Data Security Policy
This policy sets out GRI’s approach to data protection in accordance with the Data Protection Act (DPA) 1998 and the updated requirements of the General Data Protection Regulation (GDPR) with effect from May 2018.
2. Format of Policy
The narrative of the policy highlights the requirements on us as a business in relation to processing personal data and specifically in relation to the storage, retention and destruction of personal and other confidential data.
3. What the Law Says
For the purposes of data retention our approach is to comply with the requirements of the GDPR from the time of implementing this policy, which assumes compliance with the existing terms of the DPA 1998.
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
4. Our Privacy Principles
- Process personal data lawfully, fairly and transparently,
- Only collect personal data for specified, explicit and legitimate purposes,
- Limit the collection and retention of personal data to what is adequate, relevant and necessary,
- Ensure the data is accurate and kept up to date where necessary,
- Keep the data for no longer than is necessary and as instructed by the Data Controller where data subjects are identifiable,
- Process it securely and protect against accidental loss, destruction or damage.
5. General Responsibilities
As a processor of data across a range of business functions, GRI is committed to acting responsibly where there is a requirement to retain, share or destroy personal data, and will only retain personal data when acting on the instructions of the Data Controller.
We have conducted an in-depth review of data types and current practices across the business as the starting point for this policy.
It is the responsibility of all GRI managers, employees and contractors who access personal data to familiarise themselves with this policy and to adhere to its requirements.
Any queries in relation to data retention should be directed to our appointed Data Protection Officer.
6. Data Retention
GRI will act upon the instructions of the relevant Data Controller in relation to data retention and destruction.
7. Data Destruction
Where we process personal data, we will retain it in accordance with the requirements of the Data Controller.
GRI has a procedure in place in relation to requests for the right to be forgotten. This will be enacted in the event that instructions are received from a Data Controller in relation to one of their data subjects.
Individual departments have appropriate processes in place to ensure that they regularly review data they hold so that it is not held for longer than is required and is destroyed in a confidential, secure way when it is no longer required or when requested.
8. Data Breach Process
All potential personal data breaches MUST be reported IMMEDIATELY to the Data Protection Officer.
GRI is a data processor for the purposes of e-tips® based activity. Under these circumstances, where a potential breach is identified, GRI is obliged to inform the data controller (usually the client or agency).
GRI’s Data Protection Officer MUST be informed IMMEDIATELY when a potential breach is identified.
The Data Protection Officer will notify their equivalent at the Controller organisation as soon as they are made aware and where they consider that a breach may have occurred.
The Data Controller organisation is obliged to report the breach to the ICO within 72 hours of notification.
9. Useful Sources & Links
For further detail on the Data Protection Act 1998 and the General Data Protection Regulation 2018, visit the Information Commissioner’s Office website: https://ico.org.uk/.