DATA PROTECTION POLICY
Sterling understands the importance of protecting personal information and is committed to complying with the General Data Protection Regulation 2016/679 (GDPR) and Data Protection Act 2018 (DPA). It is committed to fostering a culture of transparency and accountability by demonstrating compliance with the principles set out in the Regulation.
The GDPR sets out the rules for how organisations must process Personal Data and sensitive Personal Data about living individuals. It gives individuals the right to find out what Personal Data is held about them by organisations and to request to see, correct or erase Personal Data held.
We need to collect and process Personal Data about the people (including employees and individuals) we interact with to carry out our business effectively.
We are committed to ensuring that employees are appropriately trained and supported to achieve compliance with the GDPR and DPA.
1. Policy scope
1.1 This policy applies to all Personal Data collected and processed by us in the conduct of our business and applies to both electronic and manual filing systems.
1.2 This policy also applies to all employees, whether permanent or temporary together with any relevant third parties such as contractors and consultants.
2. Personal Data definitions
The following terms are defined in the GDPR and DPA:
Data Controller is the decision maker who decides how, when and where data under their control will be processed.
Data Processor refers to the individual or organisation that carries out data processing activities under instruction from the Data Controller. The Data Controller may also be the Data Processor.
Data Subject is the individual that the Personal Data relates to and identifies.
Personal Data means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Special categories of Personal Data relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
3. Data protection principles
3.1 The GDPR and DPA outline six principles which underpin the handling of Personal Data. To ensure compliance with them, we ensure that Personal Data is:
(a) Processed lawfully, fairly and in a transparent manner. In practice this means:
• Having legitimate grounds for collecting and using Personal Data.
• Not using Personal Data in a way that would have an adverse effect on the rights and freedoms of any individual.
• Being transparent about how we intend to use Personal Data and providing privacy notices where appropriate.
• Handling Personal Data in a way that people would reasonably expect.
• Ensuring that we do nothing unlawful with Personal Data.
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In practice this means:
• Being clear about why we are collecting Personal Data and what we will do with it.
• Providing privacy notices when collecting Personal Data.
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which Personal Data is processed. In practice this means only processing the Personal Data that is necessary.
(d) Accurate and, where necessary, kept up to date. In practice this means:
• Taking reasonable steps to ensure the accuracy of any Personal Data held.
• Ensuring that the source of the Personal Data is clear.
• Carefully considering any challenges to the accuracy of Personal Data.
• Considering whether it is necessary to update the information.
(e) Not kept for longer than is necessary for the purpose. In practice this means:
• Reviewing the length of time Personal Data is retained.
• Securely deleting Personal Data that is no longer needed.
(f) Processed in a manner that ensures the security of Personal Data using appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction. In practice this means:
• Designing and organising our security to fit the nature of the Personal Data held and the harm that may result from a breach.
• Ensuring that the right physical and security measures are implemented, backed by robust policies and procedures and reliable, well-trained employees.
• Ensuring we regularly audit our security measures.
3.2 We are able to demonstrate compliance with these principles.
4. Access to Personal Data
4.1 Employees will have access to Personal Data only where it is required as part of their job role.
4.2 People are entitled to make Subject Access Requests to ask whether the Company holds any Personal Data relating to them and, if so, to be given a description of and a copy of that Personal Data. Exemptions may apply in certain circumstances.
4.3 Subject Access Requests are dealt with in our Privacy Notice that can be located <here>.
5. Data sharing
5.1 Personal Data will not be transferred outside the UK or the European Economic Area.
5.2 Personal Data in any format will not be shared with a third-party organisation without sufficiently lawful grounds.
6. Privacy by design
6.1 We are committed to meeting the GDPR and DPA requirement to consider data privacy at all stages of processing.
6.2 The Company is able to demonstrate to Data Subjects and regulators that Personal Data is handled in a responsible and secure way in compliance with the GDPR and DPA.
6.3 As part of the design and implementation of any new technology, system or process we continually review that the impact to Personal Data processing is considered and addressed in line with this policy and data protection law.
7. Roles and responsibilities
7.1 The Managing Director has overall responsibility for our compliance with the GDPR and DPA as a Data Controller and Data Processor.
7.2 The Managing Director is responsible for ensuring that all employees receive appropriate training relating to their knowledge of Personal Data processing and their responsibilities within those processes.
7.3 All employees are responsible for ensuring that they familiarise themselves with this policy, our Data Protection Procedure and related documents.
8. Security
8.1 The Company shall ensure that all relevant technical and organisational measures are in place to protect Personal Data.
8.2 Where applicable the Company shall maintain certification to recognised security standards, independently audited by accredited certification bodies.
9. Policy benefits
• Promoting transparency and accountability and fostering a data protection culture across the organisation.
• Ensuring compliance with the GDPR and DPA.
• Ensuring employee confidence and compliance in the processing of Personal Data, being fully informed and aware of their responsibilities and obligations.
10. Compliance
10.1 Compliance with this policy is a mandatory requirement subject to disciplinary action where failure to comply is identified.
10.2 Regular audits of our Personal Data processing activities are performed to ensure continued compliance with this policy and associated processes.
10.3 All incidents and breaches shall be investigated in a timely manner in line with a formal Incident Management Process, which includes the involvement of Data Controllers and Data Processors and, where required, the Supervisory Authority and affected Data Subjects.
11. Review
This policy will be reviewed annually, following significant changes or as business reasons dictate.
Signed
Joe Cotterell
Managing Director
Date: 01/05/20