As part of your role with Wholegrain, you’ll come into contact with a lot of important, sensitive and confidential information about our clients, suppliers, business contacts, employees, and anybody else with whom we have a working relationship.  Whilst we all know the importance of keeping information that is explicitly stated as “confidential” private, with other types of information it can be less obvious how we should treat that information and what safeguards (if any) should be in place to manage it and keep it secure.  The various data protection laws that exist in the UK provide that clarification, and the contents of this policy come directly from those laws.  

It’s essential that you treat any information pertaining to our clients, suppliers, business contacts, employees and anyone else whom we have a working relationship with, with the utmost care and confidentiality. Furthermore, such information, as well as the “personal data” as referred to in the Data Protection Act 1998 and defined below, must be treated in accordance with the rules, requirements and boundaries stipulated within this policy.  At the end of this policy is a list of roles and accountabilities that summarise our expectations of all stakeholders of this policy.  Anybody found to have violated this policy could be liable for action, up to and including termination of their employment or the cessation of their contract for/of services. It is that serious.

This policy applies to all employees and contractors of Wholegrain.  It does not form part of your contract of employment or contract for services and may be amended from time to time.   It should be read in conjunction with our ‘Confidentiality Policy’ which references what Wholegrain classifies as confidential information and how it must be managed.  

Any, and all, personal data used in conjunction with this policy shall be collected, held, and processed in accordance with this ‘Data Protection Policy.’

This policy should be read in conjunction with the relevant appendices to it:

Appendix 1 (Employee personal data);

Appendix 2 (Contractor personal data)

Definitions

There are a number of important definitions in data protection law that will be referred to in this policy.  We’ve included these here at the start so that you have the background info before we dive into the specifics of data protection: 

“consent”- this refers to the consent of the “data subject” (see below for definition). Consent in the context of data protection must always be: freely given (i.e. not tied to some other action; for example, consent requested at the same time as, and as part and parcel of, signing a new employment contract could prevent the individual from withdrawing their consent to any provisions within the data protection policy); specific (so that people are clear on what they are consenting to); informed (so that folk know what their entitlement is in relation to their data and the ongoing processing of it); and unambiguous in its indication of the data subject’s wishes, by which they signify their agreement (or not, as the case may be) to the “processing” of “personal data” relating to them. 

“data controller”- this refers to the person or organisation which, alone or jointly with others, determines the purposes and means of the “processing” of personal data.  For the purpose of this policy, Wholegrain Digital is the “data controller” of all “personal data” relating to employees, contractors, clients, suppliers, and business contacts used within our business for commercial purposes.

“data processor”- refers to the person or organisation who “processes” “personal data” on behalf of Wholegrain.  Further details of the current data processors who work with Wholegrain are contained in the relevant appendices to this policy.

“Data Protection Audits”- means an audit to assess how an organisation handles “personal data” and whether it complies with the relevant data protection legislation. A data protection audit helps identify and address any risks or gaps in data protection practices. 

“Data Protection Impact Assessment” or “DPIA”- refers to a process undertaken to identify and minimise the data protection risks of a project, especially if the “processing” is likely to result in a high risk to individuals.  A DPIA should be undertaken for any project which requires the processing of “personal data.” 

“data subject”- refers to a living, identified or identifiable person about whom the company holds “personal data.” Within Wholegrain, our data subjects are our employees, contractors, suppliers, clients, and anyone else with whom we work in conjunction, provide services to or obtain services from. 

“personal data”- means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject. When people think of personal data they often think this refers to an individual’s name, phone number, address etc. However, personal data covers a range of identifiers including, but not limited to: email address; date of birth; race; gender; religion or belief; credit card numbers; data held by a hospital or doctor; a photograph where an individual is identifiable, etc.

“personal data breach”- refers to a breach of security leading to the accidental and/or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise “processed.”

“processing;” “process;” or “processed”- means any operation or set of operations performed on personal data or sets of personal data. This is whether or not that processing is by automated or manual means, and includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data. 

