General Data Protection Regulation (GDPR) Compliance Policy for Rhics Ltd
Data Protection Officer (DPO)
Policy:
- Rhics Ltd appoints a qualified Data Protection Officer responsible for overseeing data protection strategies and ensuring compliance with GDPR requirements.
- The DPO acts as the point of contact for supervisory authorities and data subjects.
Procedure:
- The DPO conducts regular GDPR compliance audits, advises on data protection impact assessments, and monitors data management and security practices.
- The DPO provides training and awareness sessions for all staff members.
Data Protection Impact Assessments (DPIA)
Policy:
- Rhics Ltd will conduct a DPIA for new projects or processes that pose a high risk to individuals’ personal data rights and freedoms.
- The DPO will lead the DPIA process with assistance from relevant departments.
Procedure:
- Identify data processing activities requiring a DPIA.
- Assess the necessity and proportionality of the processing.
- Evaluate risks to the rights and freedoms of data subjects.
- Consult with stakeholders and document outcomes.
Data Incident Management
Policy:
- Rhics Ltd has established a process for managing data incidents, defining clear responsibilities, notification requirements, and a scale of severity.
Procedure:
- On identifying a data incident, staff must immediately notify the DPO and IT Security Team.
- The DPO assesses the incident and determines the severity and notification obligations.
- Incidents are reported to supervisory authorities within 72 hours and to affected data subjects without undue delay.
Data Protection Governance
Policy:
- A nominated Director, accountable for personal data management, reports to the board/CEO.
- The Data Protection Assurance Committee reviews data protection practices, including incidents, on a quarterly basis.
Procedure:
- The Director ensures GDPR compliance is integrated into strategic business decisions.
- The Committee oversees the implementation of data protection policies and monitors compliance.
Privacy Notice
Policy:
- Rhics Ltd maintains a comprehensive privacy notice, accessible via the company’s website, explaining how personal data is handled.
Procedure:
- The privacy notice outlines the purposes for processing personal data, data retention periods, and data subject rights.
- The notice is reviewed annually and updated as necessary to reflect changes in processing activities or laws.
Retention Schedule
Policy:
- Rhics Ltd has a data retention schedule detailing retention periods for various categories of personal data and procedures once those periods expire.
Procedure:
- The retention schedule is communicated to all employees.
- Personal data is securely deleted or anonymised when it is no longer necessary for the purpose for which it was collected.
Training
Policy:
- All employees of Rhics Ltd must complete GDPR and data protection training at induction and at regular intervals thereafter.
Procedure:
- The DPO arranges and records attendance at training sessions.
- Training content is reviewed and updated annually to reflect changes in data protection practices and laws.
Risk Assessment
Policy:
- Rhics Ltd regularly assesses risks associated with personal data processing and implements controls to mitigate identified risks.
Procedure:
- The DPO, in collaboration with IT Security, conducts biannual risk assessments.
- Risks are prioritised based on severity and reported to senior management with action plans.
Data Transfer Security
Policy:
- Personal data transfers, both internal and external, are conducted securely and in compliance with GDPR requirements.
Procedure:
- Data transfers utilise encryption and are documented.
- Data transfer agreements with third parties stipulate security obligations.
Data Subject Access Requests (DSARs)
Policy:
- Rhics Ltd has a defined process for handling DSARs promptly and within the legal timeframe.
Procedure:
- Requests are logged, verified, and managed by the DPO or designated staff.
Rights of Data Subjects
- Right to Access: Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
- Right to Rectification: Data subjects have the right to have inaccurate personal data corrected and incomplete personal data completed.
- Right to Erasure (‘Right to be Forgotten’): Data subjects have the right to have their personal data erased under specific conditions.
- Right to Restrict Processing: Data subjects have the right to restrict the processing of their personal data under certain circumstances.
- Right to Data Portability: Data subjects have the right to receive the personal data concerning them, which they have provided, in a structured, commonly used, and machine-readable format.
- Right to Object: Data subjects have the right to object to the processing of their personal data in certain cases, including for direct marketing purposes.
Procedures
- Requests Submission: Data subjects can submit requests in writing or electronically. Contact details for such requests are provided in Rhics Ltd’s privacy notice.
- Identification: Rhics Ltd will verify the identity of the requesting party before processing the request to protect the personal data from unauthorised access.
- Response Time: Rhics Ltd will respond to the data subject’s request without undue delay and, in any event, within one month of receipt of the request.
- Extension of Time: If necessary, the period may be extended by two further months, taking into account the complexity and number of the requests. Rhics Ltd will inform the data subject of any such extension within one month of receipt of the request, along with the reasons for the delay.
- Fees: Requests will be addressed free of charge. However, Rhics Ltd may charge a reasonable fee if the requests are unfounded, repetitive, or excessive.
- Refusal of Requests: If Rhics Ltd does not take action on the request of the data subject, Rhics Ltd will inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority.