DATA PROTECTION (UK GDPR) POLICY AND PROCEDURE
POLICY STATEMENT
Dynamite Lifestyle (the Company) has an obligation to protect its information assets and, in particular, the information relating to its employees, clients, and other individuals in whatever form that information is held. The Company is responsible for ensuring that Personal Data is properly safeguarded and processed in accordance with the United Kingdom General Data Protection Regulations (UK GDPR) and the Data Protection Act (2018). The purpose of this policy is to set out the standards of how the company handles Personal Data, whether held electronically or manually.
The Company is registered as a Data Controller with the Information Commissioner’s Office (ICO) on an annual basis.
The Company’s functions require us to process personal data to deliver our business operations, to administer contracts with our employees, contractors, consultants, and suppliers, and to comply with our legal obligations (for example, disclosing employees’ salaries to HMRC).
Full details of what Personal Data we process, our lawful basis for processing, and what personal data is shared with third parties are set out in the Company’s Privacy Notices.
SCOPE
This policy sets out what the company expects of all its employees, contractors, consultants, delegates, and directors in order to comply with Data Protection legislation.
DEFINITIONS
Please refer to Appendix 1 for a Glossary of Terms and Definitions.
PROCEDURE FOR IMPLEMENTATION
- The Chief Executive of Dynamite Lifestyle is responsible for endorsing and supporting efforts to raise the profile of Data Protection Legislation within the Company and has ultimate responsibility for ensuring that the Company complies with Data Protection Legislation.
- The Company will:
  - Inform and advise its employees about their obligations to comply with the UK GDPR and other data protection laws.
  - Monitor compliance with the UK GDPR and other data protection laws.
  - Co-operate with the supervisory authority, the Information Commissioner’s Office (ICO).
  - Ensure its employees are kept informed of legislative changes and that relevant amendments are implemented in the Company’s processes.
  - Ensure that the Company Policy, guidelines, and security measures are appropriate and up to date for the types of data being processed.
- All staff, workers, contractors, consultants, delegates, and directors (collectively referred to as Staff) are responsible for working in compliance with Data Protection Legislation and the conditions set out in this policy.
- Throughout the course of working with the Company, staff will have access to various extracts of Personal Data pertaining to Staff/clients, depending on the nature of their role.
- Staff must ensure that they:
  - adhere to all Data Protection related policies and procedures to ensure the confidentiality, integrity, and availability of personal data.
  - complete any required training on UK GDPR and keep up to date with information on new policies and procedures as they become operational.
  - comply with this policy. Any breach of this Data Protection Policy may lead to disciplinary action being taken, access to Company information facilities being withdrawn, or, in serious cases, criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up initially with the Chief Executive.
  - familiarise themselves with, and comply with, all published policies and procedures.
- As Data Subjects, all employees, workers, contractors, consultants, delegates, and directors are responsible for:
  - ensuring that any personal information they provide to the Company in connection with their employment, registration or other contractual agreement is accurate.
  - informing the Company of any changes to any personal information which they have provided, e.g., changes of address and bank details.
  - responding to requests to check the accuracy of the personal information held on them and processed by the Company, and informing the Company of any errors or changes to be made.
- The Company cannot be held responsible for any errors unless the data subject has informed the Company of the changes.
DATA PROTECTION PRINCIPLES
- The Company adheres to the six principles (Article 5(1)) relating to the processing of Personal Data set out in the UK GDPR and the Data Protection Act 2018, which require Personal Data to be:
  - Processed lawfully, fairly and in a transparent manner in relation to the data subject – (Lawfulness, Fairness and Transparency).
  - Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes – (Purpose Limitation).
  - Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed – (Data Minimisation).
  - Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay – (Accuracy).
  - Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject – (Storage Limitation).
  - Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures – (Integrity and Confidentiality).
- Article 5(2) of the UK GDPR requires that:
The controller shall be responsible for and be able to demonstrate compliance with the Data Protection Principles listed above.
