Data Protection Policy

(in accordance with General Data Protection Regulations)

Key Definitions

Data Processing:
Any operation or set of operations performed upon personal data or sets of personal data.

Data Subject:
Identified or identifiable living individual to whom personal data relates.

Data Controller:
Natural or legal persons, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor:
Natural or legal persons, public authority, agency or other body which processes personal data on behalf of the Controller.

Personal Data:
Any information relating to an identified or identifiable individual, whether directly (i.e. name, personnel number, location data or on- line indicator) or indirectly (i.e. where the individual is identifiable by reference to one or more factors specific to their physical, psychological, genetic, mental, economic, cultural or social identity).

Special Category Data:
Special Category Data is information relating to;- racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, genetic data, biometric data, a person’s age, data concerning health, data concerning a natural person’s sex life or sexual orientation.

Introduction

The Company needs to gather and process certain information about individuals (Personal Data). Such individuals may include employees, customers, suppliers and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to the requirements of the General Data Protection Regulations.
This Policy should be read in conjunction with the Company’s Privacy Statements.

Why This Policy Exists

This Data Protection Policy ensures Synergy Global Consulting Ltd;

Complies with data protection law and follows good practice
Protects the rights of employees, customers and business partners
Is open about how it stores and processes individual data
Minimises the risks of a data breach

Data Protection Legislation

“The General Data Protection Regulations” which became effective on 25th May 2018 replaced “The Data Protection Act 1998.

The Regulations describe how organisations, including Synergy Global Consulting Ltd. must collect, access, organise, store and destroy personal data (i.e. Processing).

Not only must the Company comply with the law regarding the processing of personal data safely and lawfully, the Company must demonstrate its compliance with the law.

The rules apply regardless of whether data is stored electronically, on paper or on other materials (e.g. CCTV)

The General Data Protection Regulations are underpinned by the following important principles;-

Lawfulness, fairness and transparency:
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose Limitation:
Personal data must be collected only for specified, explicit and legitimate purposes.

Data Minimisation:
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy:
Personal data must be accurate and where necessary kept up to date.

Storage Limitation:
Personal data which is kept in a form which Permits identification of data subjects must be kept for no longer than is necessary for the purpose for which data is processed.

Integrity and Confidentiality:
Personal data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability:
The data controller is responsible for and must be able to demonstrate compliance with the other data protection principles.

Responsibilities

It is the responsibility of all employees who work with personal data to take reasonable steps to ensure it is collected, stored and handled appropriately and is kept as accurate and up to date as possible. The following people however have key areas of responsibility;-

The Directors are ultimately responsible for ensuring Synergy Global Consulting Ltd. meets its legal obligation in respect to personal data.

The Data Protection Officer/Human Resources Manager is responsible for;

Keeping the Directors updated about data protection responsibilities, risks and issues
Arranging data protection training and advice for the people covered by this policy
Handling data protection questions form employees and anyone else covered by this Policy
Dealing with requests from individuals to see the data Synergy Global Consulting Ltd holds about them
Checking and approving any contracts or agreements with third parties that may handle personal data
Notifying any data breaches

The IT Manager is responsible for;

Ensuring all systems, services and equipment used for storing data meets acceptable security standards
Performing regular checks and scans to ensure security hardware and software is functioning properly
Evaluating any third-party services the Company is considering using to store or process data (e.g. cloud computing services)

The Marketing Manager is responsible for;

Ensuring any marketing initiatives abide by General Data Protection Regulations principles
Ensuring a lawful basis exists for processing any personal data held on a marketing database or similar.

Employee Responsibilities

Employees must be mindful of their responsibilities in respect of processing data. In particular employees must identify a lawful basis for processing personal data, these comprise;

Performance of a Contract:
Where the organisation has a contract with an individual and needs to process their Personal data to comply with its obligations under the contract.

Legal Obligation:
Where the organisation needs to process An individual’s personal data to comply with a common law or statutory obligation.

Consent:
Where the individual gives their consent. This must be freely given, specific, Informed and unambiguous.

Legitimate Interest:
Where the organisation identifies a legitimate interest in in “processing”

Vital Interest:
Where the organisation needs to process the individual’s personal data to protect someone’s life.

Public Task:
Relevant to Public bodies.

The only people able to access personal data are those who need to do so for their work and should do so in accordance with one (or more) of the lawful basis identified above.

Data should not be shared informally or where there is no lawful basis, either within the Company or externally. Moreover personal data must be held in as few places as necessary. Employees must not create unnecessary additional data sets.

Employees should keep all data secure, by taking sensible precautions. In particular strong passwords and/or encryption should be used. (See also data storage below).
Personal data should be regularly reviewed and updated. If it is out of date or no longer required, it should be deleted or disposed of confidentially.
Synergy Global Consulting Ltd has provided training to all employees (and will provide training to new employees) to help them understand their responsibilities when handling personal data.

Special Category Data

In addition the Company will at times need to process Special Category Data (or Sensitive Data). In such circumstances, the Company must identify at least one additional lawful ground (in addition to the general processing grounds, to justify processing special category data.

Data Use

It is when personal data is accessed and used, that it can be at greatest risk of loss, corruption or theft.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts;

the personal data and can show processing is necessary to achieve it. This requires the organisation to balance its needs against the interests, rights and freedoms of the individual. This is best done by completing a Privacy Impact Assessment.

Data should be protected by strong passwords that are changed regularly.
If data is stored on removable media, these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers.
Servers containing personal data should be sited in a secure location, away from the general office.
Data should be backed up frequently.
Data should only ever be saved temporarily to laptops or other mobile devices like tablets or smartphones (which are password protected) and then deleted as soon as possible.
All servers and computers containing data should be protected by approved security software and a firewall.

Where data is stored on paper, it should be safely stored in a secure place where unauthorised personnel cannot see it. In particular;-

When not required, files or other paper based personal data should be kept in a locked drawer or filing cabinet.
Employees should make sure papers are not left where unauthorised people could see them (e.g. on a printer).
Documents should be confidentially shredded and disposed of securely when no longer required.

These responsibilities also apply to data that is usually stored electronically but has been printed out for some reason.

Individual Rights

Individuals who are the subject of personal data held by Synergy Global Consulting Ltd are entitled to be;

Informed about how the Company will handle their data. This will normally be done by issuing a Privacy Notice
Ask to gain access to personal data held about them
Withdraw their consent, where consent is the lawful basis for processing
Request their personal data is erased in certain circumstances
Request their personal data is transferred to a third party in certain circumstances

Synergy Global Consulting Ltd may face significant fines for a data breach or for failing to adhere to the General Data Protection Regulations.

Employees should be aware they can be criminally liable if they knowingly or recklessly disclose personal data. Serious breaches of this Policy may be treated as a disciplinary offence.

Policy Prepared by: Tony Culpin
Approved on: 25/5/2018
Operational on: 25/5/2018