Data protection compliance and the appropriate and proportionate use of Personal Data is an increasingly significant issue for businesses. Across our business, Gracilis Ltd ("Gracilis" or "we/us/our") collect and use large volumes of Personal Data relating to our customers, employees, suppliers and other individuals whose data we process for business purposes.
We are fully committed to the protection of the data that we process, including by recognising that compliance with applicable data protection laws is a board level issue that impacts upon everyone and requires all employees to meet certain standards when handling or otherwise processing Personal Data.
We are committed to ensuring that:
This Policy is designed to help all employees, contractors and agents (collectively referred to for the purposes of this Policy as "employees") understand Gracilis' expectations about how we may use Personal Data from time to time. The Policy (and the requirements and standards described within it) applies to the use of any Personal Data within Gracilis (in whatever format that data is stored or used).
There are lots of examples of the ways in which Personal Data is used by Gracilis. We have set out a few examples below but you should think carefully about your own role and work with others in your team to understand how you process Personal Data on behalf of Gracilis:
Breaches of data protection requirements may result in enforcement action by the Information Commissioner against Gracilis and in fines being imposed of up to £18,000,000 (approximately) or 4% of our global turnover, whichever is higher. It is really important to remember that some breaches of data protection law may also be a criminal offence (e.g. deliberately taking or altering copies of personal data without appropriate authorisation). Trust and reliability are an important part of our brand – our customers need to know that we take our responsibilities seriously. As such, any breach of data protection laws or any security breach could also result in adverse publicity and significant reputational damage.
Gracilis (and its Board) takes compliance with data protection law and this Policy extremely seriously and we expect all employees to take this issue equally seriously. Any breach of this Policy will be investigated and may result in disciplinary action, including termination of employment. We want you to be able to comply with these requirements and so if you are unsure about what is required of you, what the consequences of non-compliance could be or if you have ideas about how compliance could be improved or made easier, please do talk to your line manager or Louise Whitney in the first instance.
This Policy (together with any other policies referred to in it) is an internal document and should not be shared with third parties, customers or regulators without prior authorisation from Louise Whitney (details below).
We will review this Policy regularly to make sure that we are ensuring the highest standards of protection for the Personal Data that we process across Gracilis. On that basis, it may be updated from time to time. The Policy does not form part of any contract of employment or service contract, and any changes will be communicated to you in writing from time to time.
This Policy was last updated on 11th October 2021.
If there is anything in this Policy which you do not understand or which you have any questions about, please contact Louise Whitney (whose details are set out below) for assistance.
Name: Louise Whitney
Telephone No: 01737 274848
However, if you consider that the Policy has not been followed in respect of Personal Data about you or other individuals and you wish to raise a complaint, you should raise the matter with your line manager.
Any information about a living individual which can identify that individual or otherwise allow action to be taken with respect to that individual, even if we don't know their name.
For example, names, contact details including email addresses, job title and other HR data will all obviously be personal data as well as CCTV footage, photographs and voice recordings. So will information in relation to the finances of our customers ahead of a purchase and their choices of optional extras in their new home.
Other data can qualify as "personal data" even if it would typically be seen as less obviously related to an individual, such as shift patterns, physical descriptions of people, opinions about people, location data, device related data, browsing data, online identities and so on that could all lead to that person being identifiable.
Information which does not on its own identify an individual will still be 'personal data' if it can be put together with other information which Gracilis holds or which it could fairly easily get hold of. For example, if personal data for an individual has been made 'anonymous' by Gracilis but we hold (or could easily get hold of) information which could identify that living individual, the 'anonymous' information will still be regarded as 'personal data'. True anonymisation is very difficult to achieve and you should not attempt it without support from Louise Whitney.
Personal Data about an individual which relates to their race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life, gender or criminal proceedings or convictions. The law recognises this data as being worthy of extra protection since its misuse presents a higher risk of harm to the individuals.
This covers virtually anything you can do with Personal Data, for example:
An identified or identifiable person such as an individual using our website, one of our customers or an individual contact at a supplier, or one of our employees.
An organisation (such as a business like Gracilis) that determines how and why Personal Data is collected and how and why that data is used. There can be more than one data controller for a particular dataset.
For the purposes of almost all of the Personal Data that we as a business collect and use, including HR data, customer data and supplier data, we (i.e. Gracilis) will be the data controller.
