Company Policy on General Data Protection Regulation and Privacy (GDPR) May 2020
This policy applies to Technology Within Limited (“the Company”) as approved by the Board of Directors (the “Board”) on 1st May 2018.
The appointed Privacy Officer (PO) will ensure the implementation of this policy in addition to their other responsibilities.
This policy shall be distributed to all staff on its adoption, and on each occasion when it is updated. It shall be distributed to new staff when they join.
Goal of this Policy
This Policy implements organisational and reporting structures to give reasonable assurance that the Company complies with all applicable UK and European Union (“EU”) legislation on privacy, including the EU’s General Data Protection Regulation (“GDPR”), and with applicable legislation on privacy in any other jurisdictions where the Company carries out activities.
This Policy applies to all organisational units and to all permanent, temporary, and subcontracted employees.
In this Policy “Article” means the relevant Article of GDPR and “HR” means Human Resources. The “Supervisory Authority” in the UK is the ICO (“Information Commissioner’s Office”).
Section 2 – Roles and responsibilities. 4
Employees with responsibilities to manage or supervise staff 4
3.1 Maintaining the GDPR Inventory of processes, systems, and data. 5
3.2 Publishing disclosures to data subject of how their data will be used. 6
3.3 Actioning data subject requests. 6
Arrangements to support the 72-hour reporting of breaches. 7
Procedures in the event of an actual or suspected breach. 8
3.5 Change management including Data Protection Impact Assessment 9
3.6 Embedding GDPR requirements in contracts. 9
3.8 Establishing lawfulness and purpose for holding personal data. 10
3.9 Establishing a holding period for personal data and scheduling deletion. 10
3.10 Interaction with CP Holdings Limited. 10
Number and status of data subject requests and complaints. 11
Annual report to the Board of Directors. 11
Section 1 – Overview
GDPR distinguishes between a “controller” which “determines the purposes and means of the processing of personal data” and a “processor” which processes personal data only under the direct instruction of a controller. The Company is predominantly a processor in its business activities. The assumption in this Company Policy is that all of the Company’s business activity is as a processor. This assumption should be kept under review by the PO, and should be part of his or her annual report to the Board.
The Company does act as a controller in its processing of data about staff, and in some other minor activities such as maintaining details of business contacts.
Article 5 requires that that a “controller” must process personal data in line with the following principles as summarised in the bullet points below. Article 28 requires that a “processor” must make available to the controller all information to demonstrate that it ensures “the protection of the rights of the data subject” under GDPR; this will include these principles.
- Personal data must be processed lawfully, fairly, and in a transparent manner
- Data must be collected for specified and legitimate purposes and processed only for those purposes
- Data collected must be relevant and limited to what is necessary in relation to these purposes (“data minimisation”)
- Data must not be kept longer than is necessary for these purposes (unless all linkage to identifiable individuals is removed)
- Data must be accurate and, where necessary, kept up to date
- The physical, organisational, and technical control environment must ensure appropriate security of the personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Article 5 states that the controller must be able to demonstrate that processing is performed in accordance with these principles. Article 24 extends this obligation of “accountability” to cover all of the requirements of GDPR. Article 28 effectively requires the same from a processor.
This Company Policy puts in place organisational and reporting structures to provide accountability so as to give reasonable assurance of such compliance, and, in addition, to fulfil the responsibilities of the PO detailed in the Board Policy.
Section 2 – Roles and responsibilities
All staff shall comply with all aspects of GDPR and privacy legislation by applying the training they are given by the Company and by following the procedures laid down by the Company in handling data and respecting privacy. They shall inform their manager or the PO where they know or suspect a breach of GDPR has taken place and shall assist the PO as required to support the Company’s compliance with GDPR and privacy legislation.
Employees with responsibilities to manage or supervise staff
All such employees (“managers”) shall monitor that their staff are applying the requirements of GDPR and privacy legislation as above. They should also understand the general principles of GDPR through the training they are given by the Company, and shall be alert to situations where the Company may not be complying with legislation, and they shall escalate these to the PO for review.
