General Data Protection Regulation (GDPR)
PPH Hire & Sales is committed to meeting its contractual obligations for procedures and services, to ensure compliance in controlling and processing employees’ personal data.
We ensure our partners and suppliers adhere to the GDPR standards of compliance and regulation, and that our software applications and service solutions support our customers’ GDPR compliance efforts.
Internal security and privacy policies ensure personal data is handled in accordance with the GDPR as our practices safeguard the data of all employees, who are made aware of GDPR restrictions and trained as required.
When processing data, we ensure:
- It is processed lawfully, fairly and transparently, and it is clear what the data is being used for
- It is collected for a specific purpose
- It is necessary for that purpose
- It is accurate and maintained up-to-date
- It is not kept for longer than necessary
- It is kept safe and secure
No personal data is transferred outside of the EU and special category data is only processed where necessary.
When processing information on behalf of clients, it will be subject to strict privacy controls and we will respond to their requests for deletion, rectification, anonymization and, where applicable, ‘The right to be forgotten’.
The Company will undertake a review of all its customer, supplier and third-party contracts to ensure they too adhere to the GDPR.
We are revising the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions, a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
The Company’s data breach procedures are robust and measures are in place to identify, assess, investigate and report any personal data breach at the earliest possible time.
The personal data we hold is reviewed and assessed for risks, and our Policy sets out staff responsibilities for monitoring compliance.
We have written agreements and contracts with third party service providers and processors that ensure personal data accessed and processed on our behalf is protected and secure, in line with GDPR requirements.
All staff, including self-employed and contracted employees, are made aware of their responsibilities under the GDPR, how to recognise ICT threats such as malicious e-mails and malware infection, and how to report personal data breaches. The Company’s policies and procedures are available to all staff in the “Employee Handbook”. No documents are left on printers, fax machines or photocopiers, which are switched off at close of business. Unwanted records are disposed of correctly: paper records are shredded and electronic records, when no longer in use, are erased from computers.
We have alarm systems, security lighting and CCTV.
Hardware and software, including home-based equipment, is managed by an external ICT business. Rules are set for authorising and managing mobile equipment, and an inventory helps remove unnecessary or unauthorised hardware and software.
Personal data stored on removable media is minimised, encrypted and restricted to individual devices, with each user assigned their own user name and password to ensure accountability. Passwords are regularly changed and the number of failed log-in attempts is limited. When staff change duties or leave employment, their passwords are disabled.
Anti-malware defences protect our computers from infection by regularly scanning networks to detect and prevent threats. Electronic information is routinely backed up and maintained in a secure location, inbound and outbound network traffic is monitored for unusual activity, and staff are made aware of the results.
The Company uses the latest operating systems, web browsers and applications to help prevent exploitation of unpatched vulnerabilities, and our web server is separate from the main file server to prevent an attack on our central data store. What constitutes a personal data breach is conveyed to staff, and our internal breach reporting procedure will help us decide whether to notify the ICO if individuals are affected.
The marketing department is responsible for compliance with data protection legislation and PECR, and links with key roles in the Company. Our direct marketing policies and procedures are reviewed to ensure they are fit for purpose.
Staff with marketing responsibilities are briefed on data protection when producing marketing materials such as posters, e-mails, intranet updates and newsletters, and consent is sought from customers, giving them the opportunity to select their preferred method of contact from the Company. If details are passed to third parties, their consent is requested. Existing customers’ consents are reviewed so as to comply with the GDPR. Consent records are kept of when and how consent was obtained.
On making a telephone call or for automated calls, we announce our Business, providing the Business address, telephone number and caller’s name.
Electronic marketing messages are only sent to those recipients who have ‘opted in’. When contacting previous customers, consent is obtained using the ‘soft opt-in’, after carrying out regular checks to ensure consent is still valid.
When marketing by post, our marketing mailing list is screened against the Mailing Preference Service (MPS).
When marketing by fax, the recipient will have consented to receiving faxes. Faxes include the Business name and contact address.
