Data Protection

Context and overview

Key details
  • Policy prepared by:                                           Geoff Parker
  • Approved by board / management on:         23/07/2019
  • Policy became operational on:                        01/08/2019
  • Next review date:                                               Periodically
Introduction needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

Personal Information Definition

‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them.

Why this policy exists

This data protection policy ensures

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, customers and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach
Data protection law

The Data Protection Act 1998 describes how organisations must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

1. Be processed fairly and lawfully

2. Be obtained only for specific, lawful purposes

3. Be adequate, relevant and not excessive

4. Be accurate and kept up to date

5. Not be held for any longer than necessary

6. Processed in accordance with the rights of data subjects

7. Be protected in appropriate ways

8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection 

People, Risks & Responsibilities
Policy scope

This policy applies to:

  • The head office
  • It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • …plus any other information relating to individuals
Data protection risks

This policy helps to protect from some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Everyone who works for has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The board of directors is ultimately responsible for ensuring that meets its legal obligations.
  • The Company is responsible for:
  • Keeping the board updated about data protection responsibilities, risks and issues.
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data holds about them (also called ‘subject access requests’).
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
Data Protection Impact Assessments

From time to time, will conduct Data Protection Impact Assessments

DPIAs will be conducted, if:

  • conducts extensive profiling using personal data
  • Integrates new technologies
  • Profiling Individuals on a large scale

A DPIA has been conducted at the time of implementing GDPR in relation to all the personal data of our customers

General Staff Guidelines
  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used and they should never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or a board member if they are unsure about any aspect of data protection.
Data storage

These rules describe how and where data should be safely stored. Questions about storing

data safely can be directed to the IT manager or data controller.

There is to be NO data stored on paper.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files should be kept in a locked drawer or filing cabinet.
  • Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared between employees.
  • If data is stored on removable media (like a CD or DVD), these should be kept locked away in the office securely when not being used.
  • Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data is backed up frequently. Those backups are tested regularly.
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.
Data use

Personal data is of no value to unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically.
  • Personal data should never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
Data accuracy: Rectification Rights and Quality

The law requires to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • will make it easy for data subjects to update the information holds about them. For instance, via the company website.
  • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • Any individual who wants their personal data to be corrected can contact our office asking for the data controller and a request will be actioned within the timescales permitted for the necessary access request.
  • Any data accuracy issues identified will be communicated in learnings to staff on an ongoing basis.
Subject access requests: Rights to access

All individuals who are the subject of personal data held by are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals must be made by email, addressed to the data controller at [] with the specific subject request “SUBJECT ACCESS REQUEST”. The data controller can supply a standard request form, although individuals do not have to use this.

Individuals will be charged £35 per subject access request. The data controller will aim to provide the relevant data within 30 days from the date of which the requester has been accurately identified.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Individuals have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information
Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

Providing information aims to ensure that individuals are aware that their data is being processed,

and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company. This is also available on our website 

Erasure Policy, Data Retention and Disposal

An individual has the right to erase, retain or dispose of their personal data in the event that:

  • The data is no longer necessary for the purpose it was originally collected or processed
  • The individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • It was unlawfully processed (ie otherwise in breach of the GDPR);
  • It has to be erased in order to comply with a legal obligation; or
  • It is processed in order to offer information society services to a child.

Erasure Requests from individuals must be made by email, addressed to the data controller at [] with the specific subject request “ERASURE REQUEST”.

The data controller will aim to action the request within 30 days from the date of which the requester has been accurately identified.

Right to Restrict Processing

Individuals have a right to block or restrict the processing of their personal data.

When processing is restricted, are permitted to store the personal data, but not process it further. can retain just enough information about the individual to ensure that we respect the restriction in the future.

We may restrict processing on request of the individual in the event that:

  • An individual contests the accuracy of the personal data;
  • An individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the controller is considering whether their legitimate grounds override those of the
  • individual;
  • Processing is unlawful and the individual opposes erasure and requests restriction instead; and
  • We no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Restrict Processing Requests from individuals must be made by email, addressed to the data controller at [] with the specific subject request “RESTRICT PROCESSING REQUEST”.

The data controller will aim to action the request within 30 days from the date of which the requester has been accurately identified.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Individuals can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • if the processing is based on the individual’s consent or for the performance of a contract; and
  • if the processing is carried out by automated means.

Data Portability Requests from individuals must be made by email, addressed to the data controller at [] with the specific subject request “DATA PORTABILITY REQUEST”.

The data controller will aim to action the request within 30 days from the date of which the requester has been accurately identified.

Data will be provided in in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.

If the individual requests it, we may transmit the data directly to another business where this is technically feasible.

Right to Object

Individuals have a right to object to the processing of their personal data in certain circumstances. Individuals can object verbally or in writing, however we must receive written communication in order to identify the person making the request.

Right to Object Requests from individuals must be made by email, addressed to the data controller at [] with the specific subject request “RIGHT TO OBJECT”.

The data controller will aim to action the request within 30 days from the date of which the requester has been accurately identified.

We have the right to extend this period by a further two months for complex or numerous requests, in which case we will notify the individual and give an explanation.

Individuals have an absolute right to object to any processing (including profiling) undertaken for the purposes of direct marketing.

As soon as we receive a request to stop marketing to an individual, will make reasonable endeavours to immediately stop marketing.

Individuals can object to the processing of personal data if:

  •’s legitimate interests are not legitimate as defined by GDPR
  • the performance of a task in the public interest
  • exercise of official authority.

Individuals can not object to the processing of their personal data if:

  • you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.
Data Security Policy

It is important for that data is secure.

An internal Data Security Policy is in operation

Sub Processors

We do not transfer personal data to any sub processors.

Operational Base only operates business inside the EU.

No personal data is transferred outside of the EU

Breach Notification Procedure

It is’s duty to notify a board director in the event of a personal data breach, immediately.

The company has identification and reporting procedures in place.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

All staff have been trained on data breaches and the processes in which they should follow in such an event.

Data Consents retains and uses information on tenants, landlords, trades people and staff.

Data is only retained and used where we have consent to do so.

Consent means offering people genuine choice and control over how we use the data.

On Going Consent continues to review consents on an ongoing basis. Any marketing activity by email and text have an option to update your consents.

Assigning of a Data Protection Officer have assigned the Company Director as the DPO

Legitimate Interests Assessment relies on Legitimate Interests to process 90% of it’s personal data, and have verified this through the LIA from a usage, necessity and balancing perspective. Details are as follows.

We use people’s data in ways they would reasonably expect and which have a minimal privacy

impact; or

There is a compelling justification for the processing.

The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as legitimate interests.

Automated Decision Making processes all data manually and is not subject to automated decision making.

Data Protection By Design

Data is stored securely in our cloud based system

Only relevant members of staff have access to information that they require

International Transfer

No personal data is transferred outside of the EU