“pseudonymisation”- refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. For pseudonymisation to exist, that additional information must be kept separately and furthermore is also subject to technical and organisational measures to ensure that such personal data is not attributed to an identified or identifiable person.

“special category personal data”- means personal data that reveals racial or ethnic origin, religion or belief, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric or genetic data.  This information is considered particularly sensitive and as such has additional safeguards in place for it to be processed.

Scope

Our policy applies to all team members whether you’re working from home or our offices, as well as subcontractors, suppliers and anybody else that we collaborate with or who acts on our behalf and may require occasional access to the data that we hold, store and process.

This policy relates to the personal data that the company holds, stores and processes relating to identifiable individuals or data subjects that have a connection to Wholegrain in one way or another. 

The Company’s Data Protection Officer is Chris Lewis, Managing Director, who is responsible for administering this policy and for developing and implementing any applicable policies, procedures, and guidelines necessary to support the adherence to this policy by all employees, contractors and other parties working on behalf of Wholegrain.  Where applicable, the Data Protection Officer will implement such practices, processes, controls, and training as are reasonably necessary to ensure compliance.

Data Protection Principles

The purpose of the Data Protection Act 1998 (as amended) is to safeguard any information held by an organisation about an individual and that is classified as either personal or sensitive information or data.   This is regardless of whether that data exists electronically, on paper, or on any other materials. The Act states that personal information must be collected and used fairly, stored safely, and not disclosed unlawfully and is underpinned by the following principles that specify that personal data must:

  • be processed fairly, lawfully and in a transparent manner in relation to the data subject;
  • be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  Note that further processing for archiving or statistical purposes is not considered to be incompatible with the initial purposes so long as the data was obtained for valid purposes in the first place and that such was explained clearly to the data subject, and that it is not used in any way that is incompatible with those original purposes; 
  • be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified, without delay;
  • not be held for any longer than is necessary;
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

The Rights of Data Subjects

Data subjects have the following key rights with respect to their personal data:

  1. the right to be informed about the purpose of processing their personal data;
  2. the right to have access to their personal data;
  3. the right to have their personal data rectified/corrected in the case of errors/out of date information etc;
  4. the right to the erasure of their personal data (a.k.a. the right to be forgotten);
  5. the right to restrict the processing of their personal data;
  6. the right to data portability, or the transfer of their personal data, without that transfer altering the data or preventing its accessibility;
  7. the right to object to their personal data being processed; and
  8. rights with respect to automated decision-making (i.e. using machines and algorithms to make decisions based on an individual’s personal data) and profiling in connection with a data subject’s personal data.

Lawful, fair, and transparent processing of data

Data protection laws seek to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.  For the processing of personal data to be lawful, at least one of the following needs to apply:

  1. the data subject has given their explicit consent to the processing of their personal data for one or more specific purposes; 
  2. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. the processing is necessary to protect the vital interests (i.e. the life) of the data subject or of another individual;
  4. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  5. the processing is necessary for the purposes of the legitimate and reasonable interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Processing of “Special Category Personal Data”

If the personal data in question is special category personal data, then at least one of the following conditions must be met:

  1. the data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless the law prohibits them from doing so);
  2. the processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by law or a collective agreement pursuant to law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
  3. the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
  4. the processing relates to personal data which is made public by the data subject;
  5. the processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
  6. the processing is necessary for substantial public interest reasons and proportionate to the aim pursued.  It must respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject; 
  7. the processing is necessary for the purposes of preventative or occupational medicine; for the assessment of the working capacity of an employee; for medical diagnosis; for the provision of health or social care or treatment; or the management of health or social care systems or services further to a contract with a health professional and always subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR (the obligation of professional secrecy);
  8. the processing is necessary for public interest reasons in the area of public health which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or
  9. the processing is necessary for archiving purposes in the public interest, scientific, statistical, or historical research purposes which will be proportional to the aim pursued as well as respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Explicit Consent

If consent is relied upon as the lawful basis for collecting, holding and/or processing personal data, then the following must apply:

