Data Security Policy
1. Purpose
1. Setting out the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) as they apply to the operations and activities of Evelors Limited.
2. Providing a clear and coherent framework to delineate the rights, obligations, and duties incumbent upon individuals and entities within Evelors concerning data protection and privacy.
3. Establishing a structured and organised mechanism to define, assign, and execute the various responsibilities and duties related to data protection within Evelors, ensuring accountability and compliance with relevant legislation and regulations.
2. Scope
1. This policy delineates the parameters governing the handling of personal information within Evelors. It encompasses all instances of personal information processing conducted either directly by Evelors or on its behalf. This includes, but is not limited to, personal data accessed or utilised by Evelors staff, contractors, consultants, and other relevant personnel engaged in various activities within the consultancy firm.
2. The breadth of personal data handled under this policy spans various formats, including electronic, hard copy, voice recordings, and verbal communications. For clarity on the types of data covered by this policy, refer to Section 4.
3. Legislative Guidance
1. This policy is based on guidance published by the Information Commissioner's Office (ICO), the independent regulator for data protection in the United Kingdom, on compliance with the UK General Data Protection Regulation (UK GDPR) and on good data protection practice.
2. The policy takes into account the ICO's guidance on the right of access, which sets out the procedures and obligations surrounding subject access requests. By following that guidance, Evelors Limited handles individuals' requests for their personal data transparently, accountably and fairly.
3. The policy also reflects the ICO's current code of practice on the deployment of surveillance cameras, which addresses the legal and ethical considerations involved in capturing and processing personal information through surveillance systems, so that Evelors Limited protects privacy when using such systems.
4. Definitions
Personal data – Information relating to an identified or identifiable living individual, whether the individual can be identified directly or indirectly. It includes special category data and criminal offence data. Pseudonymised data, which can be attributed to an individual only with the use of additional information, remains personal data; truly anonymised data is outside the scope of the UK GDPR. Information about deceased individuals, and data about companies or public authorities, is not personal data. Personal data may include an individual's:
– Name (including initials)
– Identification number
– Location data
– Online identifier, such as a username
– One or more factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.
Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject – The identified or identifiable living individual to whom personal data relates.
Special category data – The UK GDPR defines special category data as:
– personal data revealing racial or ethnic origin;
– personal data revealing political opinions;
– personal data revealing religious or philosophical beliefs;
– personal data revealing trade union membership;
– genetic data;
– biometric data (where used for identification purposes);
– data concerning health;
– data concerning a person’s sex life; and
– data concerning a person’s sexual orientation.
Personal data breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
5. Data Protection Principles
1. Article 5(2) of the UK GDPR requires Evelors Limited, its employees and other parties handling personal information on its behalf to comply with, and be able to demonstrate compliance with, the data protection principles in Article 5(1). These principles require that personal data shall:
– Be processed lawfully, fairly and in a transparent manner in relation to individuals.
– Be collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes.
– Be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
– Be accurate and kept up to date, with steps taken to rectify inaccuracies without delay.
– Be retained only for as long as necessary for the purposes for which they are processed.
– Be processed securely, with appropriate measures in place to prevent unauthorised access, loss, destruction, or damage.
Evelors ensures that all personal data processing is conducted in a safe, secure, ethical and transparent manner, and has procedures in place to enable data subjects to exercise their rights. Its commitments include:
– Protecting individuals’ rights regarding the processing of personal information.
– Developing, implementing, and maintaining data protection policies, procedures, and training to comply with data protection laws.
– Recording and evidencing consent at the time it is obtained.
– Implementing robust Complaints Procedures and Data Incident Reporting policies to address breaches or complaints about data protection.
– Storing and disposing of all personal information in accordance with the Information Retention policy.
– Providing individuals with concise, transparent, easily accessible information about their personal data in clear and plain language.
– Maintaining records of processing activities.
