TransDataBPO General Data Protection Regulation (GDPR) Policy
Contents
1 Introduction to this GDPR policy
2 Principles of Data Processing
3 Our lawful bases for processing
4 Data controllers and data processors
5 Description of our processing activities
6 The rights of data subjects
7 Our responsibilities
8 Practical Security Measures
9 Recording and reporting a data breach
1 Introduction to this GDPR policy
This GDPR policy ensures TransDataBPO:
- Complies with data protection law and follows good practice
- Protects the rights of staff, clients and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from data protection risks such as breaches of confidentiality, failure to offer choice and reputational damage
This policy applies to:
- Contractors and suppliers
- The TransDataBPO office
- All staff of TransDataBPO
- All contractors, suppliers and other people working on behalf of TransDataBPO
The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 from 25th May 2018. It applies to both data controllers and data processors, which have day-to-day responsibility for data protection.
A controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
The data subject is the individual who is the subject of the relevant personal data.
This GDPR policy will be operational from 25th May 2018 and should be next reviewed in June 2021.
2 Principles of Data Processing
GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
3 Our lawful bases for processing
Our lawful basis for processing the personal data of clients is that processing is necessary to perform or enter into the contract we have with them to undertake accounting, audit, payroll, bookkeeping and related services, as outlined in their engagement letter and the terms of business.
Our lawful basis for processing the personal data of employees is that processing is necessary to perform or enter into the employment contract we have with them. Our lawful basis for processing the personal data of employees for salaries and other benefits payments.
Our lawful basis for holding the personal data of potential employees / candidates is that we have a legitimate interest in deciding whether to recruit them. Should a candidate be unsuccessful, this legitimate interest will cease to exist and any personal data held on unsuccessful candidates must be deleted/destroyed within three months, as agreed by the directors.
We will only process personal data in relation to marketing activities if we have clear consent from the data subject.
Our policy is to hold personal data relating to company records for approximately 7 years. We may keep these records for longer than 7 years if we have a legitimate interest to do so. Payroll records will be kept for 7 years.
4 Data controllers and data processors
The GDPR applies to data controllers and data processors. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
Obligations as the data controller
When processing personal information for fulfilling the contractual obligations, TransDataBPO acts as the data controller and will therefore comply with the following obligations:
TransDataBPO is liable for its compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected
Whenever the data controller uses a data processor, it needs to have a written contract in place
The data controller must ensure written contracts between data controllers and processors comply with GDPR.
Obligations as the data processor
For some of the contractual services where TransDataBPO processes personal data on behalf of its client, the company acts as the data processor and the client acts as the data controller. TransDataBPO will therefore comply with all the obligations placed on it as the data processor under the GDPR.
5 Description of our processing activities
TransDataBPO processes personal information in order to:
- Provide contractual services
- Support and manage its employees and to process the payroll
This information may include:
- Personal details
- Family, lifestyle and social circumstances
- Goods and services
- Financial details
- Education details
- Employment details
TransDataBPO processing activities do not involve automated decision making or profiling.
6 The rights of data subjects
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Right to be informed
We are obliged to provide ‘fair processing information’, typically through a privacy notice or policy document. The information that must be supplied includes:
- Identity and contact details of the data controller
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller
- Any recipient or categories of recipients of the personal data
- Retention periods
- The rights of the data subjects
- The existence of any automated decision making and profiling
If the data is obtained directly from the data subject, the information should be provided at the time the data is obtained. If the data is not obtained directly from the data subject, the information should be provided:
- Within one month of obtaining the data
- When the first communication takes place
- Before the data is disclosed to another recipient, if disclosure to another recipient is envisaged
The information we supply individuals about the processing of personal data must be:
- Concise, transparent, intelligible and accessible
- Written in clear and plain language
- Free of charge
Right of access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
The company must provide a copy of the information free of charge. However, it can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Information must be provided without delay and at the latest within one month of receiving the request. The company will be able to extend the period of compliance by a further two months where requests are complex or numerous.
Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
A request for rectification must be responded to within one month. This can be extended by two months where the request is complex.
Right to erasure / Right to be forgotten
The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances. There are some specific circumstances where the right to erasure does not apply and the company can refuse to deal with a request.
Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the company is permitted to store the personal data, but not further process it. The company can retain just enough information about the individual to ensure that the restriction is respected in future.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The company must provide the personal data in a structured, commonly used and machine-readable form. This should enable other data controllers to use the data.
The information must be provided free of charge. The company must respond without undue delay, and within one month.
Right to object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling); and
- Processing for purposes of scientific/historical research and statistics
Rights in relation to automated decision making and profiling
The GDPR has provisions on automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
TransDataBPO confirms its processing activities do not involve automated decision making or profiling.
7 Our responsibilities
Everyone who works for or with TransDataBPO has some degree of responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. The board of directors is ultimately responsible for ensuring that TransDataBPO meets its legal obligations.