  • consent is a clear indication by the data subject that they agree to the processing of their personal data. Such a clear indication may take the form of a statement or a positive action.  Silence, pre-ticked boxes, or inactivity do not amount to consent;
  • where consent is given in a document which includes other matters (for example a contract for services or employment), the section dealing with consent must be kept clearly separate from such other matters so as not to influence those other matters;
  • data subjects are free to withdraw consent at any time and it must be made easy for them to do so. Consent that is withdrawn by a data subject must be honoured promptly; 
  • if personal data is processed for a different purpose that is incompatible with the purpose(s) for which the personal data was originally collected and that was not disclosed to the data subject when they first provided their consent, then consent for the new purpose(s) must be obtained;
  • in all cases, where consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, records must be kept of all consents obtained in order to ensure that Wholegrain can demonstrate its compliance with consent requirements.

Accuracy of data and keeping data up to date

Wholegrain will ensure that all personal data collected, processed, and held by us is kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.  

The accuracy of personal data will be checked when it is collected and at regular intervals thereafter. If any data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Data retention

Personal data will not be kept for any longer than is necessary in the context of the purpose(s) for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.  Please refer to the company’s ‘Data Retention Policy’ for further information. 

Secure Processing

The company will ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.  To achieve this, all technical and organisational measures that are taken to protect personal data will be regularly reviewed and evaluated to ensure their ongoing effectiveness and the continued security of personal data. 

Data security will be maintained at all times by protecting the confidentiality, integrity, and availability of all personal data as follows:

  1. only those with a genuine need to access and use personal data and who are authorised to do so may access and use it;
  2. personal data must be accurate and suitable for the purpose(s) for which it is collected, held, and processed; and
  3. authorised users must always be able to access the personal data as required for the authorised purpose(s).

Accountability and record-keeping

The company will follow a privacy-by-design approach (i.e. the incorporation of data privacy protections into the design of information systems, products, and services) at all times when collecting, holding, and processing personal data. Data Protection Impact Assessments (a.k.a. DPIAs) will be conducted if any processing presents a significant risk to the rights and freedoms of data subjects; for any and all new projects; and for new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects.  DPIAs will be overseen by the Data Protection Officer and will address:

  1. the nature, scope, context, and purpose(s) of the collection, holding and processing;
  2. the technical and organisational measures to be taken; 
  3. the type(s) of personal data that will be collected, held, and processed;
  4. the purpose(s) for which the personal data is to be used;
  5. the company’s objectives and how they are achieved in relation to the personal data to be collected;
  6. how the personal data is to be used;
  7. the parties (internal and/or external) who are to be consulted about the personal data to be collected;
  8. the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed and the alternatives that have been considered; 
  9. the risks posed to data subjects, including their likelihood and severity; 
  10. the risks posed both within and to the company, including their likelihood and severity;
  11. the proposed measures to minimise and handle any identified risks; and
  12. the cost of implementing such measures.

In addition, data protection compliance will be regularly reviewed and evaluated by means of Data Protection Audits which will include: 

  1. the details of any third-party data transfers (including data processors and other data controllers with whom personal data is shared);
  2. the purposes for which the company collects, holds, and processes personal data;
  3. the legal basis for collecting, holding, and processing personal data;
  4. the mechanism(s) for obtaining consent and the records of such consent;
  5. details of the categories of personal data collected, held, and processed by the company, and the categories of data subject to which that personal data relates;
  6. details of any transfers of personal data to non-UK countries including all mechanisms and security safeguards;
  7. details of how long personal data will be retained for;
  8. details of personal data storage, including location(s); and
  9. detailed descriptions of all technical and organisational measures taken by the company to ensure the security of personal data.

Keeping data subjects informed

Where personal data is collected directly from data subjects, those data subjects must be informed of its purpose at the time of collection. 

