As part of your role with Wholegrain Digital, you’ll come into contact with a lot of important, sensitive and confidential information about clients, suppliers, business contacts, employees, and anybody else with whom we have a working relationship.

It’s essential that you treat this information with the utmost care and confidentiality. Anybody found to have violated our security rules could be liable for disciplinary action, up to and including termination of employment. It is that serious.

Scope

Our policy applies to all staff members whether you’re working from home or our offices, as well as sub-contractors, suppliers and anybody else that we collaborate with or who acts on our behalf and may require occasional access to data.

It applies to all data the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

  • Names of individuals
  • Postal Addresses
  • Email Addresses
  • Telephone Numbers
  • Plus any other information relating to individuals

Data Protection Act

We comply with the Data Protection Act 1998 at all times, regardless of whether data exists electronically, on paper, or on any other materials. The act states that personal information must be collected and used fairly, stored safely, and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be protected in an appropriate way
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Our Commitment

Wholegrain’s Data Protection Policy exists to ensure that we:

  • Comply with data protection law and follow good practice
  • Protect the rights of staff, clients and partners
  • Are open about how we store and process people’s data
  • Protect ourselves from risks of a data breach

Our data will not be:

  • Communicated informally
  • Stored for longer than a specified time
  • Transferred to organisations, states or countries that don’t have adequate data protection policies
  • Distributed to anybody other than those specifically agreed by the data’s owner

We’re also committed to:

  • Advising people how we collect their data
  • Informing people how we process their data
  • Informing people who has access to their data
  • Having adequate provisions in case of lost, corrupted or compromised data
  • Allowing people to request that we modify, erase, reduce, or correct data that’s stored in our databases

Responsibilities

Everybody who works for or with Wholegrain is responsible for ensuring data is collected, stored and handled appropriately.

Team Genie Rachel and Team Admin Mohib have key areas of responsibility, while the Directors are ultimately responsible for ensuring that Wholegrain meets its legal obligations.

To exercise data protection we’re committed to:

  • Restricting and monitoring access to sensitive data
  • Developing transparent data collection procedures
  • Training employees in online privacy and security measures
  • Building secure networks to protect online data from hackers
  • Establishing clear procedures for reporting privacy breaches or data misuse
  • Establishing data protection practices (shredding confidential documents, secure locks, encryption, access authorisations, etc.)
  • Dealing with subject access requests – requests from individuals to see any data that we hold about them
  • Including contract clauses or communicating statements on how we handle data
  • Protecting online data with strong passwords that are changed regularly
  • Backing data up regularly and testing those backups
  • Reviewing data regularly, and updating or deleting anything that’s no longer relevant

Preparing for the General Data Protection Regulation (GDPR)

The EU’s new General Data Protection Regulation comes into force on 25 May 2018. The new regulations supersede current data protection guidelines and will mark a wide-ranging and significant change to the way we must protect personal data.

In order to prepare for these changes, Wholegrain is:

  • Taking steps to ensure all team members are aware of the new regulations.
  • Carrying out an information audit to document all the personal data we hold.
  • Reviewing our privacy notices in preparation for the new regulations.
  • Checking our procedures to ensure we’re processing data in line with individuals’ rights, including how we delete data and provide data electronically.
  • Updating our procedures for dealing with subject access requests.
  • Identifying the lawful basis for processing personal data and ensuring this is documented in our privacy notice.
  • Considering whether we need to put procedures in place for collecting data from children.
  • Ensuring we have procedures in place for reporting any data breaches.
  • Familiarising ourselves with the ICO’s code of practice on Privacy Impact Assessments.
  • Assigning a designated Data Protection Officer.
  • Ensuring we follow regulations on international data transfers.