The responsible manager in an area shall inform the PO in advance of any material change to business activities, processes, or systems which may impact privacy or GDPR compliance, and shall not implement such changes until the PO or GM gives positive consent, as defined in section 3.5.
All managers shall report data protection breaches to the PO as soon as they are detected or as soon as there is a reasonable expectation that a breach may have happened.
The Privacy Officer (PO)
The PO shall:
- Create and maintain this Company Policy, and, as appropriate, associated procedures, and shall monitor its implementation, in order to give reasonable assurance of compliance with GDPR and other privacy legislation
- Through periodic training or by other means, maintain a level of knowledge of all aspects of GDPR and other relevant privacy legislation which enables effective exercise of his/her responsibilities under this Policy
- Update this Policy whenever there is a change in relevant legislation or evidence that enhancement is needed for another reason
- Annually, review this Policy and update it as necessary, and include this review in his/her annual report to the Board as described in section 4 below
- Put in place organisational and reporting structures so that compliance with GDPR and privacy is managed, with issues identified to allow effective management intervention
- Coordinate the keeping of adequate records to demonstrate compliance with this Policy
- In particular, where the legal basis of processing is “consent”, ensure that records are maintained to give reasonable assurance that consent has been given by each data subject
- Put in place a process whereby requested exemptions to this Policy can be reviewed, to ensure that risks to the rights of data subjects are understood and justified by reasons of proportionality, and to document and approve such exemptions, or if not approved to follow up to a resolution
- Manage all communication with the Group GDPR Executive on issues regarding GDPR and privacy
- Manage all communication with the Supervisor Authority, including any reporting of breaches
- Coordinate with the Managing Director and other senior managers to ensure that all of the processes described in section 3 work effectively.
- Delete the records of unsuccessful job/role application candidates after 3 months unless the individual has waived their rights in the interest of “being kept on file” for future roles.
Managing Director (MD)
The MD shall:
- Allocate adequate resources to enable the PO and the other individuals and organisational units named in this Policy to carry out their responsibilities as defined in the Policy
- Receive periodic reporting from the PO containing Key Performance Indicators and Key Risk Indicators regarding compliance with GDPR and privacy legislation, and intervene as appropriate
- Support the PO as necessary in all processes as described in section 3. In particular:
- As per section 3.1 ensure that the Company maintains “A general description of the ‘technical and organisational security measures’ in place to meet the requirements of Article 32”. This should include documentation of measures to give assurance of IT security
- As per section 6, ensure that the PO is informed in good time of any contract being negotiated by the Company (including renewals) which might impact compliance with GDPR, and facilitate the PO being involved in negotiations to ensure that the contract maintains compliance
- Ensure that the Company’s HR processes, as necessary with the involvement of the PO, achieve the following:
- Incorporate the requirements of GDPR and privacy in role descriptions and in HR processes, including disciplinary processes
- Maintain standard role titles across the Company
- Maintain a system of assigning staff rights to access to computer systems which is aligned with the needs of the staff roles and with the requirements of GDPR
- Establish initial and annual training for GDPR and privacy for each staff member appropriate to their role.
Section 3 – Processes
3.1 Maintaining the GDPR Inventory of processes, systems, and data
The Company’s central record for GDPR is a spreadsheet (“the GDPR Inventory”) listing all processes managed and systems used, together with details of the data fields held by each system. This spreadsheet contains the following information required by Article 30:
- The purposes of the processing
- Categories of data subjects and categories of personal data
- Categories of recipients to whom the personal data are disclosed
- Any transfers of personal data to a third country
- Envisaged time limits for erasure of the different categories of data.
Of the information required by Article 30, the GDPR Inventory does not contain:
- Name and contact details of the Company. This is implicit in the Company’s core records.
- Safeguards in place for transfers of data to third countries. Section 2 above lists the responsibility of the PO to ensure that contractual safeguards are in place.
