GDPR Compliance

The hot topic for all policy and compliance aficionados: our GDPR Policy will clearly demonstrate our compliance
with all Information Commissioner’s Office requirements.

Our Aims
At Gerard Greenan Consulting Limited (GGCL) we aim to ensure that all data collected about staff, clients and third parties is collected, stored and processed in accordance with the Data Protection Act 1998.
This policy applies to all data, regardless of whether it is in paper or electronic format.
Legislation and Guidance
This policy meets the requirements of the Data Protection Act 1998, and is based on guidance published by the Information Commissioner’s Office.
Definitions
Personal data
Data from which a person can be identified, including data that, when combined with other readily available information, leads to a person being identified
Sensitive personal data such as:
•   Contact details
•   Racial or ethnic origin
•   Religious beliefs, or beliefs of a similar nature
•   Where a person is a member of a trade union
•   Physical and mental health
•   Sexual orientation
•   Whether a person has committed, or is alleged to have committed, an offence
•   Criminal convictions
Processing
Obtaining, recording or holding data
Data subject
The person whose personal data is held or processed
Data controller
A person or organisation that determines the purposes for which, and the manner in which, personal data is processed
Data processor
A person, other than an employee of the data controller, who processes the data on behalf of the data controller
Data Controller
GGCL processes personal information relating to clients, staff and, at times, third parties whose information is included as content within client projects and, therefore, is a data controller. At times we delegate the responsibility of data controller to either Gerard Greenan or Vicqui Bartrum.
Data protection principles
The Data Protection Act 1998 is based on the following data protection principles or rules for good data handling:
•   Data shall be processed fairly and lawfully
•   Personal data shall be obtained only for one or more specified and lawful purposes
•   Personal data shall be relevant and not excessive in relation to the purpose(s) for which it is processed
•   Personal data shall be accurate and, where necessary, kept up to date
•   Personal data shall not be kept for longer than is necessary for the purpose(s) for which it is processed
•   Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998
•   Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data
•   Personal data shall not be transferred to a country or territory outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Roles and responsibilities
The Managing Director has overall responsibility for ensuring that GGCL complies with its obligations under the Data Protection Act 1998.
Day-to-day responsibilities rest with Gerard Greenan, or Vicqui Bartrum in his absence. Gerard Greenan will ensure that all staff are aware of their data protection obligations, and will oversee any queries related to the storing or processing of personal data.
All designated staff at GGCL are responsible for ensuring that they collect and store any personal data in accordance with this policy. Staff must also inform GGCL of any changes to their personal data, such as a change of address.
Privacy/fair processing notice
At GGCL we process data relating to those we employ to work at, or otherwise engage to work at, our business. The purpose of processing this data is to assist in the running of the business, including to:
•   Enable the development of a comprehensive picture of the workforce and how it is deployed
•   Inform the development of recruitment and retention policies
•   Enable individuals to be paid
•   Support effective performance management
Staff personal data includes, but is not limited to, information such as:
•   Contact details
•   National Insurance numbers
•   Salary information
•   Qualifications
•   Absence data
•   Personal characteristics, including ethnic groups
•   Medical information
•   Outcomes of any disciplinary procedures
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
We will not share information about staff with third parties without consent unless the law allows us to.
Any staff member wishing to see a copy of the information about them can do so upon request.
Storage of records
Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal information are kept under lock and key when not in use.
Papers containing confidential personal information should not be left where there is general access.
Where personal information needs to be taken off site (in paper or electronic form), staff must sign it in and out from the office.
Passwords that are at least 8 characters long containing letters and numbers are used to access all computers, laptops and other electronic devices.
Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices.
Disposal of records
Personal information that is no longer needed, or has become inaccurate or out of date, is disposed of securely.
For example, we will shred or incinerate paper-based records, and overwrite electronic files.
We may also use an outside company to safely dispose of electronic records.
The General Data Protection Regulation
We acknowledge that the law on the rights of data subjects was changed by the General Data Protection Regulation in May 2018.
We reviewed our working practices when this legislation took effect and have provided training to members of staff where appropriate.
Monitoring arrangements
The Managing Director is responsible for monitoring and reviewing this policy.
The Data Protection Officer checks compliance with this policy by, among other things, reviewing all records in line with the company’s retention policy.
This document will be reviewed against the General Data Protection Regulation every 2 years.
At every review, the policy will be amended and uploaded to the company website.