6. Roles and Responsibilities
Chief Executive Officer:
1. Designated individual responsible for overseeing the implementation of data protection policies and procedures.
2. Ensures compliance with data protection laws and regulations.
3. Acts as the point of contact for data protection queries and concerns.
4. Monitors data protection training and awareness programs for staff.
Senior Management:
1. Provides leadership and support for the implementation of data protection policies.
2. Allocates resources for the effective execution of data protection measures.
3. Approves and reviews data protection policies and procedures on a regular basis.
4. Supports the Chief Executive Officer in ensuring compliance with legal requirements.
Employees:
1. Responsible for understanding and adhering to data protection policies and procedures.
2. Ensure that personal data is handled securely and in accordance with data protection laws.
3. Report any data breaches, incidents, or concerns to the Chief Executive Officer or designated authority promptly.
4. Collect, store and process personal data in accordance with this policy.
5. Participate in data protection training and awareness programs provided by the company.
IT Department:
1. Implements technical measures to ensure the security and integrity of personal data.
2. Manages access controls and encryption mechanisms to protect sensitive information.
3. Conducts regular audits and assessments of IT systems to identify and address vulnerabilities.
4. Collaborates with the Chief Executive Officer to address data security incidents and breaches.
Human Resources Department:
1. Manages employee data and ensures compliance with data protection regulations in HR processes.
2. Implements procedures for handling and storing employee records securely.
3. Provides training and guidance to employees on data protection best practices.
4. Collaborates with the Chief Executive Officer to address data protection concerns related to employee data.
Legal Department:
1. Provides legal advice and guidance on data protection matters.
2. Reviews contracts and agreements to ensure compliance with data protection laws.
3. Assists in conducting data protection impact assessments (DPIAs) for new projects or initiatives.
4. Represents the company in legal proceedings related to data protection issues.
Data Subjects:
1. Individuals whose personal data is processed by Evelors.
2. Have the right to access, rectify and erase their personal data, together with the other rights conferred by data protection law, including the rights to restrict or object to processing and to data portability.
3. Should notify Evelors of any changes or updates to their personal information.
4. Can exercise their rights by contacting the Chief Executive Officer or designated authority.
7. Data Governance
Employee Personal Data Handling
At Evelors, we prioritise the protection of our employees' personal data. Because the imbalance of power in the employment relationship means that consent is unlikely to be freely given, our policies do not rely on consent as the sole legal basis for obtaining or processing employee personal information. Our policies have been updated to ensure that employees are fully informed about how we handle their data and why.
Privacy Notice
Our Privacy Notice describes how Evelors collects personal information and why. This information is collected to fulfil our legal, regulatory, statutory and contractual obligations, and to provide our members, international partners, customers and stakeholders with relevant information, whether about our products and services or about matters of public interest. The Privacy Notice ensures transparency in our data collection practices.
Data Storage and Retention
Information and records pertaining to data subjects are stored securely within our systems, ensuring restricted access limited to authorised personnel only. We adhere to stringent data retention policies, storing information for only as long as necessary or as mandated by applicable statutes. Proper disposal methods are employed once data is no longer required.
Data Accuracy and Maintenance
Maintaining accurate data is paramount at Evelors. We take proactive measures to ensure the information remains up to date by periodically requesting data subjects to verify the accuracy of their information and update any changes accordingly.
Audits and Monitoring
We conduct regular internal audits, independently overseen by our outsourced IT provider, to assess compliance with data protection measures. Our compliance monitoring processes are robust, ensuring that the controls in place effectively safeguard data subjects and their information in accordance with legal requirements.
8. Training and Awareness
Evelors is dedicated to fostering a culture of data protection awareness among its staff. Our staff awareness programme includes:
1. Annual refresher training sessions covering data protection, records management, information security and cyber security, delivered through both in-person and virtual group sessions.
2. Regular updates and alerts on emerging information security risks to keep employees informed.
3. Access to data protection and information security policies, procedures, checklists and supporting documents to facilitate adherence to best practices.
By prioritising ongoing training and awareness initiatives, we enable our employees to fulfil their data protection responsibilities effectively and ethically.
