GDPR

Company Registration Number 04589169.
Operating Address Ground Floor 10 Lindal Road, London SE4 1EJ

 
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will affect every organisation which holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties compared with the current Data Protection Act (DPA), which it will supersede.

In essence the GDPR puts into practice six underlying principles to protect individuals and their personal data (often referred to as personally identifiable information, PII).

Lawfulness, fairness and transparency. Lawful: processing must have a lawful basis under the GDPR (the principle is set out in Article 5(1)(a); the lawful bases themselves are listed in Article 6). Fair: what is processed must match how it has been described to the individual. Transparent: explain to the data subject what processing will be done with their data.
Purpose limitation: define what the data is being used for and do not use it for other, incompatible purposes.
Data minimisation: only collect and store what is required for that purpose.
Accuracy: the data is accurate and kept up to date.
Storage limitation: the data is kept no longer than necessary.
Integrity and confidentiality: the data is held securely and, if stored online or in the cloud, encrypted by default.

Upbeat Management is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards.

Upbeat Management has been working to meet the GDPR requirements.

To date the company has:

– Trained management and staff on what the GDPR entails and ensured that they understand what data on individuals should and should not be held.
– Reviewed all client data held by and on behalf of the company.
– Ensured the data is held behind a firewall and that the cloud servers provide adequate encryption.
– Reviewed all passwords and security settings on all computers and ensured that passwords are strong enough to protect data as far as reasonably possible.
– Committed to regular password reviews, and to changing any password without delay if it may have been compromised, to reduce the risk of a breach.
– Committed to regular data reviews to identify data that is no longer needed and to securely delete it.

 
 

GDPR: DATA BREACH POLICY

This is the Data Breach Policy of UPBEAT MANAGEMENT LTD.

Background

The General Data Protection Regulation (GDPR) is based around six principles of handling of personal data. We must comply with all six principles as a business; otherwise we’ll be in breach of the GDPR. We understand that the principles give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

Aim

The GDPR requires that we must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. This policy sets out how we deal with a data security breach.
What is a personal data breach?
The Information Commissioner’s Office states that a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Action to be taken in the event of a data breach

1. Containment and recovery

The immediate priorities are to:
Contain the breach;
Assess the potential adverse consequences for individuals, based on how serious or substantial these are and how likely they are to happen; and
Limit the scope of the breach.

In the event of a security incident or breach, staff must immediately inform YVONNE WHITE.

YVONNE WHITE will take the lead on investigating the breach.

Steps to take where personal data has been sent to someone not authorised to see it:

Inform the recipient not to pass it on or discuss it with anyone else;
Inform the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;
Explain to the recipient the implications if they further disclose the data; and
Where relevant, inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

2. Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.
Examples of the type of questions to consider:

What type of data is involved?

How sensitive is it?

If data has been lost or stolen, are there any protections in place such as encryption?

What has happened to the data?
i.e. if stolen, could it be used for purposes which are harmful to the individuals to whom the data relate? If it has been damaged, this poses a different type and level of risk.
Estimate how many individuals' personal data are affected by the breach.

Who are the individuals whose data has been breached?
Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, our actions in attempting to mitigate those risks.
What harm can come to those individuals?
Are there risks to physical safety or reputation, of financial loss, or a combination of these and other aspects of their life?
Are there wider consequences to consider, such as a risk to public health or loss of public confidence in an important service we provide?

Establish whether there is anything we can do to recover any losses and limit the damage the breach can cause.

3. Notifying the ICO and individuals, where relevant

a) Who is responsible?

In our business, YVONNE WHITE is the point of contact for staff and the ICO on this policy and on all matters relating to data protection.

YVONNE WHITE is also responsible for notifying the ICO and individuals (where applicable) of relevant personal data breaches.

b) What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it.

If we decide we don’t need to report the breach, we need to be able to justify this decision, and we should document it.

c) When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, and not later than 72 hours after becoming aware of the breach.

If we don’t comply with this requirement, we must be able to give reasons for the delay.

In some instances it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. Where that applies we should provide the required information in phases, as long as this is done without undue further delay.

d) Breach information to the ICO

When reporting a breach, we will provide the following information:

a description of the nature of the personal data breach including, where possible:
the categories and approximate number of individuals concerned;
and the categories and approximate number of personal data records concerned;
the name and contact details of our contact person: YVONNE WHITE, 0208 668 3332;
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

e) Individuals

Where notification to individuals may also be required, YVONNE WHITE will assess the severity of the potential impact on individuals as a result of a breach and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

f) Information to individuals

YVONNE WHITE will consider who to notify, what we are going to tell them and how we are going to communicate the message. This will depend to a large extent on the nature of the breach but will include the name and contact details of our data protection officer (where relevant) or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

The breach need not be reported to individuals if:

We have implemented appropriate technical and organisational protection measures, in particular measures that render the data unintelligible to anyone not authorised to access it (such as encryption), and those measures were applied to the personal data affected by the breach;
We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or

It would involve disproportionate effort (in which case a public communication, or a similar measure that informs individuals equally effectively, may be more appropriate).

