Data Protection Policy
CONTENTS
1 PURPOSE
2 SCOPE
3 POLICY STATEMENT
3.1. Governance
3.2. Data Protection Principles
3.3. Data Collection
3.4. Data Use
3.5. Data Retention
3.6. Data Protection
3.7. Data Subject Requests
3.8. Law Enforcement Requests & Disclosures
3.9. Data Protection Training
3.10. Data Transfers
3.11. Complaints Handling
3.12. Breach Reporting
4 ROLES AND RESPONSIBILITIES
4.1 Implementation
4.2 Support, Advice and Communication
5 REVIEW
6 RECORDS MANAGEMENT
7 TERMS AND DEFINITIONS
8 RELATED LEGISLATION AND DOCUMENTS
9 FEEDBACK AND SUGGESTIONS
10 APPROVAL AND REVIEW DETAILS
1 PURPOSE
This policy establishes an effective, accountable and transparent framework for ensuring compliance with the
requirements of the GDPR.
2 SCOPE
This policy applies to all Clark and Poole Limited employees and all third parties responsible for the
processing of personal data on behalf of Clark and Poole Limited services/entities.
3 POLICY STATEMENT
Clark and Poole Limited is committed to conducting its business in accordance with all applicable data
protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of Clark and Poole Limited employees and third parties in
relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging
to a Clark and Poole Limited contact (i.e. the data subject).
Personal data is any information (including opinions and intentions) which relates to an identified or
identifiable natural person. Personal data is subject to certain legal safeguards and other regulations, which
impose restrictions on how organisations may process personal data. An organisation that handles personal
data and makes decisions about its use is known as a Data Controller. Clark and Poole Limited, as a Data
Controller, is responsible for ensuring compliance with the data protection requirements outlined in this
policy. Non-compliance may expose Clark and Poole Limited to complaints, regulatory action, fines and/or
reputational damage.
Clark and Poole Limited’s leadership is fully committed to ensuring continued and effective implementation of
this policy, and expects all Clark and Poole Limited employees and third parties to share in this commitment.
Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
3.1. Governance
3.1.1. Data Protection Officer
To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance
efforts, Clark and Poole Limited has appointed a Data Protection Officer. The Data Protection Officer
operates with independence and is supported by suitably skilled individuals granted all necessary authority.
The Data Protection Officer reports to Clark and Poole Limited’s Directors. The Data Protection Officer’s
duties include:
Informing and advising Clark and Poole Limited and its employees who carry out processing pursuant to
data protection regulations, national law or European Union based data protection provisions;
Ensuring the alignment of this policy with data protection regulations, national law or European Union
based data protection provisions;
Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
Determining the need for notifications to one or more DPAs as a result of Clark and Poole Limited’s
current or intended personal data processing activities;
Making and keeping current notifications to one or more DPAs as a result of Clark and Poole Limited’s
current or intended personal data processing activities;
The establishment and operation of a system providing prompt and appropriate responses to data
subject requests;
Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this
Policy by any third party who:
provides personal data to a Clark and Poole Limited service/entity;
receives personal data from a Clark and Poole Limited service/entity;
has access to personal data collected or processed by a Clark and Poole Limited service/entity.
To ensure that all data protection requirements are identified and addressed when designing new systems or
processes and/or when reviewing or expanding existing systems or processes, each such system or process must go
through an approval process before proceeding. Each Clark and Poole Limited service/entity must ensure
that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection
Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent
findings of the DPIA must then be submitted to the Directors for review and approval. Where applicable, the
Information Technology (IT) department, as part of its IT system and application design review process, will
cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security
of personal data.
3.1.3. Compliance Monitoring
To confirm that an adequate level of compliance is being achieved by all Clark and Poole Limited
services/entities in relation to this policy, the Data Protection Officer will carry out an annual data protection
compliance audit for all such services/entities. Each audit will, as a minimum, assess:
Compliance with policy in relation to the protection of personal data, including:
The assignment of responsibilities.