A third party (i.e. not an employee) processing Personal Data on behalf of a data controller. This could be a supplier, service provider, business partner or independent contractor/freelancer.
For example, Foot Anstey LLP would be a data processor for Gracilis on the basis that Foot Anstey LLP processes purchasers' information on behalf of Gracilis.
This is the UK Information Commissioner (and "ICO" is an abbreviation of the Information Commissioner's Office) who is responsible for implementing, overseeing and enforcing data protection laws in the UK.
Data protection law requires us to consider risks to individual data subjects' rights whenever we process Personal Data, and to proactively seek to minimise those risks. As such, and in addition to this overarching Policy, there are lots of processes and policies within the business that are relevant to the way that we use Personal Data.
As well as taking (and demonstrating) a general 'risk based' approach as described above, there are a number of broad principles that we need to comply with when processing Personal Data. We have set out an overview of these principles below, along with an explanation of what this means for Gracilis and for you in practical terms.
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation').
Fairness and transparency:
In order to make sure that our processing of Personal Data is fair and transparent, we have to give individuals information about the way that we will use their data. For example, we have to tell our employees and customers about the purposes for which we will use their data and who else might have access to it.
We typically inform customers and suppliers about the way that we use their data through our privacy notices published on our website. Employees can find out more about how we process their Personal Data in the Employee Handbook.
We are also required to make sure that we have a legal justification for using data in the way that we want to. There are various legal justifications for processing Personal Data, and all will require careful legal analysis in each case. With this in mind, it's very important that data collected for a particular purpose is only used for that same purpose, as we may not have a legal justification to use it for any other purpose.
Sometimes we may be required to get consent from individuals for certain types of processing. For example, processing Sensitive Personal Data will often require explicit consent, and most types of direct marketing are likely to require consent.
There are additional requirements in respect of Sensitive Personal Data and the purposes for which we can process Sensitive Personal Data are more limited. More information (for relevant business teams) can be obtained by speaking with Louise Whitney – Sales & Marketing Manager.
When commencing new projects we may need to carry out a data protection impact assessment (as referred to in more detail below) to ensure that our use of Personal Data is necessary and proportionate.
You should only use data that you access for the normal purposes of your job role and you should only use that data for its usual or normal purpose.
For example, we couldn't suddenly start using HR data for marketing purposes, and we couldn't start using email addresses of individual contacts at our suppliers for marketing purposes without additional consideration of appropriate legal justifications for such secondary uses of data.
If you use someone's data in a way that might not be obvious to (or expected by) the individual, then you may be breaching data protection law or infringing someone's rights. If you are ever unsure, make sure you consult with Louise Whitney – email@example.com
If you think that you have identified a new purpose for which the data could be used, you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in the way that protects the rights of the individuals concerned. In the first instance, you should consult with Louise Whitney – firstname.lastname@example.org
We should not collect Personal Data that we don't need for specific purposes. For example, we don't need information regarding an individual's religious beliefs or their political preferences, in order to discuss their house purchase (however interested we might be for other reasons).
This may seem like an obvious example, but whenever you are capturing data, you will need to think about how to ensure that you are only collecting what you specifically need for the purpose for which you will process the data.
If we need to share Personal Data with third parties, we must ensure that we only share the minimum information necessary to achieve the purpose of sharing the data.
You should use our standard input fields and data capture forms within Outlook for collecting Personal Data wherever relevant, since these have been designed to try to ensure that we only capture data that is relevant for the purpose for which we will process it.
If there is no appropriate template data capture "form" or no available pre-determined data capture fields (e.g. in relation to web analytics), you should only collect the Personal Data that is strictly relevant to what you are doing and you should, at all times, seek to "minimise" the data that we collect and process, including by considering and applying applicable retention policies and practices. You should not speculatively collect excess or additional data fields (even if you think that the additional data may be of interest to Gracilis) as we may not have a valid legal basis to do so.
We are required to implement processes and policies to ensure the 'quality' of our data and to ensure that it can be kept up to date and accurate.
Although ultimately it is our responsibility to make sure Personal Data is up to date and accurate, we will often be reliant on data subjects themselves to tell us of changes to their Personal Data. From a practical perspective it is often useful to encourage data subjects to contact us if Personal Data we hold about them becomes out of date or if they are aware of any inaccurate data we hold about them. For example, we may ask our customers to verify that their details on our systems are up to date.