- A general description of the “technical and organisational security measures” in place to meet the requirements of Article 32. Section 2 above lists the responsibility of the Head of IT to maintain such measures.
The PO is responsible for coordinating the creation and maintenance of the GDPR Inventory, working with the relevant senior managers for each area. The PO should review the inventory with the managers to identify where the nature of processing requires internal procedures to ensure compliance with GDPR and shall work with the relevant managers to implement such procedures; the GM shall give support as necessary in this.
The Inventory should be reviewed and updated at least annually, with the PO working with all senior managers to ensure that all organisational units review the processes or systems in their area and advise corrections as necessary. The review should ensure that there is no change which has created a breach or potential breach of compliance with GDPR.
3.2 Publishing disclosures to data subject of how their data will be used
The PO shall ensure that the Company provides to data subjects all of the information required by Article 13. This is required only where the Company is a controller. Where the Company is a processor, it has no requirement to provide such disclosure directly to data subjects.
The PO shall work with the manager in charge of HR to ensure that documentation is given to staff members at the time of employment and periodically as required thereafter so that they have all disclosures required by GDPR. As required by Article 12, as far as is reasonably possible, the information shall be given in a way which is concise, transparent, intelligible, and in an easily accessible form, using clear and plain language.
3.3 Actioning data subject requests
Under GDPR, a data subject has the following rights:
- Right to access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17) also called “right to be forgotten”
- Right to restriction of processing (Article 18)
- Right to object (Article 21)
The data subject has to contact the controller; technologywithin as processor has to support the controller on the exercise of the rights if it so requests.
The PO and the manager in charge of HR shall be the contact points for any such requests. In the event of a request, they shall:
- Confirm and document that the person making the request is identified as the data subject.
- Document the request in writing including all actions taken and all communications.
- Make the specific checks and actions for each type of request as detailed in GDPR
- Maintain a log of requests made and requests executed
- If possible, complete all requests within 30 days including informing the applicant of the actions taken. Otherwise, complete the requests as soon as possible, updating the data subject on progress at least every 30 days.
3.4 Reporting of breaches
GDPR article 33 requires that a controller reports any “personal data breach” to the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The article also requires that a processor “shall notify the controller without undue delay after becoming aware of a personal data breach”. As noted above, in most business activities, the Company is a processor of data. The processor must also support the controller in resolving breaches.
There is no reference to materiality in the definition of “breach”. Compliance with GDPR involves decisions of the proportionality of benefit to cost. The Company anticipates that the cost of reporting immaterial breaches to the Supervisory Authority would not be justified by the benefit to data subjects, particularly as the Supervisory Authority itself is unlikely to be able to cope if a large number of immaterial breaches is being reported by all the controllers and processors in the country. Accordingly, this Policy establishes a materiality threshold for reporting breaches of GDPR to the Supervisory Authority as follows:
A material breach is one in which a material number of records containing personal data are revealed to an unauthorised third party or are destroyed when the records are still needed for processing.
The decision on materiality should balance:
- the need to err on the side of over-reporting rather than under-reporting
- the need for simple decision criteria for establishing materiality
- the desire to cut out reporting of trivial incidents which may overload the supervisory authorities as well as impair the capacity of Group companies to focus on material issues
- the need to maintain proportionality of operational effort
- the rights of data subjects, and therefore the need for a substantially lower threshold for materiality where the impact of the revelation or loss on the data subjects is high.
Where there is any doubt about whether a breach is material, this should be discussed at once with the Group GDPR Executive.
All staff should be aware of the need to identify breaches and potential breaches of GDPR and to escalate these immediately to the PO, either directly or by escalation through their management line.
All managers and staff shall give any support required to enable the PO and MD to exercise their responsibilities as described below.