Raising awareness.
Training of employees.
The effectiveness of data protection related operational practices, including:
Data subject rights.
Personal data transfers.
Personal data incident management.
Personal data complaints handling.
The level of understanding of data protection policies and privacy notices.
The currency of data protection policies and privacy notices.
The accuracy of personal data being stored.
The conformity of data processor activities.
The adequacy of procedures for redressing poor compliance and personal data breaches.
The Data Protection Officer, in cooperation with key business stakeholders from each Clark and Poole Limited
service/entity, will devise a plan with a schedule for correcting any identified deficiencies within a
defined and reasonable time frame. Any major deficiencies and good practice identified will be
reported to, monitored and shared by the Clark and Poole Limited Directors.
3.2. Data Protection Principles
Clark and Poole Limited has adopted the following principles to govern its collection, use, retention, transfer,
disclosure and destruction of personal data:
Principle 2: Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those purposes. This means Clark
and Poole Limited must specify exactly what the personal data collected will be used for and limit the
processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation. Personal data shall be adequate, relevant and limited to what is necessary
in relation to the purposes for which they are processed. This means Clark and Poole Limited must not store
any personal data beyond what is strictly required.
Principle 4: Accuracy. Personal data shall be accurate and kept up to date. This means Clark and Poole
Limited must have in place processes for identifying and addressing out-of-date, incorrect and redundant
personal data.
Principle 5: Storage Limitation. Personal data shall be kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes for which the personal data is processed. This
means Clark and Poole Limited must, wherever possible, store personal data in a way that limits or prevents
identification of the data subject.
Principle 6: Integrity & Confidentiality. Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorised or unlawful processing,
and against accidental loss, destruction or damage. Clark and Poole Limited must use appropriate technical
and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all
times.
Principle 7: Accountability. The Data Controller shall be responsible for, and be able to demonstrate
compliance. This means Clark and Poole Limited must demonstrate that the six data protection principles
(outlined above) are met for all personal data for which it is responsible.
3.3.1. Data Sources
Personal data should be collected only from the data subject unless one of the following applies:
The nature of the business purpose necessitates collection of the personal data from other persons or
bodies.
The collection must be carried out under emergency circumstances in order to protect the vital interests
of the data subject or to prevent serious loss or injury to another person.
If personal data is collected from someone other than the data subject, the data subject must be informed of
the collection unless one of the following applies:
The data subject has received the required information by other means.
The information must remain confidential due to a professional secrecy obligation.
A national law expressly provides for the collection, processing or transfer of the personal data.
Where it has been determined that notification to a data subject is required, notification should occur
promptly, but in no case later than:
One calendar month from the first collection or recording of the personal data.
At the time of first communication, if the personal data is used for communication with the data subject.
At the time of disclosure, if the personal data is disclosed to another recipient.
3.4.1. Data Processing
Clark and Poole Limited uses the personal data of its contacts for the following broad purposes:
The general running and business administration of Clark and Poole Limited services/entities.
To provide services to Clark and Poole Limited’s stakeholders.
The ongoing administration and management of customer services.
The use of a contact’s information should always be considered from their perspective and whether the use
will be within their expectations or if they are likely to object. For example, it would clearly be within a
contact’s expectations that their details will be used by Clark and Poole Limited to respond to a contact
request for information about the products and services on offer. However, it will not be within their
reasonable expectations that Clark and Poole Limited would then provide their details to third parties for
marketing purposes.
Each Clark and Poole Limited service/entity will process personal data in accordance with all applicable laws
and applicable contractual obligations. More specifically, Clark and Poole Limited will not process personal
data unless at least one of the following requirements is met:
The data subject has given consent to the processing of their personal data for one or more specific
purposes.
Processing is necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract.
Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
Processing is necessary in order to protect the vital interests of the data subject or of another natural
person.
Processing is necessary for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the Data Controller.
