General Data Protection Regulation (GDPR) – Policy
P N Daly Ltd is committed to protecting the rights and privacy of employees, clients, clients’ customers and the general public in accordance with the General Data Protection Regulation (GDPR). This new law takes effect from 25th May 2018. It replaces the Data Protection Act. Organisations must demonstrate that they comply with the new law. This policy supersedes any previous company policies in respect of personal data.
The new law demands higher accountability in how companies manage and use personal data. It also has new and stronger rights for individuals. Any individuals who are the subject of personal data are entitled to see what data is held regarding them, unless requests are “manifestly unfounded or excessive”.
In order to comply with the new law, P N Daly Ltd has identified the following lawful bases for processing:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
This policy applies to all staff and subcontractors. A breach of this policy by P N Daly Ltd staff or subcontractors will normally be treated as misconduct: P N Daly Ltd’s disciplinary procedures will be invoked, or a subcontractor’s deployment may be discontinued.
Your Data Protection Officer (DPO) is Lisa Ritson, who will be required to carry out periodic checks on GDPR compliance across all parts of the company. Lisa will report directly to me regarding GDPR. You may address any concerns about how data held by the company is stored and used to Lisa.
All staff must adhere to the following principles at all times:
- Process all personal data fairly and lawfully.
- Process the data only for the specific and lawful purpose for which it is collected. For example, send employee starter packs only to one pre-designated person at head office rather than copying them to every department, where all departments might see the person’s private phone number or bank details. The pre-designated person will distribute each element of the starter pack to the relevant department.
- Ensure that all personal data, whether it relates to employee, client, clients’ customers, or the general public, is accessible only to those who have a valid reason for using it.
- Ensure that all data is relevant, accurate and where necessary up to date.
- Only keep personal data for as long as is necessary, as confirmed by your manager, and for the purpose it was intended, and keep it secure.
- All members of staff are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third parties.
- All hard copies of personal data must be kept in lockable cabinets/cupboards or in a lockable office with controlled access.
- Specific passwords must be set on all PCs and mobile electronic devices that hold personal data electronically; passwords must be changed regularly and must not be written down unless locked away.
- PC screens must not be left unattended without a password protected screen-saver being used.
- Post-it notes or paper containing names alongside personal private contact details must not be left on desks.
- If personal data is being legitimately shared with a third party, the third party must be provided with a copy of the company GDPR policy (i.e. this document), along with a statement from us that P N Daly Ltd expects our policy to be applied by them also in respect of this data.
- All emails relating to another person must be deleted from all computers after 6 months, having first been placed in the relevant person’s personnel file if appropriate. This should allow ample time for the relevant matter to have been dealt with. Exceptions can be made where necessary for issues that are unavoidably ongoing.
- Personnel files are not to be duplicated. Bank details and NI numbers are to be kept only in the wages or accounts office, as appropriate, and locked away, never left on desks. Desks must be kept tidy. Sick notes are to be kept in personnel files only, which must be locked away.
- All timesheets are to be kept locked away.
- Any document containing people’s data must not be left in a tray in a communal area.
- A personal private phone number alongside a person’s name must not be displayed on any notice board.
- All data must be deleted from phones and iPads once the employee who operated the relevant device has left.
- Personal data which is not needed must be deleted and not stored.
There are significant fines for non-compliance with GDPR. Compliance by our people is essential. This document is both an explanation and a reasonable management instruction from me to our employees and subcontractors.
Should you have any queries kindly contact Lisa Ritson (by email: firstname.lastname@example.org) in the first instance.