If we are notified about inaccurate data (for example, a change of contact telephone number or email address), we must ensure that our records are updated promptly. It will be the responsibility of Louise Whitney to ensure that processes are in place to facilitate this.
If an individual notifies you that their Personal Data is incorrect, or that their circumstances have changed, you should ensure that our records for that individual are updated (including ensuring that all relevant datasets and records are updated, not just the dataset that you are using or working with). You will also need to ensure that applicable policies and processes are followed, e.g. processes to periodically review, cleanse, validate and update existing datasets.
We should not keep Personal Data for longer than we need it (this requires us to consider the original purpose for which the data was collected). If Personal Data is no longer required for the purposes for which it was collected, we should securely and confidentially dispose of or delete it.
You should ensure that data that is out of date, or that is no longer required for its original business purpose is deleted according to our existing documented practices and processes. You must ensure that we comply with our Data Retention Policy at all times. If you are unsure about whether or not data is still required for its original business purposes, you must speak to your line manager or Louise Whitney – email@example.com as opposed to simply retaining it without checking.
If you think that you have identified a new purpose for which the data could be used (and so you want to keep it for an extended period), you may need to work with key stakeholders to manage any risks involved and ensure that we can use the data in the way that protects the rights of the individuals concerned. In the first instance, you should consult with Louise Whitney – firstname.lastname@example.org
We need to implement processes to ensure that we keep all Personal Data secure and confidential, and that access is only granted to those people that need and have a right to access it.
Wherever we share Personal Data with service providers or suppliers (e.g. outsourced payroll, hosting or data storage), we need to ensure that we factor in the security of Personal Data that we share at the earliest stage of negotiating the relationship, and that we build appropriate protections for the data into our contracts with these suppliers and related processes.
Keep the Personal Data that we process secure and confidential (remember that your contract of employment or service contract also includes general confidentiality obligations).
There are specific standards that we require you to comply with in respect of data security set out in the Group Employee Handbook.
As a rule of thumb, you must not disclose any Personal Data to a third party supplier or customer other than in very limited circumstances. There are a number of specific conditions that can permit the disclosure of Personal Data. You should work with Louise Whitney – Sales & Marketing Manager to determine whether or not in each case it is appropriate to disclose data. You should not try to make those decisions on your own – if you are unclear, speak to Louise Whitney.
Even in circumstances where the disclosure of data may be justified:
Always speak to Louise Whitney – 01737 274848 or email email@example.com if you are unsure or need further guidance.
Being able to demonstrate accountability and good data governance has long been considered 'best practice' in respect of data protection compliance. However, applicable laws now require us to formally build these concepts into our data protection compliance framework and, accordingly, to put data protection at the heart of our business processes wherever appropriate.
Accountability requires Gracilis to be able to demonstrate that we comply with all of the principles described in section 3.1 of this Policy, above.
In practical terms, this means that we must be able to show that we take data protection rights seriously, i.e. that we have a 'top down' approach and that this is a Board level issue for us.
It also requires us to show that we have implemented strategies, policies, processes, business rules, practices, controls and so on, and that we have ensured that our employees understand what is required and are able to comply, for example by raising awareness and providing training.
We must monitor compliance with our policies and processes and take action to ensure that any issues of non-compliance are remedied by the provision of further training or other measures and we must regularly review the adequacy of our policies and processes to ensure they enable compliance with the data protection principles.
You will need to make sure that you have read and understood all Gracilis policies relevant to the use of Personal Data (including this Policy), and that you carefully follow all relevant processes and practices.
Gracilis relies on the proactive and appropriate conduct of all employees in order to be able to demonstrate 'accountability'. If you have any concerns about the way that Gracilis uses Personal Data or if you can think of ways that we could do things better, please always speak to Louise Whitney – 01737 274848 or email firstname.lastname@example.org
Data protection laws require Gracilis to put in place "comprehensive but proportionate governance measures". Best practice tools that have been championed for a long time by the Information Commissioner such as privacy impact assessments and privacy by design are now legally required in certain circumstances. Gracilis will need to:
∙ keep certain records of the Personal Data that we process;
∙ implement measures, policies and processes to show that Gracilis builds data protection into its business practices (i.e. that we adhere to the principle of "data protection by design and default" particularly when implementing a new service or engaging with a new business partner);
∙ conduct data protection impact assessments in some scenarios where data processing presents certain risks to individuals;
∙ put the rights of the individual Data Subjects at the very heart of what we do; and
∙ keep its decision not to appoint a statutory data protection officer under review.
