GDPR.
The organisation complies with the following:
Accountability of the Organisation
The organisation is responsible for implementing appropriate technical and organisational measures to meet the requirements of accountability, and must be able to demonstrate compliance.
Scope: As the organisation has fewer than 250 employees, processing activities are documented only where the processing is not occasional, could result in a risk to the rights and freedoms of individuals, or involves special categories of data or criminal conviction and offence data.
Controllers and Processors
A controller determines the purposes and means of processing personal data. Controllers are liable for their compliance with the GDPR. A controller is not relieved of its obligations where a processor is involved; the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the GDPR. A processor is responsible for processing personal data on behalf of a controller.
Individuals' Rights regarding Personal Data
The individual has the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
Data Protection Impact Assessment
For certain listed types of processing, or any other processing that is likely to result in a high risk to individuals' interests, a DPIA is carried out.
Personal Data
'Personal Data' means any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. Personal identifiers which constitute personal data can include a name, identification number, location data or online identifier, and can reflect changes in technology and the way organisations collect information about people. This applies both to automated personal data and to manual filing systems.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
Data Collection, Processing, Identification and Security
Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes or statistical purposes is not considered incompatible with the initial purposes.
Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Data is processed lawfully, fairly and in a transparent manner in relation to individuals.
One of the following must apply whenever personal data is processed:
(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the organisation to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(f) Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals.
Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Special category data is more sensitive, and so needs more protection.
To process personal data about criminal convictions or offences there must be both a lawful basis and either legal authority or official authority for the processing.
International Transfer of Personal Data
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
Personal data may be transferred where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
This policy will be reviewed annually or earlier if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
Issue Date: 30th May 2018
Last Review Date: 30th May 2023
Next Review Date: 30th May 2024
Ref: PV 04-01
Print Date: 13th January 2023 at 3:06pm
Approved by: Joanne Woods [Director]