GDPR (General Data Protection Regulation) – Policy

John F White Ltd is fully committed to preparing for and, after 25 May 2018, complying with the General Data Protection Regulation (GDPR). The GDPR applies to all organisations that process data relating to their employees and potential employees, as well as to others including clients, potential clients, contractors and suppliers. It sets out principles which should be followed by those who process data, and it gives new and extended rights to those whose data is being processed.

To this end, the organisation fully endorses and adheres to the six principles of data protection, as set out in Article 5 of the GDPR.

  1. Data will be processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, John F White will:

Individual Responsibilities

Individuals, clients, contractors & suppliers are responsible for:

Data Security

John F White Ltd is responsible for ensuring that:

Disaster Recovery

  1. The organisation backs up data weekly. A monthly backup is also taken.
  2. Backups are kept off site. Any kept on site are stored in steel cabinets.
  3. Firewalls and virus checkers are kept up to date and running and users are trained in virus avoidance and detection.
  4. Computers are protected from physical harm, theft or damage, and from electrical surges using protective plugs.
  5. The organisation plans for how to deal with loss of electricity, external data links, server failure, and network problems. It uses paper forms where necessary for temporary record keeping.

Subject Consent

The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent is allowed. As required by the GDPR, the organisation takes a "granular" approach, i.e. it asks for separate consent for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent, John F White Ltd ensures that people can easily withdraw consent.

It should be noted, however, that consent is only one of the lawful bases on which data processing depends. In brief, the others include the following.

Note that the GDPR provides for special protection for children's personal data and the organisation will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16.

Subject Access

An individual, contractor, client or supplier may request details of personal information which John F White Ltd holds about him/her or the organisation under the GDPR by writing to John F White Ltd or via email requesting a copy of the information held.

If an individual, client, contractor or supplier believes that any information held on him/her or the organisation is incorrect or incomplete, then they should write to John F White Ltd as soon as possible, at the above address or via email. The organisation will promptly correct any information found to be incorrect.

Right to be forgotten

John F White Ltd recognises that individuals or organisations have the right to erasure, also known as the right to be forgotten, laid down in the GDPR. Individuals should contact John F White Ltd in writing or by email with requests for the deletion or removal of personal data. These will be acted on provided there is no compelling reason for continued processing and that the exemptions set out in the GDPR do not apply. These exemptions include where the personal data is processed for the exercise or defence of legal claims and to comply with a legal obligation for the performance of a public interest task or exercise of official authority.


This policy sets out this organisation's commitment to protecting personal data and how that commitment is implemented in respect of the collection and use of personal data.