You will need to make sure that you understand the way that data protection impacts your role, and work with your teams and Louise Whitney, to ensure that you understand how you can demonstrate good data governance in your everyday role.
More specifically, you must make sure that you have read and understood our data protection policies and that you have attended all necessary training. As set out above, if you have any concerns about the way that Gracilis uses Personal Data or if you can think of ways that we could do things better, please always speak to Louise Whitney – 01737 274848
Our arrangements with Data Processors must be documented in a written contract and that contract must include certain mandatory clauses as required by data protection laws.
We must carry out checks (including appropriate information security due diligence) before appointing any Data Processor to ensure that they are capable of providing appropriate protections for the relevant Personal Data and to ensure that their processing of the data will be compliant with applicable requirements.
Please always speak to Louise Whitney – 01737 274848 or email email@example.com for more information before appointing a third party Data Processor and before signing any Data Processor terms.
We will carry out ongoing monitoring of Data Processors to ensure compliance with Data Protection Legislation, e.g. periodic audits or reviews.
You will need to work closely with Louise Whitney (and other stakeholders such as the IT team) to ensure that the third party supplier, service provider, business partner or contractor/freelancer is capable of providing appropriate protections for Personal Data, and to ensure that any contract terms are acceptable to us before signing them. You may need to assist in carrying out a data protection impact assessment in certain circumstances and so it is important to engage with Louise Whitney and other stakeholders as early as possible when procuring services or engaging with suppliers that may act as Data Processors on Gracilis' behalf.
You will also need to understand the location of processing carried out by the supplier (see 3.5 below).
We must ensure that a central record of all data processing activities is maintained.
Any new data processing activities or changes to existing data processing activities must be recorded on the central record.
We will ensure that we regularly review the record to ensure that it is accurate and up to date.
Our central record of processing is available at 111 Bell Street, Reigate, Surrey, RH2 7LF.
If you think that you have identified a new or different purpose for which the data is or could be used, please talk to your line manager or Louise Whitney so that we can update the appropriate records.
Applicable data protection laws give individual Data Subjects various rights. It is important that you understand them and that you are able to recognise them (since you could, depending on your role, be the recipient of a request from an individual to exercise their rights). A very brief summary of the rights is set out below:
The key points to remember are that:
Some examples of international data flows that could trigger these requirements are:
The earlier in the process that these issues are raised, the easier it will be to come up with a workable solution. Speak to Louise Whitney whenever this is (or is likely to be) an issue. Remember that a "transfer" means that any processing occurs in the overseas territory, even if the data is just viewed or accessed from overseas – "transfers" are much broader than just overseas data storage.
Any employee dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:
No-one should feel that they are being bullied into disclosing personal information.
Data protection breaches and data security breaches can take a variety of forms (it is not all about cyber security or 'hacking' or phishing attempts). For example, all of the following (and many more events) would count as a data breach:
The two key points for you to be aware of are:
Clearly, we take our data protection obligations extremely seriously. One of the ways that we can ensure that we mitigate risks to the individuals whose data we have (and also mitigate compliance risks to Gracilis) is to ensure that whenever we process Personal Data, we put the individual's data protection rights at the heart of everything we do.
Data protection by design and default impacts on every team and every role within the business and having a good understanding of this Policy is a good starting point for everyone.
Essentially, applying the principle of data protection by design and default will require you to factor in and give consideration to data protection whenever you process Personal Data, and particularly when you propose to do something new with Personal Data. Data protection should not be a "bolt on" issue or an afterthought and, as such, the key practical point is to make sure that you consider these issues as soon as possible at the concept/design/proposal stages of any new business plans or processes involving Gracilis’ use of Personal Data.
A few illustrative examples of the ways that we can apply data protection by design and default are set out below:
If you have any questions or if you think that there are ways that we can do things better (i.e. if you identify a way for Gracilis to apply data protection by design and default), please speak to Louise Whitney – 01737 274848.
Louise Whitney is responsible for reviewing this Policy on an ongoing basis (and at least annually) and updating our board of directors on Gracilis' data protection responsibilities and any risks in relation to the processing of data. We will continue to review the effectiveness of this Policy to ensure it is achieving its stated objectives. If you have any concerns or suggestions, please let Louise Whitney know in the first instance.