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or
by a third party (except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject, in particular where the data subject is a child).
3.4.3. Children’s Data
Children under the age of 14 are unable to consent to the processing of personal data for information society
services (any service normally provided for payment, by electronic means and at the individual request of a
recipient of services). Consent must be sought from the person who holds parental responsibility over the
child. However, it should be noted that where processing is lawful under other grounds, consent need not be
obtained from the child or the holder of parental responsibility.
3.4.4. Data Quality
Each Clark and Poole Limited service/entity will adopt all necessary measures to ensure that the personal
data it collects and processes is complete and accurate in the first instance, and is updated to reflect the
current situation of the data subject. The measures adopted by Clark and Poole Limited to ensure data
quality include:
Correcting personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or
outdated, even if the data subject does not request rectification.
Keeping personal data only for the period necessary to satisfy the permitted uses or applicable statutory
retention period.
The removal of personal data if in violation of any of the data protection principles or if the personal data
is no longer required.
Restriction, rather than deletion, of personal data, insofar as:
3.4.6. Digital Marketing
As a general rule, Clark and Poole Limited will not send promotional or direct marketing material to a Clark
and Poole Limited contact through digital channels such as mobile phones, email and the Internet without
first obtaining their consent. Any Clark and Poole Limited service/entity wishing to carry out a digital
marketing campaign without obtaining prior consent from the data subject must first have it approved by the
Data Protection Officer. Where personal data processing is approved for digital marketing purposes, the data
subject must be informed at the point of first contact that they have the right to object, at any stage, to having
their data processed for such purposes. If the data subject puts forward an objection, digital marketing
related processing of their personal data must cease immediately and their details should be kept on a
suppression list with a record of their opt-out decision, rather than being completely deleted. It should be
noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal
requirement to obtain an indication of consent to carry out digital marketing to individuals, provided that they
are given the opportunity to opt out.
4.1 Implementation
The management team of each Clark and Poole Limited service/entity must ensure that all Clark and Poole
Limited employees responsible for the processing of personal data are aware of and comply with the
contents of this policy. In addition, each Clark and Poole Limited service/entity will make sure all third parties
engaged to process personal data on their behalf (i.e. their data processors) are aware of and comply with
the contents of this policy. Assurance of such compliance must be obtained from all third parties, whether
companies or individuals, prior to granting them access to personal data controlled by Clark and Poole
Limited.
6 RECORDS MANAGEMENT
Staff must maintain all records relevant to administering this policy and procedure in electronic form in a
recognised Clark and Poole Limited recordkeeping system.
All records relevant to administering this policy and procedure will be maintained for a period of 5 years.
7 TERMS AND DEFINITIONS
General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation
(EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and
the European Commission intend to strengthen and unify data protection for all individuals within the
European Union (EU). It also addresses the export of personal data outside the EU.
Data Controller: the entity that determines the purposes, conditions and means of the processing of
personal data.
Data Processor: the entity that processes data on behalf of the Data Controller.
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as
monitoring and enforcement of the data protection regulations within the Union.
Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity
is adhering to the policies and procedures set forth in the GDPR.
Data subject: a natural person whose personal data is processed by a controller or processor.
Personal data: any information related to a natural person or ‘data subject’ that can be used to directly or
indirectly identify the person.
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the
personal data that are processed and the policies in place to protect the data.
Processing: any operation performed on personal data, whether or not by automated means, including
collection, use, recording, etc.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject
behaviour.
Regulation: a binding legislative act that must be applied in its entirety across the Union.
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and
information about the personal data that a controller has concerning them.
8 RELATED LEGISLATION AND DOCUMENTS
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data
protection and privacy for all individuals within the European Union. It addresses the export of personal
data outside the EU.
9 FEEDBACK AND SUGGESTIONS
Clark and Poole Limited employees may provide feedback and suggestions about this document by emailing
the Data Protection Officer (Natalie@clarkandpoole.co.uk).