As part of your role with Wholegrain Digital, you’ll come into contact with a lot of important, sensitive and confidential information about clients, suppliers, business contacts, employees, and anybody else with whom we have a working relationship.

It’s essential that you treat this information with the utmost care and confidentiality. Anybody found to have violated our security rules could be liable for disciplinary action, up to and including termination of employment. It is that serious.


Our policy applies to all staff members whether you’re working from home or our offices, as well as sub-contractors, suppliers and anybody else that we collaborate with or who acts on our behalf and may require occasional access to data.

It applies to all data the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

  • Names of individuals
  • Postal Addresses
  • Email Addresses
  • Telephone Numbers
  • Plus any other information relating to individuals

Data Protection Act

We comply with the Data Protection Act 1998 at all times, regardless of whether data exists electronically, on paper, or on any other materials. The act states that personal information must be collected and used fairly, stored safely, and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be protected in an appropriate way
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Our Commitment

Wholegrain’s Data Protection Policy exists to ensure that we:

  • Comply with data protection law and follow good practice
  • Protect the rights of staff, clients and partners
  • Are open about how we store and process people’s data
  • Protect ourselves from risks of a data breach

Our data will not be:

  • Communicated informally
  • Stored for longer than a specified time
  • Transferred to organisations, states or countries that don’t have adequate data protection policies
  • Distributed to anybody other than those specifically agreed by the data’s owner

We’re also committed to:

  • Advising people how we collect their data
  • Informing people how we process their data
  • Informing people who has access to their data
  • Having adequate provisions in case of lost, corrupted or compromised data
  • Allowing people to request that we modify, erase, reduce, or correct data that’s stored in our databases


Everybody who works for or with Wholegrain is responsible for ensuring data is collected, stored and handled appropriately.

Team Genie Rachael and the People Manager have key areas of responsibility, while the Directors are ultimately responsible for ensuring that Wholegrain meets its legal obligations.

To exercise data protection we’re committed to:

  • Restricting and monitoring access to sensitive data
  • Developing transparent data collection procedures
  • Training employees in online privacy and security measures
  • Building secure networks to protect online data from hackers
  • Establishing clear procedures for reporting privacy breaches or data misuse
  • Establishing data protection practices (shredding confidential documents, secure locks, encryption, access authorisations, etc.)
  • Dealing with subject access requests – requests from individuals to see any data that we hold about them
  • Including contract clauses or communicating statements on how we handle data
  • Protecting online data with strong passwords that are changed regularly
  • Backing data up regularly and testing those backups
  • Reviewing data regularly, and updating or deleting anything that’s no longer relevant

The General Data Protection Regulation (GDPR)

The EU’s new General Data Protection Regulation came into force on 25 May 2018. The new regulations supersede current data protection guidelines and will mark a wide-ranging and significant change to the way we must protect personal data.

In order to prepare for these changes, Wholegrain has:

  • Taken steps to ensure all team members are aware of the new regulations.
  • Carried out an information audit to document all the personal data we hold.
  • Reviewed our privacy notices in preparation for the new regulations.
  • Checked our procedures to ensure we’re processing data in line with individuals’ rights, including how we delete data and provide data electronically.
  • Updated our procedures for dealing with subject access requests.
  • Identified the lawful basis for processing personal data and ensured this is documented in our privacy notice.
  • Considered whether we need to put procedures in place for collecting data from children.
  • Ensured we have procedures in place for reporting any data breaches.
  • Familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments.
  • Assigned a designated Data Protection Officer.
  • Ensured we follow regulations on international data transfers.