GDPR

1. POLICY STATEMENT AND PURPOSE

The purpose of this document is to provide the Company’s statement of intent on how it creates a structured and compliant data and records management system, with records being defined as necessary and non-invasive.

Copyright © 2019 | Cold Call Hire

 

This Data Protection Policy (“GDPA” or “DPA”) states the terms and conditions that govern the contractual agreement between [CUSTOMER/COMPANY] as requested from the 25th May 2018, when the Data Protection Act (DPA) was replaced with the new General Data Protection Regulation (GDPR).

 

Cold Call Hire recognises and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information, and to enable the effective management of the organisation.

This policy and related documents meet the standards and expectations set out by contractual and legal requirements of GDPA, and have been developed to meet the best practices of business records management and storage.

 

Records, including data and personal information, contain information that is a unique and invaluable resource to the Company, and are an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals such information refers to. Records are also pivotal in the documentation and evidence of all business functions and activities.

 

Effective and competent records and data management is necessary to: -

  • Ensure that the business conducts itself in a structured, efficient and accountable manner.

  • Ensure that the business thrives in the quality and flow of information, and develops a greater coordination of records and storage systems.

  • Support core business functions and provide evidence of conduct and the appropriate maintenance of associated tools, resources and outputs to clients.

  • Meet legislative, statutory and regulatory requirements.

  • Deliver services to staff and stakeholders in a consistent and professional manner.

  • Assist in document policy formation and managerial decision making.


 

2. GENERAL DATA PROTECTION REGULATION (GDPR)

The Company needs to collect personal information about the people we employ, work with and have a business relationship with, to effectively carry out our everyday business functions and activities, and to provide the products and services defined by our business type. This information can include (but is not limited to) name, address, telephone number, email address, date of birth, company/individual identification number, private and confidential information, sensitive information and bank details.

3. CONFIDENTIALITY

The Consultant shall not (i) disclose to any third party details regarding the Client’s business, including (but not limited to) any information regarding the Client’s customer information, business plans, or Confidential Information; (ii) make copies of any Confidential Information or any content contained within the Confidential Information for personal use or distribution, unless requested to do so by the Client; or (iii) use Confidential Information other than solely to benefit the Client and the business transaction.

 

4. SCOPE

This policy applies to all staff within the Company, meaning permanent, contractual, part-time, and temporary staff. It also applies to subcontractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas, and pertains to the processing of personal information. Adherence to this policy is mandatory for all staff within the Company, and non-compliance could lead to disciplinary action.

5. MODIFICATIONS

No modification of this Agreement shall be valid unless agreed upon by both Parties in advance of the modifications, and stored in writing.

6. APPLICABLE LAW

This Consulting Agreement and the interpretation of its terms shall be governed by and construed in accordance with the law and subject to the exclusive jurisdiction of the courts located in England.

 

5. OBJECTIVES

A record is information, regardless of media. It is created, received and maintained, and proves the development of, and compliance with, regulatory and lawful requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is the Company’s objective to execute the necessary records management procedures and systems to assess and manage the following processes: -

  • The creation and receiving of records and personal information

  • Compliance with legal, regulatory and contractual requirements

  • The storage of records and personal information

  • The protection of (authentic) records and personal information

  • The use of records and the information contained therein

  • Access to and disposal of records where necessary

 

The Company’s objectives and principles in relation to Data Retention are to: -

  • Access and collect essential details only, and to dispose of all confidential records when they no longer benefit the company, and aren’t required by the consultant.

  • Ensure the confidentiality, protection, and safe storage of personal information and records received from the client, and to only collect information that will benefit and prove necessary to both the client and business transaction.


 

6. RETENTION PERIOD PROTOCOLS

All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.

