GDPR Compliance Project
This document outlines some of the steps that we have or will be taking in order to comply with the EU General Data Protection Regulation (“GDPR”).
Working towards GDPR compliance
We take privacy and data protection seriously. As part of our commitment to protect the personal information of our customers, suppliers and other persons with whom we interact, we have been actively preparing for GDPR since late 2017.
Our preparations have involved a significant amount of activity by individuals and teams within our organisation. Our group of companies has established a Data Governance Authority, which is tasked with ensuring our compliance. Helyx is represented and participates fully as a member of this team. Examples of the group’s GDPR compliance activities to date include:
- Instruction of external consultancy specialists for a ‘Gap Analysis’
- Selected staff attending external GDPR workshops and conferences
- Completing and passing GDPR Practitioner Course and the IBITGQ EU GDPR exam
- GDPR Foundation course training for specifically identified staff
- Data mapping exercise: documenting personal data flows within the organisation
- The Data Governance Authority meets weekly to plan and coordinate our compliance work on GDPR
- Communication of GDPR requirements to relevant individuals and teams within our organisation
Training and awareness
We are putting in place measures to ensure that individuals and teams within our organisation are appropriately trained and aware of GDPR, including the changes we are making to internal policies, processes, procedures and terms and conditions.
Policy, process and procedure review
The Data Governance Authority is reviewing all appropriate policies, processes and procedures. Key examples of these are listed in ‘Personal Data Procedures and Work Instructions’ below. Helyx continues to revise its policies, processes and procedures in accordance with the recommendations of the Digital Governance Authority.
Terms and conditions review
We are reviewing and updating our terms and conditions to ensure that GDPR contractual requirements are included in contracts between us and our customers, suppliers and subcontractors.
Data Protection Officer
Our organisation is not required to have a Data Protection Officer (DPO) & However, we do place considerable importance on data security and privacy and our Management Team has joint responsibility for ensuring that the recommendations of the Data Governance Authority are fully implemented.
Information Security
The importance we place on data security and privacy can be seen in our certifications. Helyx is certified as Cyber Essentials Plus compliant & This ensures a well-established approach to ‘Security by Design and Default’ which underpins our approach to the security aspects of GDPR.
Personal Data Protection Policy
Introduction – our commitment
We are committed to ensuring that all personal data is collected, stored, processed and used (together “processed”) responsibly, fairly and in compliance with all applicable personal data protection laws, including the General Data Protection Regulation (“GDPR”) (“Data Protection Laws”).
Why is this policy important?
This policy sets out the processes, policies and procedures that we adhere to in order to meet our commitment. Together these measures enable us to:
- Comply with Data Protection Laws
- Ensure that personal data will only be processed in accordance with the Data Protection Laws
- Be reasonable and fair to all individuals
Scope
This policy applies to all of our personal data processing functions. It applies to our personnel (employees and in-house contractors), and to our subcontractors and suppliers.
Responsibilities and roles: our personnel
Helyx Management Team is responsible for developing and encouraging robust information handling practices within our organisation. The Management Team is responsible for compliance with Data Protection Laws & Any breach of this Policy by our personnel will be dealt with under our internal disciplinary policy.
Responsibilities: our subcontractors and suppliers
We expect our subcontractors and suppliers to comply with all Data Protection Laws and, where applicable, to comply with this policy together with any other related policies, measures or instructions that we provide.As our subcontractor or supplier, you must protect all personal data, and must ensure that it is only used for the purpose for which it was provided in accordance with our instructions. Your obligations to us include:
- Implementing and maintaining appropriate technical and organisational measures so that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
- Obtaining our prior written authorisation if you intend to engage another processor, and to notify us of any changes relating to additional or replacement processors.
- Obtaining our prior written authorisation if you need to transfer the personal data to a third country or international organisation. Such written authorisation will be subject to the third country /international organisation benefiting from an adequacy decision by the EU Commission or the presence of approved appropriate safeguards.
- Processing the personal data in accordance with the contractual terms between us. These will include:
- Details such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and our respective obligations and rights.
- Obligations that you will: process the personal data only on our documented instructions; ensure that any person processing the personal data is subject to obligations of confidentiality; implement all appropriate technical and organisational measures; assist us in responding to requests relating to the exercise of data subject’s rights; delete or return all the personal data to us after the end of the provision of services relating to the processing, and delete existing copies unless EU or UK law requires storage of the personal data; and provide all information necessary to demonstrate your compliance with the contractual terms, including allowing for and contributing to audits or inspections conducted by us or our appointed auditor.
- Notifying us immediately of any suspected or actual data breaches, or loss of personal data; and assisting us in investigating and resolving such.
GDPR Data Protection Principles
The policy is based on the following principles:
- We will only process personal data for the purpose for which it was provided
- We will not pass personal data to third parties without the legal right to do so
- We will implement appropriate procedures, processes and controls to protect personal data
Our processing of personal data will be conducted in accordance with the data protection principles:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specific, explicit and legitimate purposes
- Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal data must be processed in a manner that ensures the appropriate security
- The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
Personal Data Procedures and Work Instructions
We will demonstrate compliance with the data protection principles by implementing data protection policies, technical and organisational measures, as well as adopting techniques such as data protection by design, breach notification procedures and incident response plans. A list of our related relevant policies, procedures and work instructions is provided below.
Personal Data Protection Principle and their Relevant Policies, Procedures and Work Instructions…
Personal data must be processed lawfully, fairly and transparently.
- DPIA Assessment Procedure
- DPIA Inventory
- Privacy Notice
- Consent Procedure
- Consent Withdrawal Procedure
- Data Transfers ProcedureData Processing Sub-Contractor Procedure
- External Parties – Information Security Procedure
Personal data can only be collected for specific, explicit and legitimate purposes
- Data Protection Policy
Personal data must be adequate, relevant and limited to what is necessary for processing
- DPIA Assessment Procedure
- DPIA Inventory
- DPIA Review
- Privacy Notice
Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.
- DPIA Assessment Procedure
- DPIA Inventory
- Subject Access Request
- Rectification procedure
- Data Retention Policy
- Data Retention Review
- Data Deletion
- Data Retention Policy
- Data Retention Review
- Data Deletion
- Relevant sections of ISO 27001
- Data Breach Notification Procedure
- Data Breach Communication Procedure
- GDPR Compliance internal audits