- Please refer to Appendix 2 for details on the UK GDPR Principles.
LAWFUL BASIS FOR PROCESSING PERSONAL DATA
You may only collect, process and share Personal Data fairly and lawfully and for specified purposes.
- The Company will ensure all processing is based on one or more of the following lawful bases:
  - Consent: the Data Subject has given clear consent to the processing of their personal data for a specific purpose.
  - Contract: the processing is necessary for the purposes of a contract with the Data Subject, or with a view to entering into a contract.
  - Legal obligation: the processing is necessary to comply with legislation (not including contractual obligations).
  - Vital interests: the processing is necessary to protect someone’s life.
  - Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  - Legitimate interests: the processing is necessary for the Company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
LAWFUL BASIS FOR PROCESSING SPECIAL CATEGORY DATA
Special Category data is personal data that requires more protection because it is sensitive. This data will only be processed where:
- explicit consent is given – consent which can be demonstrated.
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
- processing is carried out in the course of its legitimate activities with appropriate safeguards.
- processing relates to personal data, which are manifestly made public by the data subject.
- processing is necessary for the establishment, exercise, or defence of legal claims.
- processing is necessary for reasons of substantial public interest.
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- processing is necessary for reasons of public interest in the area of public health.
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
INDIVIDUAL RIGHTS
Data Protection Legislation provides the following rights for individuals, to which the Company will respond within the provisions of the law. These rights are not absolute.
- The right to receive certain information about our Processing activities.
- The right of access to Personal Data.
- The right to rectification of inaccurate or incomplete data.
- The right to ask us to erase their Personal Data if it is no longer necessary in relation to the purposes for which it was collected or processed.
- The right to restrict processing in certain specific circumstances.
- The right to data portability in certain specific circumstances.
- The right to object in certain specific circumstances (for example, to us processing their Personal Data for direct marketing purposes).
- Rights in relation to automated decision-making and profiling.
- The right to withdraw consent.
- The right to complain to the Information Commissioner’s Office (ICO).
- All requests made in relation to the rights listed above should immediately be forwarded to the Chief Executive, who will provide advice and assistance on responding to this request.
CONTRACTS
Data Controllers and Data Processors are both liable in the event of a data breach; therefore, individuals and departments who enter into a contract with a third-party data processor are responsible for ensuring that all processing of personal data carried out on behalf of the Company is done in compliance with this policy.
CONSENT
Data Subjects are able to withdraw consent; therefore, it is the Company Policy that consent should only be relied on as the lawful basis for processing in exceptional circumstances. Where the Company relies on consent as a condition for processing, it will:
- Ensure the consent is clear and unambiguous (e.g., no pre-ticked opt-in boxes).
- Place consent declarations separately from other terms and conditions.
- Provide clear and easy ways for data subjects to withdraw consent at any time, including contact details of a responsible owner.
- Act on withdrawals of consent as soon as possible.
- Retain records of consent and withdrawals of consent throughout the lifetime of the data processing.
- Ensure consent is the appropriate lawful basis for the processing in question.
- Ensure that the way consent is obtained meets the requirements of the UK GDPR.
- Ensure full transparency towards the data subjects.
DISCLOSURES TO THIRD PARTIES
- Personal Data will not be shared with third parties unless certain safeguards or contractual arrangements are in place or where there is a legal or statutory obligation to disclose.
- In dealing with a request, the Company will be sensitive to, and give proper consideration to, the data subjects’ rights and privacy in relation to any third-party information contained in the response. Personal data will only be disclosed to a third party where a lawful basis exists.
- Special Category personal data will only be disclosed where a lawful basis specific to Special Category data, as defined by Data Protection Legislation, is met.
- Personal data will only be disclosed outside of the EEA (the EU Member States together with Iceland, Liechtenstein and Norway) where additional conditions as defined by Data Protection Legislation are met.