9. Collecting Personal Data
Evelors shall collect and process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data shall be processed lawfully, based on one or more of the following legal bases:
a) Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes. Consent must be freely given, specific, informed and unambiguous, and may be withdrawn at any time.
b) Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
c) Legal Obligation: Processing is necessary for compliance with a legal obligation to which Evelors is subject.
d) Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
e) Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Evelors.
f) Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by Evelors or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
For special categories of personal data, Evelors shall identify both a lawful basis under Article 6 of the UK GDPR and one of the conditions for processing in Article 9(2), together with any associated condition in Schedule 1 to the DPA 2018 where that condition requires it.
10. Transfers of Personal Data to Third Countries
Evelors recognises the importance of safeguarding personal data when transferring it to a country or territory outside the United Kingdom (a restricted transfer under the UK GDPR). Given our offices in the Netherlands, Switzerland and Canada, we implement the following measures:
1. Adequacy Regulations: Where the UK has made adequacy regulations covering the destination country or territory, personal data may be transferred without further safeguards. The EEA member states, Switzerland and Canada (for organisations subject to its Personal Information Protection and Electronic Documents Act) are currently covered. We keep the list of adequate destinations under review, because adequacy regulations can be amended or withdrawn.
2. Appropriate Safeguards: Where no adequacy regulations apply, Evelors puts in place a legally binding transfer mechanism with the recipient, namely the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses (SCCs), supported by a transfer risk assessment of the laws and practices of the destination country.
3. Binding Corporate Rules (BCRs): Evelors may adopt UK BCRs, internal rules for international transfers within the corporate group, subject to approval by the ICO.
4. Consent: In limited circumstances where none of the above mechanisms is available, Evelors relies on the explicit consent of the data subject to the proposed transfer, given after they have been informed of the possible risks of the transfer in the absence of adequacy regulations and appropriate safeguards.
5. Data Subject Rights: Data subjects are informed about transfers of their personal data outside the UK and about the safeguards implemented to protect their data privacy rights.
6. Ongoing Monitoring: Evelors regularly reviews the level of protection afforded in destination countries and the effectiveness of the safeguards relied upon, and promptly addresses any identified risks or concerns.
By implementing these measures, Evelors ensures that restricted transfers are conducted in accordance with the UK GDPR and that the level of protection guaranteed to data subjects is not undermined.
11. Data Protection by Design and Default
Evelors recognises the importance of embedding data protection principles into our systems, processes, and practices from the outset. Data protection by design and default ensures that privacy considerations are integrated into the development and implementation of our products, services, and operations.
Data protection by design entails incorporating privacy features into the design of systems and processes to minimise the risk of privacy breaches and enhance data security.
Data protection by default involves configuring systems and processes so that, without any action by the user, only the personal data necessary for each specific purpose is processed and the most privacy-protective settings apply.
Evelors commits to integrating data protection by design and default principles across all stages of our operations, including product development, service delivery, and internal processes.
We conduct data protection impact assessments (DPIAs) to identify and mitigate privacy risks associated with new projects, initiatives or system implementations, and in every case where processing is likely to result in a high risk to individuals.
Our development teams follow best practices for data minimisation, ensuring that only necessary personal data is collected, processed, and retained.
We implement privacy-enhancing technologies (PETs) and encryption mechanisms to safeguard personal data throughout its lifecycle.
Evelors provides training and awareness programs to educate employees about their responsibilities regarding data protection by design and default.
We regularly review and update our data protection policies, procedures, and technical measures to adapt to evolving regulatory requirements and technological advancements.
Feedback mechanisms are established to solicit input from stakeholders, including data subjects, regarding the effectiveness of our data protection measures.
Evelors promotes a culture of privacy and accountability, encouraging employees to proactively identify and report potential privacy risks or compliance gaps.
Our Chief Executive Officer is responsible for overseeing the implementation of data protection by design and default principles and ensuring compliance with relevant laws and regulations.
Regular audits and assessments are conducted to verify adherence to data protection by design and default requirements, with findings reported to senior management for review and action.
Any identified deficiencies or non-compliance issues are promptly addressed through corrective measures and process improvements.
Evelors is committed to upholding the highest standards of data protection by integrating privacy considerations into our business practices. By adopting a proactive approach to data protection by design and default, we aim to enhance trust, transparency, and accountability in our interactions with data subjects and stakeholders.