GDPR Data Protection Policy for Chartwell Recruitment Ltd
The “data processors” collects and stores personal. This can include; Customers, suppliers, business contacts, employees and other organisations the business may have a relationship with. This policy sets out how personal data must be collected, handled and stored to ensure compliance with data protection and to comply with law
PURPOSE OF THE POLICY
The data protection policy exists to ensure The Company:
Complies with data protection law and follow good practice
Protects the rights of staff, customers and partners
Is transparent about how it gains, stores and processes personal data
Protects itself against data breaches external and internal
DATA PROTECTION LAW
The data protection act 1998 describes how organisations including The Company must collect, store and process personal information.
Personal information must be processed lawfully, fairly and in an open, transparent manner.
Personal information must be collected for genuine and legitimate reason, unless this is outweighed by harm to the individual’s rights and interests and not in relation to any other purposes considered to be incompatible with the initial purpose
Accurate, relevant and up to date
Not held for any period longer than stated
Be processed in line the rights of the “data subject”
Stored safely and securely to prevent data breaches
Personal data will not be passed to any third party without the full, explicit consent of the “data subject”
THE RIGHTS OF A DATA SUBJECT
A data subject has a number of rights in relation to the storing and processing of their personal information by a “data processor”
To object to personal data being store
Request access to personal data (SAR) – All SAR must be forwarded in writing to the Director
Erasure or rectification of personal information
Right to restrict or object to the processing of personal information
Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease processing
TYPES OF PERSONAL DATA WE MAY COLLECT AND PROCESS
Residential telephone and/or mobile numbers
Any such other similar personal data, in each case, as above for the legitimate purpose of the Company fulfilling its business as, primarily, a recruitment company
DATA PROTECTION SECURITY
The Company shall ensure that all its employees, agents, contractors, or other parties working on its behalf comply with the following when working with personal data
All emails containing personal data are encrypted;
Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, or other parties at any time;
Computer screens must be locked at all times when not in use
Systems and software containing personal data are stored on a secure network server
All electronic copies of personal data should be stored securely using passwords. All passwords used to protect personal data shall not be disclosed
DATA BREACH NOTIFICATION
The following actions must be taken in the event of a data breach
Data breaches must be reported immediately to the data protection officer in writing
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of Data subjects, the data protection officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
Data breach notifications must contain the following information
The categories and approximate number of Data Subjects concerned
The categories and approximate number of personal data records concerned
The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained)
The likely consequences of the breach
Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects
The GDPR statements regarding our CRM and Cloud Providers can be supplied upon request, please contact us via email email@example.com
This policy is deemed effective as of 15thMay 2018
From the desk of Christoan Smit, Data Protection Officer
Thank you for contacting us about our GDPR compliance. The aim of this document is to explain to where we are in the process of GDPR compliance.
At this point in time, rather strangely, there is still no official GDPR compliance certificate to be obtained.
The best any business can do at this this stage is to look at what is required by the GDPR as end goals, and then use current systems and certifications to obtain that. Article 83 of the GDPR implies that adherence to approved codes of conduct and approved certification mechanism count towards compliance.
The GDPR affects three main aspects of business:
Organisational (e.g. segregation of data & access privileges, staff awareness training, data map, DPIA, etc – client responsibility)
Technical (e.g. local machines should be Cyber Essentials certified, zero data kept on local machines – client responsibility; cloud storage should be EU or UK based, cloud data centre should have ISO 27001 certification – cloud provider’s responsibility)
Venom IT is ISO 9001, ISO 27001 and Cyber Essentials Certified. We are currently in process of upgrading to ISO 27017.
Data security is of paramount concern and we have therefore implemented the following systems & certifications at our Data Centres:
We have 3 data centres, 2 of which are replicant data centres, located in Manchester to ensure Integrity and Continuity, with the third, London-based data centre being a 24-hour delayed redundancy facility.
All our data centres are ISO 27001 certified (the main component for GDPR Technical compliance), with IL4-level security
IP Ban – our unique, proprietary software – blocks repetitive login attempts and blacklists the attacking IP address across our entire network (prevention of unauthorised access)
2048-bit encryption (considered fit for banking, encryption is also part of GDPR requirements)
Auto-failover & rollback (preservation of data Integrity & prevention of data loss)
Depending on the service options selected, backups are done hourly and can be retained for up to 364 days, after which they are archived indefinitely.
UPS with 7-day battery backup (Continuity)
Fire protection using VESDA systems and FM200 gas suppression (physical security)
Secure gated access, with 24-hour security control (physical security)
All our data centres are UK-based and therefore more attractive from a GDPR-compliance point of view than US-based or third-country data centres
For security reasons we cannot divulge certain technical information. All our data centres are equipped with state-of-the-art anti-intrusion systems. All our data centres are independently audited and ISO 27001 certified, which ensures a minimum standard of data security. Our current systems either meet or exceed minimum ISO 27001 standards, which is accepted as GDPR-compliant from a technical perspective1.
I hope that this answers your question as to our current GDPR compliance. If you have any further questions, please free to contact us.
1 Article 5 requires, in part, the “…implementation of the appropriate technical and organisational measures … in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)” and that data should be “…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”