Pragmatiq needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has or may need to contact.
This policy describes how this potential data must be collected, handled, stored and disposed of to meet GDPR requirements and comply with the Law.
This GDPR policy ensures Pragmatiq:
- Complies with the regulations and follows good practice
- Protects the rights of staff, clients and partners
- Is open and transparent about how it collects, stores and processes individuals’ data
- Protects itself from the risks of data breach
Data Protection Law
The Data Protection Act 1998 was replaced by the General Data Protection Regulations in May 2018 (following an EU directive). The regulations describe how a company, including Pragmatiq, must collect, handle, store and dispose of personal information.
The Regulations apply whether the data is stored electronically or as hard copy.
Data kept will be:
- Collected fairly and legally
- Individuals will be made aware and must actively give permission
- Data must be relevant.
- Data will be accurate and current
- Not be held for longer than necessary
- Be protected appropriately
- Destroyed on request – right to be forgotten
- Be supplied on request to the relevant individual free of charge (FOC)
This policy applies to:
- All staff of Pragmatiq
- All contractors, suppliers, associates and others working on behalf of Pragmatiq
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside GDPR 2018. This data will include:
- Names of individuals
- Postal addresses
- E-mail addresses
- Telephone numbers – landline and mobile
- And any other information relating to individuals
Data Protection Risks
This policy helps to protect Pragmatiq Solutions from security risks including:
- Breaches of confidentiality e.g., divulging information by mistake
- Failing to offer choice e.g., preventing the individual from giving permission on holding data, what is held and how it is stored
- Reputational damage e.g., servers being hacked and sensitive data being stolen
All staff have some responsibility for ensuring that data is collected, handled, stored and disposed of appropriately. Each team must ensure that data is handled in line with GDPR 2018.
Key stakeholders are:
Co-Founder/Director – Stuart Goldwater is responsible for ensuring the company meets its legal requirements under GDPR 2018
Data Controller/Officer – Stuart Goldwater is responsible for:
- Ensuring GDPR is complied with
- Reviewing GDPR procedures
- Arranging GDPR training for people covered by this policy
- Handling data protection questions from staff and anyone else covered by the policy
- Dealing with requests from individuals who request to see data Pragmatiq Solutions holds on them
- Ensuring any third party conforms with Pragmatiq Solutions' GDPR policy
- The only staff accessing data should need to do it for their work
- Data must not be shared informally
- Pragmatiq will provide training to staff where appropriate
- Staff should keep all data secure and take sensible, reasonable precautions
- Staff should use strong passwords and change them regularly
- Personal data must not be disclosed to unauthorised people either internally or externally
- Where, on review, data is found to be no longer needed, it should be disposed of appropriately
- Staff should request help from their manager or Data Protection Officer if they are unsure of any aspect of GDPR
Collection & Storage
- When data is collected it must be with the permission of the individual, freely given, clear and transparent
- Data will be stored in a secure place either electronically or as a hard copy
- Staff should ensure that they do not leave hard copy records where unauthorised people could see them
- Data should be disposed of securely – e.g., shredded when no longer required
- Where data is stored electronically it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts
- Data should be protected by strong passwords, changed regularly and never shared between staff
- Data collected could include e-mail, phone number, postal address, etc
- Subjects will have the right to access, rectify, erase, port the data and object to the processing of the data. Requests should be emailed to firstname.lastname@example.org
Data is at the highest risk of loss, corruption or theft when it is being used:
- Staff should ensure no data is visible on screens when they are unattended, and laptops and PCs should be left locked when unattended
- Personal data should not be shared informally; where possible it should not be sent by email, which is not secure
- Staff should not save copies of personal data to their own computer
Pragmatiq will take reasonable steps to ensure data is kept up to date and it is accurate and relevant:
It is the responsibility of staff to take reasonable steps to ensure data kept is accurate and up to date
- Data will be held in as few places as possible. Unnecessary additional sets will not be created.
- Staff should take the opportunity to update client personal data – by confirming client details when speaking to a client
- Data will be updated as inaccuracies are discovered e.g. if the client can no longer be reached on a specific phone number it should be deleted from the database
Subject Access Request
The person whose data is held is referred to under GDPR as the subject.
The subjects of Pragmatiq are entitled to:
- Ask what information is held on them
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed of how the company is meeting its legal obligations under GDPR 2018
Subject access requests should be made to the Data Controller (Stuart Goldwater) formally in writing. Information will be supplied free of charge within 1 month of the request.
The Data Controller will always verify the identity of the person making the subject access request before handing over any information.
Disclosing Data for Other Reasons
In certain circumstances, Pragmatiq may be required to provide personal data to certain authorised agencies e.g., police, HSE etc. Under these circumstances, the data controller will ensure the request is legitimate, seeking legal advice where necessary.