Orkney Consulting – General Data Protection Regulation Policy
Orkney Consulting is committed to the safe and legal processing and retention of your personal data and we have a GDPR policy that all clients should make themselves aware of. Whilst the policy has been split into smaller elements to ease reading, we advise you to open and read every element of our policy. Should you wish further clarification, please don’t hesitate to get in touch so we can discuss it further.
Orkney Consulting GDPR policy
As part of daily business, Orkney Consulting will receive, use and store personal information about our clients, suppliers, business contacts, and other people that Orkney Consulting has a professional relationship with or may need to contact in a professional capacity.
It is important that this information is handled lawfully and appropriately in line with the requirements of the UK’s Data Protection Act 2018 and the EU Regulation 2016/679, the General Data Protection Regulation (which will collectively be referred to as ‘Data Protection Requirements’ throughout this policy).
About This Policy
This policy, and any other documents referred to in it, sets out the basis by which Orkney Consulting will process personal data.
Simon Brodie is responsible for ensuring compliance with the Data Protection Requirements and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred to Simon Brodie (firstname.lastname@example.org) in the first instance.
What is Personal Data
Personal data refers to data relating to a living individual who can be identified directly or indirectly from that data (or part of it). This data can be stored electronically, on paper, or any other storage means.
Processing is any activity that involves the use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring of personal data to third parties.
Sensitive personal data includes personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, physical or mental health condition, sexual orientation or sexual life. It can also include data about criminal offences or convictions. Sensitive personal data can only be processed under strict conditions, one of which includes the specific consent of the individual.
Our Data Protection principles
In processing your personal data, Orkney Consulting will:
- Always tell you why we are gathering your data and what we are going to do with it, to ensure that it is processed fairly, lawfully and in a transparent manner, under your Right to be Informed.
- Never knowingly gather data beyond that which is needed to work with you to ensure that the data gathered is relevant and limited to what is necessary under your Right to be Informed.
- Stop processing your data if required to do so under your Right to Restrict Processing.
- Never knowingly gather or retain false information and will work with you to resolve any inaccuracies to ensure that your data is accurate and up-to-date. You have a right to ensure that the data we hold is accurate under your Right to Rectification.
- Take all reasonable steps to destroy, or erase from our systems, all of your personal data after the agreed retention period or when you formally request that we do so under your Right to Erasure.
- Process your personal data in line with your Individual Rights, and also your Right to Object.
- Keep your personal data in an appropriately secure manner.
- Let you know what data we hold about you under your Right to Access and also your Right to Data Portability. To do so, please contact Orkney Consulting and we will provide you with the information.
- Not transfer your personal data to people or organisations situated in countries without adequate protection, or without firstly having advised you.
What we do with your data
Fair and Lawful Processing
In accordance with the Data Protection Requirements, Orkney Consulting will only process personal data, where required, for lawful purposes. The lawful purposes include (amongst others): where the individual has given their consent, or where the processing is necessary for performing a contract with the individual, for compliance with a legal obligation, or for the legitimate interest of the business. When sensitive personal data is being processed, additional conditions must be met.
Processing for Limited Purposes
In the course of our business, Orkney Consulting may collect and process personal data set out in Schedule 1 of the GDPR. This may include data received directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data received from any other sources.
Orkney Consulting will only process personal data for the specific purposes set out in Schedule 1 or for any other purposes specifically permitted by the Data Protection Requirements. We will notify those purposes to the data subject when we first collect the data, or as soon as possible thereafter.
Disclosure and Sharing of Personal Data
Orkney Consulting does not plan to, or intend to, share any of your personal data with any other organisations (outside of our legal requirements or sharing data with the company that provided us with the data). Should this ever change, we will inform you prior to such sharing.
How we keep your data secure
Orkney Consulting will take appropriate security measures against unlawful or unauthorised processing of your personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of, or access to, personal data we hold.
To ensure the security of your personal data, Orkney Consulting commits to:
- Keeping all personal data locked away when not in use.
- Only holding the minimum information about you necessary to provide you with our professional services.
- Encryption of data – electronic files are stored on Dropbox, which has 256-bit encryption for stored files and 128-bit encryption for files in ‘transit’, and are backed up to minimise the risk of accidental deletion. Furthermore, Dropbox storage meets the requirements for GDPR, although Orkney Consulting is still responsible for this policy.
- Shredding any paper documents containing personal data and destroying any digital storage devices when they are no longer required.
- Maintaining client and individual confidentiality.
Data processing and retention
Orkney Consulting expects to gather data to allow us to provide you with our professional consultation services. It is expected that data will be held mainly for reference, with little actual personal data being relevant for our reports to your organisation. We expect to retain your personal data for up to 12 months after we have finished working with you, unless we formally agree otherwise.
This document and the links provided to the ICO website detail Orkney Consulting’s approach to processing your personal data. If you need further details, please contact us and we will be happy to discuss our processes and procedures with you.
Changes to this Policy
We reserve the right to change this policy at any time. Where appropriate, we will notify changes by mail or email.