The following outlines the General Data Protection Regulation Policy for Purley Plastics Ltd, hereinafter referred to as 'The Company'. (Compliance from 15/12/2018)
The overarching principle is that:
- All electronic data collected and/or stored by The Company is collected and stored for the sole purposes of The Company's business and an individual's relationship with The Company. This will include, but is not limited to, customer communication, internal marketing of events, notification of publications or CPD. An individual's personal data will not be shared with a third party without prior written consent.
- No member of staff or authorised contractor will share any personal data with a third party without the prior consent of the individual. This includes, but is not limited to, name, address, email address and phone details.
- All staff will sign a consent form for their business email address, phone number and associated business contact details to be circulated for the sole purposes of the company's business.
- All authorised contractors consent to allow staff to freely use their business contact details but do not agree that they are circulated to external third parties without prior consent on a case-by-case basis. Company staff are to avoid using their own personal details for business correspondence.
- From January 2018 the company will not retain any paper files of personal data, except for financial transactional data.
- The company will carry out a full IT security audit each year in collaboration with our specialist IT support contractor.
- Where financial transactional data is retained on site it will be stored in a locked filing cabinet where access is restricted to the Directors and the Financial Administrator. The data is treated as confidential and is only shared with authorised personnel. Authorised personnel include the financial administrator and accountant.
- Financial transactional data from previous financial years will be held off site for 7 years within a secured cabinet which only authorised personnel have access to.
- After their expiry, any paper records will be destroyed at least once per quarter.
- No PC or workstation shall be left unmanned without a suitable password-protected screen saver. All PCs and workstations should be closed and password protected overnight.
- All staff should use only their own login to access PCs and databases and not share their login details with others.
- In order to show compliance with the General Data Protection Regulations, all staff will carry out a one-hour training program and sign a log to agree that they understand the implications. They will also sign this policy to show they have read and understand their responsibility to personal data.
- From January 2018 the CEO, directors and financial administrator will meet quarterly to conduct a GDPR audit to ensure full compliance.
- All staff have signed a confidentiality clause as part of their contract of employment.
- On joining the company, each member of staff must be told that the company will not under any circumstances use their data for any other purpose than for processing of membership deliverables. The data will not be circulated to third parties unless members of staff give their prior written consent. This is made clear at the beginning of their employment and on every periodically circulated letter or document.
- From time to time the company is approached to circulate relevant matters on behalf of third parties. This is managed from the company's offices and the details are not circulated for any purpose. On joining the company, members of staff can opt out of third-party mailers.
- The data held by the company can only be as accurate as the information supplied to it. It is the responsibility of the individual to ensure their data is accurate.
- Once an individual's relationship with the company has become inactive, their personal data will be retained electronically for 3 years before deletion.
- An individual may at any time request the removal of their personal data by contacting firstname.lastname@example.org. It should be noted that the removal of all personal data (including email contact details) will result in the company no longer being able to carry out the processing of the information and marketing deliverables.
- An individual may at any time raise a concern by contacting email@example.com. For further details on your rights visit https://ico.org.uk/for-the-public/