In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, YVONNE WHITE should establish which European supervisory authority is the lead supervisory authority for the processing activities that have been subject to the breach.

g) Third parties

In certain instances YVONNE WHITE may need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

h) Document all decisions

YVONNE WHITE must document all decisions that we take in relation to security incidents and data breaches, regardless of whether or not they need to be reported to the ICO.

4. Evaluate our response and mitigation steps

We investigate the cause of any breach, decide on remedial action and consider how we can mitigate it. As part of that process we also evaluate the effectiveness of our response to incidents or breaches. To assist in this evaluation we consider:

What personal data is held, where and how it is stored
Risks that arise when sharing with or disclosing to others
This includes checking the method of transmission to make sure it's secure and that we only share or disclose the minimum amount of data necessary
Weak points in our existing security measures such as the use of portable storage devices or access to public networks
Whether or not the breach was a result of human error or a systemic issue and determine how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps
Staff awareness of security issues and look to fill any gaps through training or advice
The need for a Business Continuity Plan for dealing with serious incidents
The group of people responsible for reacting to reported breaches of security

5. Review

This document is dated 11 May 2018 and will be reviewed by us every 24 months.

 
 

GDPR – DATA RETENTION POLICY WITH SCHEDULE

This is the Data Retention Policy of UPBEAT MANAGEMENT LTD

Introduction

We recognise that in the running of our business, we collect and process personal data from a variety of sources. This personal information is collated in several different formats including letters, emails, legal documents, employment records, operations records, images and statements. The personal data is held in both hard copy and electronic form.

Aims of the policy

Our business will ensure that personal data that we hold is kept secure and that it is held for no longer than is necessary for the purposes for which it is being processed. In addition, we will retain the minimum amount of information needed to fulfil our statutory obligations and the provision of goods and/or services, as required by the data protection legislation, including the General Data Protection Regulation (GDPR).

Retention

This retention policy (with its schedule), is a tool used to assist us in making decisions on whether a particular document should be retained or disposed of. In addition, it takes account of the context within which the personal data is being processed and our business practices.

Decisions around retention and disposal should be taken in accordance with this policy.

Where a retention period of a specific document has expired, a review should always be carried out prior to the disposal of the document. This does not have to be time-consuming or complex. If a decision is reached to dispose of a document, careful consideration should be given to the method of disposal.

Responsibility

YVONNE WHITE is responsible for keeping this retention schedule up to date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for our business.

YVONNE WHITE is responsible for determining (in accordance with this Policy) whether to retain or dispose of specific documents.

Delegation of the operational aspect of this function: not applicable (no delegate is currently appointed).

YVONNE WHITE makes the decision about minimum retention periods and about whether the retention of a document is necessary for a potential claim.

Disposal

We must ensure that personal data is securely disposed of when it is no longer needed. This reduces the risk that it becomes inaccurate, out of date or irrelevant, and limits what could be exposed if a breach occurs.

The method of disposal should be appropriate to the nature and sensitivity of the documents concerned and includes:

Non-confidential records: place in the waste paper bin for disposal
Confidential records: shred the documents
Deletion of computer records (including any backup copies)
Deletion of records held in cloud storage
Transmission of records to an external body, where that body takes over responsibility for them

The table below contains the retention period that we have assigned to each type of record. This will be adhered to wherever possible, although it is recognised that there may be exceptional circumstances which require documents to be kept for either shorter or longer periods.

Exceptional circumstances should be reported to YVONNE WHITE (Data Representative) without delay.

Date created: 18.05.2018

Date of review: 18.05.2020

Appendix 1: Document retention schedule

Type of record | Retention period | Where is it stored? | Reason | Method of deletion

Employment records: no employees.

Commercial contracts:
Contracts with suppliers | 6 years after last action | On computer | Supply contract | Deletion of computer records
Purchase orders and invoices | 7 years after last action | On computer | Supply contract | Deletion of computer records

Tax and accounting records: no third-party tax records kept.

Marketing records:
Mailing lists | 1 year after last action | Computer | To assist with audit | Deletion of computer records

Operational records:
Fire risk assessments | Retain until superseded | Computer | To assist with audit | Deletion of computer records
Policies/procedures | 6 years | not stated | not stated | not stated
Complaints | 2 years from end of fiscal year | Computer | Issue is generally resolved | not stated
Website FAQs | 6 months from last action | Computer | Issue is generally resolved upon response | not stated

Email records:
Email correspondence | Archive emails after 1 year | Computer | Audit trail | Deletion of computer records

Banking records:
Name and account numbers | Delete after making final payment | Computer | not stated | Deletion of computer records