Key areas of responsibility
- The board must be kept updated about GDPR responsibilities, risks and issues
- The company must demonstrate compliance with the data protection principles and GDPR
- The company should implement appropriate technical and organisational measures to ensure and to demonstrate that processing activities are compliant with the GDPR
- All data protection procedures and related policies will be reviewed every year, as agreed by the directors
- Training and advice on data protection should be arranged for the people covered by this policy
- The data protection officer should handle data protection questions from staff and anyone else covered by this policy
- The organisation should deal with requests from individuals such as right of access or right to be forgotten
- Any third party services the organisation is considering using to store or process data should be evaluated
- Contracts with third parties and processors that may handle the company’s sensitive data should be checked and reviewed
- All systems, services and equipment used for storing data must meet acceptable security standards
- Regular checks and scans should be performed to ensure security hardware and software is functioning properly
- Data protection statements attached to communications such as emails should be approved and updated when necessary
- Marketing initiatives should abide by GDPR principles
- Adequate data protection procedures should be in place for when an employee leaves
- Following any breaches, the company should review the adequacy of its security measures
- The company should make sure individuals are aware that their data is being processed, how the data is being used and how to exercise their rights
- The company must have a lawful basis for all processing activities
- The company should make sure this policy document is made available to potential and existing clients and employees
8 Practical Security Measures
Office Building
- The building is alarmed outside of office hours
- Visitors can only enter with authorization from reception
- Employees require office keys to enter the building
- The reception area is not left unattended if there are visitors in the building
General Staff Guidelines
- Employees should keep all data secure by taking sensible precautions and following the guidelines below
- TransDataBPO will provide training to all employees to help them understand their responsibilities
- Employees should request help from the data protection officer, if they are unsure about any aspect of data protection
- The only people able to access data covered by this policy should be those who need it for their work
- Personal data should not be disclosed to unauthorized people, either within the company or externally
- Employees should only process personal data electronically from the company’s remote desktop and keep their credentials secure
- Employees must maintain their duty of confidence as outlined in their confidentiality agreements
Data Storage
- Servers containing personal data should be sited in a secure location, away from general office space
- Data should be backed up frequently and these backups should be tested regularly
- All servers and computers containing data should be protected by approved security software and a firewall
- When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones
- Employees should not save copies of personal data to their own computers or the normal desktop
- Payroll details held electronically should be password protected and payroll details held manually should be retained in files within a secure environment
- The company should keep account of the number of memory sticks in use; employees should limit how many memory sticks they use
- Personal data stored on memory sticks should be protected as much as possible
- Data stored on memory sticks should be cleared regularly
- Personal data stored or printed out on paper should be kept in a secure location where unauthorized people cannot see it
- Data printouts should be shredded and disposed of securely when no longer required
Data Use
- When working from home or at clients’ premises, or if visitors are in the office, employees should ensure computer screens are locked when left unattended
- When using clients’ laptops in the office, employees should ensure access is restricted and that the laptops are kept locked away overnight
- When using clients’ remote desktops, written consent must be given and access must be restricted
- When taking files and records containing personal data out of the office, employees should take reasonable measures to ensure the data is protected and that no unauthorized persons access the data
- Employees should be encouraged to use lockable briefcases to take clients’ personal files out of the building
Data Accuracy
- It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible
- Staff should take every opportunity to ensure data is updated; data should be updated as inaccuracies are discovered
- TransDataBPO must make it easy for data subjects to update their information that is held by the company
Emailing personal data
- Documents containing personal data should be shared between the company and clients through a secured email platform.
- Attachments to emails containing personal data should be password protected or encrypted if this is possible
9 Recording and reporting a data breach
What constitutes a personal data breach?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Recording a breach
All data breaches should be recorded internally, using the TransDataBPO Data Protection Breach Report Form. This form should be completed by the member of staff who discovered the breach together with a member of staff who has knowledge of the company’s data protection procedures, and the decision as to whether to report the breach must be signed off by the directors. Completing this form will assist the company when and if the breach is reported.
How do we decide whether to report a breach?
Each case must be considered on its own merits. Breaches that are considered by the company to be ‘serious’ should be reported to the relevant government authority.
The potential detriment to individuals is the overriding consideration in deciding whether to report a breach of security. Detriment includes emotional distress as well as both physical and financial damage. Where there is significant actual or potential detriment as a result of a breach, whether due to the volume of data, its sensitivity or the combination of the two, there should be a presumption to report.
How do we report a breach?
The company has 72 hours from the time it becomes aware of a reportable breach within which to report it. Serious breaches will be reported to the government authority by the data protection officer.
Should we notify the data subject(s) affected?
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the breach must also be reported to the affected individual(s) without undue delay.
It is the company policy that individuals will be notified of a breach in writing by the data protection officer.