1.0 Introduction and background
The purpose of this policy is to outline how McConnel Limited and its subsidiaries have established measures to maintain compliance with the EU General Data Protection Regulation.
The policy contains two components:
Section 2.0 – measures to reinforce accountability and governance measures
Section 3.0 – measures to demonstrate the protection of information rights of the data subject.
This policy is reviewed and updated annually by McConnel Limited who can be contacted via firstname.lastname@example.org.
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
In addition, there is a requirement that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2.0 Accountability and governance
This policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the General Data Protection Regulation. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
2.1 Roles and responsibilities
While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. McConnel Limited is expected to put into place comprehensive but proportionate governance measures.
1. McConnel Limited has a ‘Data Compliance Officer’ (DCO).
2. The DCO’s responsibilities include:
3. The DCO reports to the Chief Executive on a quarterly basis.
4. The Chief Executive reports to Alamo Inc annually.
5. All employees of McConnel Limited and its subsidiaries are responsible for adhering to this policy.
2.2 Documentation
The GDPR contains explicit provisions about documenting McConnel Limited’s processing activities. McConnel Limited must maintain records on several things such as processing purposes, data sharing and retention. McConnel Limited may be required to make the records available to the ICO (Information Commissioner’s Office) on request.
6. Where McConnel Limited is a controller for personal data, McConnel Limited maintains documentation in a manner consistent with Article 30(1) of the GDPR.
7. Where McConnel Limited is a processor for personal data, McConnel Limited maintains documentation in a manner consistent with Article 30(2) of the GDPR.
8. If McConnel Limited processes special category or criminal conviction and offence data, McConnel Limited documents:
9. McConnel Limited conducts regular reviews of the personal data processed and updates documentation accordingly.
2.3 Data protection by design and default
Under the GDPR, McConnel Limited has a general obligation to implement technical and organisational measures to show that it has considered and integrated data protection into processing activities.
10. McConnel Limited carries out a Data Protection Impact Assessment (‘DPIA’) when:
11. The decision of whether to conduct a DPIA is supported by a documented risk assessment and is endorsed by the Data Compliance Officer.
2.4 Lawful basis for processing
Under the GDPR, there are six available lawful bases for processing. McConnel Limited has documented the relevant lawful basis for processing and the purpose of that processing in its Information Asset Register.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever McConnel Limited processes personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
12. The lawful basis for processing must be considered and documented in line with the ‘Documentation’ section of this policy.
13. With new systems or processes, McConnel Limited must determine the lawful basis and purpose of processing before beginning processing (usually as a part of the DPIA).
14. The McConnel Limited public privacy notice includes the lawful basis for processing as well as the purposes of the processing.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
15. McConnel Limited has defined and implemented an Information Security Procedure and supporting management system to maintain effective and proportionate security.
The GDPR requires diligence and clarity in entering into third party relationships. Whether McConnel Limited is a processor or controller, there are mandatory requirements relating to the contracts that are in place.
16. Whenever McConnel Limited acts as a controller, a written contract must be in place with the processors. Standards to be applied to the contracts have been defined by the Information Commissioner’s Office.
17. Whenever McConnel Limited acts as a processor, McConnel Limited must only act on the documented instructions of a controller (as specified in a valid written contract). Standards to be applied to the contracts have been defined and are documented by the Information Commissioner’s Office.
18. On an annual basis, the DCO will review third party relationships to determine the risk posed by processing. This will be documented as a part of a DPIA.
19. Based on this assessment, the DCO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to.
20. The DCO will present this assessment, and the results of compliance visits, to the Chief Executive at least annually.
2.7 International transfers
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
McConnel Limited may transfer personal data where the organisation receiving personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for by:
21. Requests for the international transfer of data must be submitted to the DCO.
22. The DCO must record requests for international transfer received.
23. The DCO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.
2.8 Data breaches
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority. In some cases, organisations will also have to report certain types of data breach to the individuals affected.
24. The DCO must be notified of all breaches to this policy as soon as possible.
25. The DCO must record breaches and work with the information owner to consider the likely impact of the breach.
26. Where a breach is considered notifiable to the Information Commissioner, the DCO must immediately inform the Chief Executive.
