GDPR POLICY

Scope

The scope of this policy is to provide Data Subjects with an overview of the GDPR and an understanding of how it applies in our organisation.

The General Data Protection Regulation (GDPR)

The purpose of the GDPR is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed in line with the requirements under the GDPR.

As an organisation we have identified that we process personal data, and we therefore aim to be GDPR compliant on an ongoing basis.

Definitions under the GDPR

Material scope – the GDPR applies to the processing of personal data wholly or partly by computer, and to the processing via other means, such as paper records, that form part of a filing system or are intended to form part of a filing system.

We hold personal data in our automated systems, in hard copies and in storage systems; therefore we must be GDPR compliant at all times.

Territorial scope – the GDPR will apply to all controllers that are established in the EU (European Union) who process the personal data of data subjects within Europe. It will also apply to controllers outside of the EU that process personal data in order to offer goods and services (paid or unpaid) or monitor the behaviour of data subjects who are resident in the EU.

We operate in the UK and sell goods/services to nationals within the EU and outside the EU; therefore we must at all times comply with the GDPR.

Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. Our organisation’s main establishment will be in the UK.

Personal data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We hold individuals’ emails, names and addresses, and on occasion some sensitive data; therefore we must be GDPR compliant at all times.

Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

We hold copies of individuals’ ID documents and similar records; therefore we must be GDPR compliant at all times.

Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Our data controller is Luke James of 3TL Consulting Ltd – gdpr@3tlconsulting.com

Data subject – any living individual who is the subject of personal data held by an organisation.

Our data subjects are our employees, sub-contractors, customers, suppliers and any other person from whom we collect personal data.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

We hold and record personal data of data subjects on a number of occasions, which means we must be compliant at all times.

Profiling – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority where the breach is likely to adversely affect the personal data or privacy of the data subject.

Data subject consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Child – the GDPR defines a child as anyone under the age of 16, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.

Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Privacy Statement

  1. We are all committed to complying with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information our organisation collects and processes in accordance with the General Data Protection Regulation (GDPR).

  2. We will at all times ensure that our security measures are appropriate to the risks as indicated in our ‘Security Policy’.

  3. This policy applies to personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the organisation processes from any source.

  4. We have carried out an information audit, gap-analysis and privacy impact assessment to find out any shortfalls and those shortfalls have been rectified.

  5. The Controller is responsible for reviewing any breach registers.

  6. This policy applies to all Employees/Staff of our organisation and our customers/clients.

  7. Any breach of the GDPR will be dealt with under our organisation’s disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

  8. Third parties, including any partners and shareholders working with or for our organisation, will be expected to have read, understood and to comply with this policy.

  9. No third party may access personal data held by this organisation unless (a) they are GDPR compliant; (b) they have the respective ‘controller-processor’ contract in place; and (c) they have signed a confidentiality agreement.

Our Mission – GDPR

Our mission is to ensure that we are GDPR compliant by or before 25th May 2018, and we aim to carry out the following to ensure that we are compliant:

  1. Ensure that all our employees and sub-contractors (including our board) are trained on the GDPR and that our organisation retains evidence of that training;

  2. Conduct a privacy impact assessment (refer to ICO’s website);

  3. Carry out an information audit to ascertain where the personal data is held;

  4. Carry out a gap analysis and close the identified gaps;

  5. Where the processing of personal data leads to ‘High Risk’, carry out a Data Protection Impact Assessment;

  6. Appoint a DPO if necessary (this depends upon the law);

  7. Ensure that all the ‘Policies & Procedures’ are in place;

  8. Ensure that personal data (in particular sensitive data) is kept securely and that we have in place appropriate security measures adequate to the risks involved;

  9. Only work with third parties, third countries or international organisations that are GDPR compliant;

  10. Ensure that, if personal data is transferred to third parties, third countries or international organisations, the relevant ‘processor-controller’ contracts are in place;

  11. Ensure that every member of staff adheres to the 6 key principles on a daily basis;

  12. Ensure that personal data breaches are taken seriously, and the correct procedures are followed by all members of staff.
