We hold personal data about our employees, clients, suppliers and other individuals for a variety
of business purposes. This policy sets out how we seek to protect personal data and ensure that
staff understand the rules governing their use of personal data to which they have access in the
course of their work. In particular, this policy requires staff to ensure that the Data
Protection Officer (DPO) be consulted before any significant new data processing activity is
initiated to ensure that relevant compliance steps are addressed.
What is GDPR?
Keeping information about clients and staff confidential makes clear business sense but it is
also required by law. The EU General Data Protection Regulation (GDPR) defines the ethical
handling of personal data. Replacing legislation written before the digital age, the regulation
became EU law in 2016, enforceable from 25th May, 2018.
Business purposes: The purposes for which personal data may be used by us:
administrative, financial, regulatory, payroll and business development purposes.
Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Marketing our business
- Improving services
Personal data: Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and
- Personal data we gather may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Sensitive personal data: Personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy.
Data controller: An organization that determines the way in which personal data is processed. The controller must be able to demonstrate compliance with the principles and ensure that contracts with data processors comply with the GDPR. Each data controller must also pay a fee to the Information Commissioner’s Office.
Data processor: An organization that processes personal data, but only in accordance with the instructions of the data controller. This can include subcontractors and agents. Processors must maintain records of personal data and processing activities and will have legal liability if responsible for a breach.
Processing: Collecting, disclosing, storing, using or any other operation performed upon personal data. If you use personal data in any way, you will be “processing” it.
This policy applies to all staff. You must be familiar with this policy and comply with its
terms. This policy supplements our other policies relating to internet and email use. We may
supplement or amend this policy by additional policies and guidelines from time to time. Any new
or modified policy will be circulated to staff before being adopted.
Who is responsible for this policy?
As our Data Protection Officer, has overall responsibility for the day-to-day implementation of