General Data Protection Regulation Policy
PSP Group is committed to full compliance with the requirements of the UK General Data Protection Regulation
and DPA Act 2018, as well as any other relevant government legislation. All Company Personnel are issued with
a GDPR Manual to be aware of their obligations and duties when processing personal data on behalf of the PSP
Aims and Objectives
To ensure full compliance with the Data Protection Act 2018 and new legislation enforced from May 2018 and
to ensure the necessary resources are in place to assist staff to achieve compliance.
To issue a GDPR Manual to staff members with strict guidelines that must be followed.
To actively comply with this policy.
To familiarise themselves with and abide by any of PSP Group’s data protection compliance guidelines and best practice procedures relating to all employees and the day-to-day activities of PSP Group.
To report any concerns relating to a data protection breach to the Directors.
To ensure that staff are aware, trained and compliant regarding this policy.
An audit will be undertaken on a periodic basis as agreed with the Directors to provide reasonable assurance that the policy and procedures are working effectively and to enable risk areas to be identified and addressed.
The Directors have overall responsibility for ensuring company compliance with UK GDPR 2018. The potential consequences of breaching GDPR are serious, for PSP Group as a company as well as for individual employees. Deliberate disregard of this policy and its associated guidelines will be viewed very seriously and may be regarded as a disciplinary matter.
Signed: Name and Position: Date: Review Date:
DP01.5 Data Protection Policy
Personal data should be processed fairly, lawfully and transparently; PSP Group will use Personal Data fairly, lawfully and transparently. In any circumstance in which individuals provide PSP Group with their Personal Data for the first time, or for a new purpose, they will be informed of the identity of the Data Controller, the use to which their data will be put and whether any disclosure may be made to third parties.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes; PSP Group will only process Personal Data for the purpose(s) which the Data Subject was previously informed of and it will not be used for any other purpose that is incompatible with the original purpose(s).
Personal data shall be adequate, relevant and limited to the purpose or purposes for which they are processed; PSP Group will ensure that only the minimum Personal Data necessary for the purpose is processed and will not collect or hold data on the basis that it might be useful in the future without having a legitimate business reason for how it will be used in the present.
Personal data shall be accurate and, where necessary, kept up to date; this principle covers the integrity of Personal Data. Data will be inaccurate where it is incorrect or misleading as to any matters of fact. There must be processes in place to maintain the quality of data entry at the point data is first collected by PSP Group and to accurately amend, update or correct Personal Data.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes; business areas must ensure that Personal Data is securely destroyed once the purpose(s) for processing the Personal Data have come to an end and there is no legal requirement or valid business/operational reason for its continued retention.
Personal data shall be processed in accordance with the rights of data subjects under GDPR. These rights are to:
Gain access to their data
Seek compensation for substantial damage or distress caused by their data not being processed
Prevent their data being processed in certain circumstances
‘Opt out’ of having their data used for direct marketing at any time
Have automated decisions reconsidered.
Requests from Data Subjects to access Personal Data will be managed in accordance with PSP Group Data Privacy and Protection Policy.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. PSP Group standard contractual clauses on data protection must be used in any circumstances where processing of personal data on behalf of PSP Group is carried out by a service provider or other third party. Personal Data will be managed in accordance with PSP Group Data Privacy and Protection Policy. All staff must report any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction or loss of Personal Data directly to the Privacy and Data Protection Team within Information Governance.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The Company will comply with the restrictions in the DPA on the transfer of Personal Data outside the European Economic Area. The Privacy and Data Protection Team within Information Governance must be consulted in advance of any such transfers being undertaken or agreed.