Westcoast Signs Ltd - Data Protection Policy 2018
22.4 Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
22.5 Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted at source on the business office PC.
22.6 Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
22.7 Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using recorded delivery mail services.
22.8 All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked "confidential".
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
23.1 All electronic copies of personal data should be stored securely using passwords and data encryption;
23.2 All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
23.3 All personal data stored electronically should be backed up every 6 months with backups stored on physical or removable media or a model of data storage in which the digital data is stored in logical pools.
All backups should be encrypted using password protected encryption.
23.4 No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise, or only stored with the formal written approval of the Company's Data Protection Officer, Nigel Burke (contact details: 07971236262, firstname.lastname@example.org);
23.5 And, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and
23.6 No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
For further information on the deletion and disposal of personal data, please refer to the Company's Data Retention Policy.
Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
25.1 No personal data may be shared informally, and if an employee, agent, subcontractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the Company's Data Protection Officer, Nigel Burke, Contact 07971236262;
25.2 No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the Company's Data Protection Officer, Nigel Burke, Contact 07971236262. Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, subcontractors, or other parties at any time;
25.3 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer screen before leaving it; and
25.4 Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the Company's Data Protection Officer, Nigel Burke, Contact 07971236262, to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third party service such as the TPS.
Data Security -
The Company shall ensure that the following measures are taken with respect to IT and information security:
26.1 All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols.
26.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.
26.3 All software (including, but not limited to, applications and operating systems) shall be kept up to date. The Company's IT responsible staff shall be responsible for installing any and all security related updates not more than 1 month after the updates are made available by the publisher or manufacturer, or as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and
26.4 No software may be installed on any Company owned computer or device without the prior approval of the managing director or General Manager.
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
27.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company's responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
27.2 Only employees, agents, subcontractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
27.3 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
27.4 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
27.5 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work related matters that relate to personal data, whether in the workplace or otherwise;
27.6 Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
27.7 All personal data held by the Company shall be reviewed periodically, as set out in the Company's Data Retention Policy;
27.8 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
27.9 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
27.10 All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
27.11 Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Transferring Personal Data to a Country Outside the EEA
At the time of drafting this Policy, the Company does not share or transfer personal data outside of the EEA.
Data Breach Notification
29.1 All personal data breaches must be reported immediately to the Company's Data Protection Officer.
29.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner's Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
29.3 In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
29.4 Data breach notifications shall include the following information:
29.4.1 The categories and approximate number of data subjects concerned;
29.4.2 The categories and approximate number of personal data records concerned;
29.4.3 The name and contact details of the Company's data protection officer (or other contact point where more information can be obtained);
29.4.4 The likely consequences of the breach;
29.4.5 Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
30. Implementation of Policy
This Policy shall be deemed effective as of 24 May 2018.
No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Nigel Burke
Date: 18th May 2018
Due for Review by: 18 May 2019