The company will provide the following information to every data subject at the point of collection:

  1. the details of the company, including its contact details, and the names and contact details of any applicable representatives and its Data Protection Officer;
  2. the purpose(s) for which the personal data is being collected and will be processed and the lawful basis justifying that collection and processing;
  3. where applicable, the legitimate interests upon which the company is justifying its collection and processing of the personal data; 
  4. where the personal data is not obtained directly from the data subject, the data subject must be advised of the categories of personal data collected and processed as well as the source of that personal data;
  5. where the personal data is to be transferred to one or more third parties, the details of those parties must be provided;
  6. where the personal data is to be transferred to a third party that is located outside of the UK, the details of that transfer must include, but are not limited to, the safeguards that are in place;
  7. the details of applicable retention periods;
  8. the details of the data subject’s legal rights under the UK GDPR and Data Protection Act 1998;
  9. the details of the data subject’s rights to withdraw their consent to the company’s processing of their personal data at any time;
  10. the details of the data subject’s right to complain to the Information Commissioner’s Office;
  11. where applicable, the details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and the details of any consequences of failing to provide it; and
  12. the details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences. 

In the event that personal data is obtained from a third party, those data subjects must be informed of its purpose at the time of collection and that it is to be transferred to another party. This must occur before that transfer is made or as soon as possible afterwards.  In any event, the notification cannot occur more than one month after the personal data is obtained.

Data Subject Access 

Data subjects may make a subject access request (a.k.a. “SAR”) at any time to find out more about the personal data which the company holds about them, what it is doing with that personal data and why.  A SAR should be submitted to the Data Protection Officer, who will normally respond within one month of receipt. If additional time is required in order to respond to the request, the data subject will be advised accordingly. 

The company does not charge a fee for handling normal SARs; however, it may impose a fee for additional copies of information and for requests that are manifestly unfounded or excessive, particularly where requests are repetitive.

Rectification and erasure of personal data

Data subjects have the right to require the company to rectify any of their personal data that is inaccurate or incomplete.  The company will rectify the personal data in question within one month of being informed of the issue. If additional time is required, the data subject will be advised accordingly. 

With respect to the erasure of personal data, data subjects have the right to request that the company erases their personal data in the following circumstances:

  1. it is no longer necessary for the company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed; 
  2. the data subject wishes to withdraw their consent to the company holding and processing their personal data;
  3. the data subject objects to the company holding and processing their personal data and there is no overriding legitimate interest to allow the company to continue doing so;
  4. the personal data has been processed unlawfully; or
  5. the personal data needs to be erased in order for the company to comply with a particular legal obligation.

Unless the company has reasonable grounds to refuse to erase personal data, all requests for erasure will be complied with within one month of receipt of the data subject’s request. If additional time is required, the data subject will be advised accordingly.

Restriction of personal data processing

Data subjects may request that the company ceases processing the personal data it holds about them.  If a data subject makes such a request, the company will retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.  In the event that any affected personal data has been disclosed to third parties, those parties will be informed of the applicable restrictions on processing it unless it is impossible or would require disproportionate effort to do so.

Objections to personal data processing

Data subjects can object to the company processing their personal data on the basis of legitimate interests or for direct marketing (including profiling).  In such an event, the company will cease processing the data subject’s personal data immediately, unless it can demonstrate that the company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims. 

In the case of direct marketing, where a data subject objects to the company processing their personal data for direct marketing purposes, the company will cease such processing promptly. 

Complaints about personal data processing

If you believe that Wholegrain has not complied with your data protection rights, you can complain to the Data Protection Officer via [email protected] or the Information Commissioner’s Office via www.ico.org.uk.

Personal data collected, held, and processed by Wholegrain Digital

Please refer to the following relevant appendices in relation to the specific personal data that Wholegrain collects, holds and processes in respect of: 

  1. Employees;
  2. Contractors;
  3. Clients;
  4. Suppliers;
  5. Other business contacts.

Data security

We have comprehensive guidelines for ensuring the security of personal data. Please refer to the ‘Data and IT Security Policy’ for further information.