Arrangements to support the 72-hour reporting of breaches
Because of the requirement for the controller to report breaches to the Supervisor Authority within 72 hours even if this period includes weekends or holidays, the Company needs the capacity to report breaches within this period whether it is acting as a controller or as a processor. Therefore:
- All staff shall report breaches or possible breaches immediately on discovery to both the PO and the MD.
- The PO and the MD shall each ensure that if they will not be contactable by email/phone for over 24 hours (including periods over weekends and holidays) that they appoint an alternate to receive notices of breaches or potential breaches, and circulate this to all managers. If the PO or MD is absent unexpectedly, the other shall appoint an alternate to receive notice of breaches.
The PO and MD shall escalate investigation and reporting of a breach quickly, even when this involves requiring staff to work on weekends or holidays. To enable this, they shall ensure that contact details of relevant staff are shared so as to enable contacting of people outside normal working hours for this purpose as necessary.
Procedures in the event of an actual or suspected breach
In the event of a breach or a suspected breach the PO and MD or their alternates shall:
- Work with the relevant organisational units to investigate the facts and evaluate whether the breach is material. While it is unclear whether the breach is material it shall be treated as being material.
- Treat breaches below the materiality threshold as less urgent, while still working to inform the individuals involved as soon as possible.
- Where a breach is suspected only, establish whether or not a breach has actually happened.
- Obtain a full description of the breach, including:
- Whether it involves unauthorised disclosure or giving access to personal data
- The categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The likely consequences of the breach
- Work with the appropriate staff members to determine immediate measures taken or to be taken to address the personal data breach, including, where appropriate, measures to mitigate possible adverse effects of the breach
- For breaches above the materiality threshold, inform the Group GDPR Executive immediately and (i) where the Company is a processor of the data inform the controller immediately, or (ii) where the company is a controller of the data inform the Supervisory Authority “without undue delay” and certainly within 72 hours of the breach being identified originally within the Company, giving the information required by Article 33.
- After informing the controller or Supervisory Authority of a breach, work with it to provide all information required
- If the Company is a controller of the data, work with the relevant staff to inform the data subjects of the circumstances of the breach as soon as possible, giving the information required in Article 34, except that if any of the exemptions in that Article apply then the PO may decide not to inform the data subjects
- Work with the relevant staff to identify the root cause of the data breach and to implement improved controls to prevent recurrence
- Maintain full documentation of every stage of this process.
3.5 Change management including Data Protection Impact Assessment
All organisational units shall ensure that before they engage in any new business, process, or system, or in a change in existing activities, they review to see whether this might have an impact on data protection or privacy. Where there is a potential material impact they shall inform the PO, and shall not implement the proposed change until either (i) the PO gives positive assurance that the planned implementation maintains the Company’s compliance with GDPR and privacy legislation (ii) the MD in coordination with the PO confirms that although the planned implementation does not fully meet the requirements of GDPR, the Company should proceed with it since the benefits of the change outweigh the risks to the freedom of data subjects and there is no way to reduce these risks without disproportionate cost.
When the PO is informed of a proposed change, he/she shall work with the organisational unit directly concerned and, as appropriate, with other senior managers, to evaluate if the change has been correctly planned to maintain compliance with GDPR or if there are risks of non-compliance. The evaluation shall take into account all proposed controls and mitigations. If there are risks of non-compliance, the PO shall coordinate with the MD to decide whether to approve the change as above, to investigate potential mitigation, or to stop the proposed change.
The PO shall maintain a written record of the assessment, including proof of approval by the organisational units consulted. This written record shall contain a systematic description of the proposed change, an assessment of the necessity and proportionality of the processing in relation to its purpose, an explanation of the evaluation of risks as above, and the measures envisaged to address the risks. It shall also record where the MD approves a change which does not fully comply with GDPR.
Where the PO deems necessary, the organisational unit shall carry out a review following implementation of the change to ensure that the processing is performed as planned, and shall take corrective action as required. The organisational unit shall document this review and the PO will maintain this with his/her records.
The above process meets the requirements of the data protection impact assessment described in Article 35.