For all data and records obtained, used and stored within the Company, we: -

  • Carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain

  • Establish periodical reviews of data retained

  • Establish and verify retention periods for the data, with special consideration given in the below areas: -

  • The requirements of the Company

  • The type of personal data

  • The purpose of processing

  • Lawful basis for processing

  • The categories of data subjects

7. GUIDELINES AND PROCEDURES

It is our intention to ensure that all records and the information contained therein are: -

  • Accurate - records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities or practices that they document

  • Accessible - records are always made available and accessible when required (with additional security permissions for select staff where applicable to the document content)

  • Complete - records have the content, context and structure required to allow the reconstruction of the activities, practices and transactions that they document

 

8. SUSPENSION OF RECORD DISPOSAL FOR LITIGATION OR CLAIMS

If the Company is served with any legal request for records or information, any employee becomes the subject of an audit or investigation, or we are notified of the commencement of any litigation against our firm, we will suspend the disposal of any scheduled records until we are able to determine the requirement for any such records as part of a legal requirement.

 

8.1 STORAGE & ACCESS OF RECORDS AND DATA

 

8.2 EXPIRATION OF RETENTION PERIOD

Data Retention & Erasure Policy

Author: Cold Call Hire

Revision Date: 1/04/2019

Version: V1

Once a record or data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR requirements or to archive records for a further period.
 

8.3 DESTRUCTION AND DISPOSAL OF RECORDS & DATA
 

8.3(i) PAPER RECORDS

Due to the nature of our business, the Company retains paper-based personal information and, as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. The Company utilise [Onsite-Shredding or A Professional Shredding Service Provider] to dispose of all paper materials.

Employee shredding machines and confidential waste sacks are made available throughout the building and where we use a service provider for large disposals, regular collections take place to ensure that confidential data is disposed of appropriately.

 

8.3(ii) ELECTRONIC & IT RECORDS AND SYSTEMS

The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and, due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organised in conjunction with the IT Department, who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated owner to maintain an effective and up-to-date register of destroyed records.

 

8.3(iii) INTERNAL CORRESPONDENCE AND GENERAL MEMORANDA

Unless otherwise stated in this policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).

Where correspondence or memoranda do not pertain to any documents that have already been assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases or, at a maximum, after 2 years.

Examples of correspondence and routine memoranda include (but are not limited to): -

  • Internal emails

  • Meeting notes and agendas

  • General inquiries and replies

  • Mobile text messages

  • Any other social media messaging service


9. ERASURE

In specific circumstances, data subjects have the right to request that their personal data is erased; however, the Company recognise that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies: -

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

  • When the individual withdraws consent

  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing

  • The personal data was unlawfully processed

  • The personal data must be erased in order to comply with a legal obligation

  • The personal data is processed in relation to the offer of information society services to a child

Where one of the above conditions applies and the Company receives a request to erase data, we first ensure that no other legal obligation or legitimate interest applies. If we are confident that the data subject has the right to have their data erased, this is carried out by the Data Protection Officer in conjunction with any department manager and the IT team to ensure that all data relating to that individual has been erased.

These measures enable us to comply with a data subject’s right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove data that is no longer necessary, we still follow a dedicated process for erasure requests to ensure that all rights are complied with and that no data has been retained for longer than is needed.

If, for any reason, we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy. Grounds for such refusals to erase data include: -

  • Exercising the right of freedom of expression and information

  • Compliance with a legal obligation for the performance of a task carried out in the public interest

  • For reasons of public interest in the area of public health

  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

  • For the establishment, exercise or defence of legal claims



10. SPECIAL CATEGORY DATA

In accordance with GDPR requirements and Schedule 1 Part 4 of The Data Protection Bill, organisations are required to have and maintain appropriate policy documents and safeguarding measures for the retention and erasure of special categories of personal data and criminal convictions etc.

 

9. COMPLIANCE AND MONITORING

The Company are committed to ensuring the continued compliance with this policy and any associated legislation and undertake regular audits and monitoring of our records, their management, archiving and retention. Information asset owners are tasked with ensuring the continued compliance and review of records and data within their remit.

10. RESPONSIBILITIES

Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments' activities, namely to ensure that the records created, received and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this policy.

Where a DPO has been designated, they must be involved in any data retention processes, and records of all archiving and destructions must be retained. Individual employees must ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the Company's protocols.