DISCLOSURES TO THE POLICE
In certain circumstances, the Company may be required to disclose Personal Data to the police for the purposes of the prevention or detection of crime, or the apprehension or prosecution of offenders.
DATA BREACH
- In the event of an actual, suspected, or potential breach, the Company will take immediate action to secure the information and mitigate any further or possible compromise of data.
- If a data security breach occurs, the Company will respond to and manage the breach effectively by means of a five-part process:
  - Reporting a Breach
  - Containment and Recovery
  - Assessing the Risks
  - Notification of Breaches
  - Evaluation and Response
- If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately and without delay, contact the Chief Executive. You should preserve all evidence relating to the potential Personal Data Breach.
- Suspected or confirmed breaches which may cause damage or distress to data subjects must be reported by the Company to the ICO within 72 hours of the Company becoming aware of them. In the event of a sufficiently serious data breach, the Company will notify the public without undue delay.
APPENDIX 1
Glossary of Terms and Definitions
Consent
- any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.
Data Breach
- a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Data Controller
- the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor
- a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Subject
- an individual who is the subject of personal data.
Information Asset
- a body of information that is defined and managed as a single unit so that it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content, and lifecycles.
Information Commissioner’s Office (ICO)
- The ICO is the supervisory and regulatory authority responsible for upholding individuals' rights and ensuring all Data Controllers process personal data within the provisions of the legislation. The ICO contact details are Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone 0303123113 or 01625545745.
Personal Data
- any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Process, Processing and Processed
- any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Special Category Data
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Third-Party
- a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
APPENDIX 2
UK GDPR Principles
Article 5(1) of the UK GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject – (Lawfulness, Fairness and Transparency).
The first UK GDPR principle states that personal data must be processed fairly and lawfully. As a means of demonstrating fairness, the Company will actively communicate its processing activities to data subjects. This will be visible by means of Privacy Notices, Privacy Impact Assessments (PIAs), website information and information updates if there is an unforeseen change to how we use personal data. Communications will be concise, easily accessible and written in clear and plain language. This commitment will be compliant with Articles 13 and 14 of the UK GDPR.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes – (Purpose limitation).
The second principle of the UK GDPR signifies the Company’s responsibility to use information only for the purposes for which it was provided.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – (Data Minimisation).
The third principle of the UK GDPR means the Company will not ask for more information than is necessary to conduct its overall business and meet its statutory obligations. The Company may process personal data for public interest purposes, or for scientific, historical, research or statistical purposes; however, consideration will be given to safeguarding the rights and freedoms of the data subjects.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay – (Accuracy).
The fourth Principle places responsibility on the Company to ensure the integrity and accuracy of its data. Employees must ensure a high level of accuracy when inputting personal data onto any system. Data is only valuable and decisions accurate where the information is correct and up to date. Each data subject has a responsibility to inform the Company of any changes to their personal information for records to be updated. The Company cannot be held accountable if it receives data which is inaccurate.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject – (Storage Limitation).
The fifth principle relates to storage limitation and the Company’s responsibility to archive or dispose of data in line with this principle. The Company will not keep information for longer than is necessary, with the exception of public interest purposes or scientific, historical, research or statistical purposes. Personal Data that is no longer needed for its specified purposes should be deleted or anonymised.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures - (Integrity and Confidentiality).
The sixth principle places responsibility on all employees, workers, contractors, consultants, delegates, directors, and any third parties authorised to access the Company’s personal data sets to ensure that those data, whether held electronically or manually, are kept secure and not disclosed or processed unlawfully, in accordance with UK GDPR.
Article 5(2) of the UK GDPR requires that:
- The controller shall be responsible for and be able to demonstrate compliance with the data protection principles listed above.
The Company will demonstrate compliance with the above principles by means of both appropriate organisational and technical measures. These measures may include relevant policies and standard operating procedures and Privacy Notices.