Organisational measures

Wholegrain will ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

  1. All employees, contractors, or other parties working on behalf of Wholegrain shall be provided with a copy of this policy;
  2. Only employees, contractors or other parties working on behalf of Wholegrain and that need access to, and use, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the company;
  3. All sharing of personal data shall comply with the information provided to the relevant data subjects and, if required, the consent of such data subjects shall be obtained prior to the sharing of their personal data; 
  4. All employees, contractors, or other parties working on behalf of Wholegrain handling personal data will be appropriately trained to do so and supervised; 
  5. All employees, contractors, or other parties working on behalf of Wholegrain handling personal data will be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise; 
  6. Methods of collecting, holding, and processing personal data will be regularly evaluated and reviewed;
  7. All personal data held by the company shall be reviewed periodically, as set out in the company’s ‘Data Retention Policy’;
  8. The performance of those employees, contractors or other parties working on behalf of Wholegrain handling personal data shall be regularly evaluated and reviewed;
  9. All employees are required and bound by their contract of employment to handle personal data in accordance with this policy.  Likewise applicable contractors are bound by their contract for services. 
  10. Contractors or other parties working on behalf of Wholegrain who are handling personal data and fail in their obligations under this policy shall indemnify and hold harmless the company against any costs, liability, damages, loss, claims, or proceedings which may arise out of that failure. 

Data breach notification 

All personal data breaches must be reported immediately to the company’s Data Protection Officer, and are to be investigated by the Data Protection Officer only. Under no circumstances are employees or contractors to conduct their own investigations into a personal data breach. Any and all evidence relating to the personal data breach in question should be carefully retained.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office (www.ico.org.uk) is informed of the breach without delay, and in any event within 72 hours after having become aware of it. In addition, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

Roles and Accountabilities 

The Data Protection Officer is responsible for implementing the necessary policies, practices, procedures, processes, guidelines, controls, and training that are reasonably necessary to support, and ensure compliance with, this policy, and for ensuring that suppliers, clients and other business contacts have access to this policy and the relevant appendices. 

Line Managers, department heads and supervisors are responsible for ensuring that all employees, contractors, and other parties working on behalf of Wholegrain and within their sphere of responsibility, comply with this policy and the practices that exist within the company to support it. 

All employees, officers, contractors, and other parties working on behalf of Wholegrain Digital are responsible for:

  1. collecting personal data only to the extent required for the performance of their job duties and only in accordance with this policy. Under no circumstances must excessive personal data be collected; 
  2. referring any questions regarding the policy to the Data Protection Officer and for consulting with the Data Protection Officer regarding any uncertainty as to the lawful basis on which personal data is to be/has been collected, held and/or processed; 
  3. consulting with the Data Protection Officer if consent is being relied upon in order to collect, hold, and/or process personal data for which consent has not previously been obtained and which therefore requires new or amended appendices/privacy notices; 
  4. obtaining clarification from the Data Protection Officer in respect of the retention period for any type of personal data;
  5. obtaining assistance from the Data Protection Officer in dealing with the exercise of a data subject’s rights, for example the handling of a subject access request;
  6. making the Data Protection Officer aware that a personal data breach (suspected or actual) has occurred or is at risk of occurring, in addition to flagging any uncertainty regarding current or prospective security measures (for example, from a technical or organisational perspective) required to protect personal data;
  7. obtaining approval from the Data Protection Officer if personal data is to be shared with third parties, regardless of whether such third parties are acting as data controllers or data processors.  Where personal data is to be transferred outside of the UK, this must be highlighted to the Data Protection Officer to ensure the correct legal basis exists in which to do so;
  8. making the Data Protection Officer aware of any new significant processing activity that is to be carried out, or of any significant changes to be made to existing processing activities, both of which will require a Data Protection Impact Assessment (DPIA) to be conducted;
  9. supporting the Data Protection Officer where requested in the completion of Data Protection Audits; 
  10. obtaining approval from the Data Protection Officer when personal data is to be used for purposes different to those for which it was originally collected and/or if any automated processing, including profiling or automated decision making is to be carried out;
  11. seeking assistance from the Data Protection Officer in complying with the law applicable to direct marketing campaigns and/or events.