Those wishing to ‘opt-out’ of receiving any marketing material can do so by a one-step process. Those who consented to the ‘soft opt-in’ can ‘opt-out’ of marketing under PECR.
All personal data is kept accurate and up to date; it will change as business needs change, and data used for direct marketing is corrected or removed if it is inaccurate or out of date. Retention periods are assigned to the types of information held, and the information is destroyed securely at the end of these periods.
The accounts department liaises with other departments to co-ordinate records in line with our records policy, covering storage and maintenance or disposal of records. The Policy is reviewed to mitigate risks.
Induction training is delivered to new employees who are responsible for the creation, use, maintenance and destruction of records. Our KPIs are managed to ensure compliance assurance. Paper and electronic records are classified according to their sensitivity, retrieval and disposal requirements. All information held is audited to determine which business functions create records vital to the business, where they are kept and for how long.
Personal data is safeguarded, with processes in place to limit what is kept to what is necessary and to ensure that inaccurate or out-of-date records are removed regularly. Under the GDPR, individuals have the right to have their personal data rectified if it is inaccurate or incomplete, and data is restricted by:
- moving the data to another processing system
- making the data unavailable to users, or
- temporarily removing published data from a website
Our tracking mechanisms ensure security between different storage areas, including archived records held in an annex facility which is heated, protected against flood and fire risk, locked and entered by named personnel only, i.e., HR and Accounts personnel. No electronic records are kept offsite.
Access to personnel records is limited to authorised personnel who need them to fulfil their job function, and electronic data is regularly backed up in case of disaster or hardware failure. Retention periods are assigned to records, which are destroyed on reaching the end of their retention period.
The method of waste disposal matches the sensitivity of personal data and where it is not possible to destroy electronic records, they are ‘put beyond use’.
Under the GDPR, individuals have the right to request that we erase their personal data (“right to be forgotten”) in specific circumstances, namely:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- when the individual withdraws consent
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- the personal data was unlawfully processed (i.e., otherwise in breach of the GDPR)
- the data has to be erased in order to comply with a legal obligation
- the personal data is processed in relation to the offer of information society services to a child
Such a request may fall outside the Company’s standard destruction schedule; processes must be in place to allow any individual request to be actioned.
DATA SHARING AND SUBJECT ACCESS
The Company communicates policies, procedures and guidance to all staff, explaining how to achieve compliance with the GDPR requirements, e.g., monitoring information sharing lists and quality-assessing samples of instances of sharing. This links with a Data Protection Impact Assessment (DPIA), carried out if a process poses a high risk to the rights and freedoms of individuals. Responsibility is assigned to the Quality Officer/PA to the Director, who has received the specialist training to fulfil her role, and data protection training has been delivered to the particular staff likely to make decisions on data sharing, as set out in data protection legislation. If sharing special categories of personal data, this will satisfy the criteria under the GDPR.
The Company has data sharing agreements with a Finance Company and ICT Contractor with assurance that our business has legal authority to share personal data which complies with the GDPR. Our Data Sharing Agreement (DSA) addresses:
- the purpose(s) of sharing
- the potential or types of recipients and circumstances in which they will have access
- the data shared (kept to a minimum)
- data quality: accuracy, relevance, usability, etc.
- retention of shared data
- individuals’ rights: procedures for dealing with access requests, queries and complaints
- review of effectiveness/termination of the sharing agreement
- sanctions for failure to comply with the agreement or breaches by individual staff
Data sharing or transfer between organisations is carried out securely, e.g., using e-mail encryption. Managers approve requests for personal data, and the procedures cover how to:
- seek verification of the requester’s identity
- calculate any administrative fees (if applicable)
- find and retrieve the information requested, and comply with the timescales for response
- log the request and manage each stage of the response process
- apply derogations (if applicable)
- quality check responses
Copies of responses will be retained for audit purposes.
Trained staff know their responsibilities to identify, process and escalate requests for personal data, and review all requests, updating records to ensure they remain adequate and relevant.
The Company’s CCTV policy describes the system, which complies with legal obligations and is managed by our Security Officer. The policy identifies and documents the potential impact on individuals’ privacy when installing CCTV, and considers any cameras that may overlook private areas or workplace locations such as locker rooms or social areas.
Individuals, staff or customers who request a copy of their image are given the information without delay and at the latest within one month of receipt of the request. Careful consideration is given before disclosing images to third parties; images are not provided other than to law enforcement bodies to assist them in the detection or prevention of crime.
Our CCTV policy and procedure is communicated to staff; for example:
- all staff authorised to access cameras should be familiar with the system and with the processes for reviewing footage and extracting if required.
- all staff should be familiar with procedures for recognising and dealing with requests for personal data
- all staff should be familiar with the likely disciplinary penalties for misuse of the cameras
- where a staff member’s role explicitly includes monitoring of CCTV, the appropriate training is given and appropriate training standards followed
CCTV footage is retained for the minimum length of time necessary for its purpose, then disposed of appropriately when no longer needed. If, however, a law enforcement body investigating a crime asks for the footage to be retained, it will be retained until no longer needed and then deleted as appropriate.
Controls to include:
- a documented information retention policy for CCTV information, to ensure it is understood by those who operate the system
- measures implemented to ensure information is permanently deleted through secure methods at the end of the retention period
- systematic checks to ensure compliance with the retention period in practice
All CCTV information is protected to ensure it does not fall into the wrong hands. Security precautions include technical, organisational and physical security, including:
- protecting wireless transmission systems from interception
- restricting the ability to view or make copies of information to appropriate staff
- a secure space where footage is stored
- staff training in security procedures, and sanctions against staff who misuse surveillance system information
- established controls where the system is connected to the computer network: Internet Protocol (IP) cameras are protected by firewall and router controls, and default passwords are changed as necessary
- software updates published by the equipment’s manufacturer are applied to the system in a timely manner
- recorded CCTV footage on tapes or hard disk is protected against access by any unauthorised person, whether staff or outsider
- data collected is stored securely, via encryption or other appropriate method
Individuals are clearly informed of our CCTV use, with suitably sized signs displayed appropriately.
DATA CONTROLLERS AND DATA PROCESSORS
The principles relating to the processing of personal data apply to processors and controllers. This includes many stipulations regarding tasks, duties and liabilities on several levels.
Just as controllers must, processors must also cooperate with the supervisory authority when asked and take all measures to ensure a sufficient level of security in processing.
The Company’s appointed Data Controller will provide advice and guidance and manage various Policies and Procedures in relation to GDPR, to ensure compliance across our internal and digital processes. He/she will be responsible for appropriate data breach reporting, including internal handling, investigating and overseeing corrective work to protect against future breaches. Additionally, the DC will manage and coordinate information asset risks and build strong processes to ensure the highest level of data integrity across the Company’s systems.
The DP will be issued with a written contract to guarantee that the technical and organisational measures implemented meet all the requirements set in the GDPR and protect the data subjects’ rights. The Contract between the DP and DC will set out the subject matter, duration, nature and purpose of the processing, the type of personal data processed, the categories of data subjects, and the duties and rights of the DC. The DP will only act upon receipt of the DC’s documented instructions.
The DP will ensure that all staff processing personal data are committed to confidentiality duties or another appropriate statutory obligation of confidentiality. The DP must also guarantee that the technical and organisational measures implemented ensure a level of security appropriate to the risk, in line with the GDPR.
Unless exempted by the GDPR, the DP will maintain a register of all clients and provide the DPO with the information necessary to demonstrate compliance and allow audits and inspections by the DPO. The DP will also inform the DPO if he/she thinks the DC’s instructions infringe the GDPR or other Union or Member State data protection law.
The DP will cooperate with the Supervisory Authority in the performance of its tasks and, unless exempted, will designate in writing a representative in the EU to be addressed on all issues relating to the processing, for compliance purposes under the GDPR.