3.6 Embedding GDPR requirements in contracts
The MD shall ensure that the PO is informed as early as is practical of all contracts being negotiated, including existing contracts being renewed, which meet any of the following characteristics:
- They are for the provision of IT services
- They outsource services involving the supply of workers on the premises of the Company
- They involve handling paper documents
- They seem likely to impact compliance with GDPR or privacy legislation.
The PO shall work with appropriate legal support and with all necessary operational units in order to identify the issues regarding GDPR and privacy which are relevant to each contract.
The PO shall work with the head of the organisational unit negotiating the contract to embed terms in the contract which ensure that the contract will maintain the Company’s compliance with GDPR and privacy legislation. In particular, where the contract establishes a relationship where the Company is a controller and the other party is a processor, the contract shall comply with Article 28.
The PO may seek advice from the Group GDPR Executive on negotiation of the contract.
If it is not possible to resolve all issues regarding GDPR and privacy in the negotiations, the PO shall document the situation, and shall escalate a decision on the contract to the MD.
The PO shall maintain a written record of each step of the process above.
3.7 Training staff
The PO in coordination with the person in charge of HR shall work with the MD and senior managers in order to determine the training necessary for each category of staff so as to enable them to comply with GDPR and privacy legislation.
It is expected that this will involve (i) training as part of induction for new employees and (ii) an annual refresher. There is also a need to define the training to be given to all staff ahead of the implementation of GDPR in May 2018, although the expectation is that this will be the same as the training required for new staff.
3.8 Establishing lawfulness and purpose for holding personal data
The PO shall work from the GDPR Inventory (at its initial creation and on each annual review) to ensure that there is a basis of lawfulness and a purpose identified and recorded for every process where the Company receives or stores personal data. This will require the cooperation of the relevant senior managers.
3.9 Establishing a holding period for personal data and scheduling deletion
The PO, in cooperation with the heads of organisational units, shall ensure that there is a holding period identified in the GDPR Inventory for each holding of data. Usually this will be the longer of:
- The statutory requirements for holding certain items of data, and
- The time period for which the original purpose of holding the data extends.
The PO will work with the heads of organisational units to design and have implemented periodic deletion of personal data which has been held to its life cycle as determined above.
It is recognised that organisational practicality means that in many cases, “deletion” will be achieved by over-writing data fields with nonsense characters rather than by physical deletion of records.
3.10 Interaction with CP Holdings Limited
The Board Policy recognises that the Company’s ultimate holding company, CP Holdings Limited, has appointed a Group GDPR Executive (GGE) and will create a GDPR Centre of Excellence (“COE”), and it instructs the PO to work with the GGE and COE in certain areas. In accordance with the Board Policy:
- Where the GGE instructs the use of specific templates or processes to achieve GDPR compliance, the PO shall incorporate this in this Company Policy or in the associated procedure, unless he/she considers it is inappropriate for the Company, in which case he/she shall explain the reason for non-incorporation to the GGE and in the annual report to the Board.
- The PO will escalate technical questions on GDPR to the COE.
- Where there is a GDPR breach needing reporting to the supervisory authority, the PO will advise the full circumstances immediately to the GGE.
Section 4 – Reporting
Number and status of data subject requests and complaints
The PO shall maintain a log of all requests and complaints and the resolution.
Annual report to the Board of Directors
This should give the Board an understanding of the structures in place to give reasonable assurance of compliance with GDPR and privacy legislation, together with evidence of compliance, and an overview of areas where the Company has failed to comply or where there are risks or issues. It should include:
- A copy of the latest version of this Policy together with an explanation of key changes since the previous version approved by the Board.
- A report on the main changes to the GDPR inventory over the last year.
- A summary report of the number and status of data subject requests and complaints with outcomes.
- A review of breaches of GDPR through the year, both material and immaterial, and a comment on how the materiality limit is working.
- A review of how GDPR compliance has worked through the year, highlighting any particular risks and issues and giving an overall evaluation.