27. A notifiable breach has to be reported by the DCO to the relevant supervisory authority within 72 hours of McConnel Limited and its subsidiaries becoming aware of it. The notification must contain:
28. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, McConnel Limited and its subsidiaries will notify those concerned directly.
29. The DCO must present an analysis of breaches and near misses to the Chief Executive at least annually.
30. All employees must be trained to recognise and escalate breaches.
2.9 Compliance and reporting
Monitoring compliance with the GDPR is a key role of the Data Compliance Officer (‘DCO’). The DCO must also report on compliance to the Chief Executive.
31. The DCO is responsible for developing a compliance monitoring plan for this policy.
32. The compliance monitoring plan should be submitted to the Chief Executive for approval at least annually.
33. Progress to deliver the plan, exceptions noted, breaches and near misses, and updates on progress to address material deviations from compliance with the policy must be reported by the DCO to the Chief Executive at least quarterly.
2.10 Training and awareness
Employee awareness of the GDPR, and their role to protect the privacy of data subjects, is core to McConnel Limited’s compliance programme.
34. Employees must be trained on the requirements of this policy at least annually.
3.0 Individual rights
The GDPR provides the following rights for individuals:
3.1 Right to be informed
The right to be informed encompasses McConnel Limited’s obligation to provide ‘fair processing information’, typically through a privacy notice.
35. McConnel Limited maintains a privacy notice and publishes this publicly.
3.2 Right of access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Under the GDPR, individuals will have the right to obtain:
36. All requests from subjects for access to their data should be submitted immediately to the Data Compliance Officer (DCO). The DCO must log the request and will:
37. A response to the request must be provided without delay and at the latest within 30 days of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DCO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
38. Performance against the response target of one month must be reported to the Chief Executive at least annually.
3.3 Right to rectification
The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
39. Requests for rectification must be treated in the same way as requests for access. The following, additional, measures will apply:
3.4 Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. These include:
40. McConnel Limited can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
41. Requests for erasure of data should be submitted immediately to the DCO and will follow the same principles as for right to access and right to rectification.
42. If McConnel Limited has disclosed the personal data in question to third parties, the DCO must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
3.5 Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, McConnel Limited is permitted to store the personal data, but not further process it.
McConnel Limited is required to restrict the processing of personal data in the following circumstances:
43. Requests to restrict processing will be submitted to the DCO and will follow the same principles as for right to access and right to rectification, with the following additional requirements:
The DCO must inform individuals when McConnel Limited decides to lift a restriction on processing.
3.6 Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability applies:
44. Requests for data under the right to data portability must be submitted to the DCO.
45. The DCO is responsible for recording these and requesting the information from the information owner(s).
46. The DCO will also review the data to ensure the privacy of other data subjects is not adversely impacted.
47. The DCO will provide the personal data in a structured, commonly used and machine-readable form, submitted using a secure transfer mechanism.
48. The information will be provided within one month of the original request.
49. Performance against this timescale must be reported by the DCO to the Chief Executive at least annually.
3.7 Right to object
Individuals have the right to object to:
50. Requests that object to processing must be submitted to the DCO.
51. The DCO is responsible for recording and assessing these.
52. Where instructed by the DCO, McConnel Limited must immediately stop processing the personal data unless:
53. McConnel Limited must inform individuals of their right to object “at the point of first communication” and in its privacy notice.
3.8 Rights relating to automated decision making including profiling
The GDPR has provisions on:
The GDPR has additional rules to protect individuals if an organisation is carrying out solely automated decision-making that has legal or similarly significant effects on them. McConnel Limited can only carry out this type of decision-making where the decision is:
McConnel Limited must make sure that it:
54. McConnel Limited ensures it has a lawful basis to carry out profiling and/or automated decision-making and documents this.
55. McConnel Limited sends individuals a link to its privacy statement when it has obtained their personal data indirectly. In this communication, McConnel Limited explains how people can access details of the information used to create their profile.
56. McConnel Limited informs people who provide their personal data how they can object to profiling, including profiling for marketing purposes.
57. McConnel Limited has procedures for customers to access the personal data input into the profiles so they can review and edit for any accuracy issues.
58. McConnel Limited only collects the minimum amount of data needed and has a clear retention policy for the profiles it creates.
59. The DCO regularly checks McConnel Limited systems for accuracy and bias and feeds changes back into the design process.