General Data Protection Regulation Policy
PSP Group is committed to full compliance with the requirements of UK General Data Protection Regulation
and DPA Act 2018, as well as any other relevant government legislation. All Company Personnel are issued with
a GDPR Manual to be aware of their obligations and duties when processing personal data on behalf of the PSP
Aims and Objectives
To ensure full compliance with the Data Protection Act 2018 and new legislation enforced from May 2018 and
to ensure the necessary resources are in place to assist staff to achieve compliance.
To issue a GDPR Manual to staff members with strict guidelines that must be followed.
1. To actively comply with this policy.
2. To familiarise themselves with and abide by any PSP Group data protection compliance guidelines and best
practice procedures relating to all employees and the day to day activities of PSP Group.
3. To report any concerns relating to a data protection breach to the Directors.
1. To ensure that staff are aware, trained and compliant regarding this policy.
2. An audit will be undertaken on a periodic basis as agreed with the Directors to provide reasonable
assurance that the policy and procedures are working effectively and to enable risk areas to be identified
3. The Directors have overall responsibility for ensuring company compliance with UK GDPR 2018.
The potential consequences of breaching GDPR are serious, for PSP Group as a company as well as for
individual employees. Deliberate disregard of this policy and its associated guidelines will be viewed very
seriously and may be regarded as a disciplinary matter.
Signed: Name and Position: Date: Review Date:
DP01.5 Data Protection Policy
1. Personal data should be processed fairly, lawfully and transparently; PSP Group will use Personal Data
fairly, lawfully and transparently. In any circumstance in which individuals provide PSP Group with their
Personal Data for the first time, or for a new purpose, they will be informed of the identity of the Data
Controller, the use to which their data will be put and whether any disclosure may be made to third parties.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose or those purposes; PSP Group will only process
Personal Data for the purpose(s) which the Data Subject was previously informed of and it will not be used
for any other purpose that is incompatible with the original purpose(s).
3. Personal data shall be adequate, relevant and limited to the purpose or purposes for which they are
processed; PSP Group will ensure that only the minimum Personal Data necessary for the purpose is
processed and will not collect or hold data on the basis that it might be useful in the future without having
a legitimate business reason for how it will be used in the present.
4. Personal data shall be accurate and, where necessary, kept up to date; this principle covers the integrity of
Personal Data. Data will be inaccurate where it is incorrect or misleading as to any matters of fact. There
must be processes in place to maintain the quality of data entry at the point data is first collected by PSP
Group and to accurately amend, update or correct Personal Data.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that
purpose or those purposes; Business areas must ensure that Personal Data is securely destroyed once the
purpose(s) for processing the Personal Data has come to an end and there is no legal requirement or valid
business/operational reason for its continued retention.
6. Personal data shall be processed in accordance with the rights of data subjects under GDPR. These rights are to:
• Gain access to their data
• Seek compensation for substantial damage or distress caused by their data not being processed
• Prevent their data being processed in certain circumstances
• ‘Opt out’ of having their data used for direct marketing at any time
• Have automated decisions reconsidered.
Requests from Data Subjects to access Personal Data will be managed in accordance with PSP Group Data Privacy and Protection
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or damage to, personal data. PSP
Group standard contractual clauses on data protection must be used in any circumstances where processing
of personal data on behalf of PSP Group is carried out by a service provider or other third party. Personal
Data will be managed in accordance with PSP Group Data Privacy and Protection Policy. All staff must report
any incident, or potential incident, likely to result in unauthorised disclosure, damage, destruction or loss
of Personal Data directly to the Privacy and Data Protection Team within Information Governance.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless
that country or territory ensures an adequate level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data. The company will comply with the restrictions in the
DPA on the transfer of Personal Data outside the European Economic Area. The Privacy and Data Protection
Team within Information Governance must be consulted in advance of any such transfers being undertaken