.
The Data Controller will always verify the identity of the person making the subject access request before handing over any information.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances KBS Electrical & Data Services Ltd may be required to provide personal data to certain authorised agencies e.g., police, HSE etc. Under these circumstances the Data Controller will ensure the request is legitimate, seeking legal advice where necessary.
UPDATES OR AMENDMENTS TO THIS POLICY