The Marketing Farm Limited including subsidiary The Software Farm Limited
This policy applies to all Personal Data controlled or processed by the Organisation.
The purpose of this policy is to protect Personal Data in compliance with data protection law, ensuring good practice and protecting the organisation, clients, staff and other individuals.
The Board and Company Directors have overall responsibility to ensure that the organisation complies with its legal obligations.
This policy was approved by the board of on 23/05/2018 and became operational on 23/05/2018. The policy will be reviewed every 3 years.
The Organisation has appointed a Data Protection Co-ordinator to ensure that a full briefing on data protection responsibilities is given to company directors, the board and all staff. The Data Protection Co-ordinator is also responsible for reviewing and, where required, updating all Data Protection related policies, advising other staff on any Data Protection issues, and ensuring that necessary Data Protection inductions and training take place. The Data Protection Co-ordinator will also be responsible for approving any unusual or controversial disclosures of personal data, approving contracts with Data processors, handling any data access requests from subject individuals and sending any relevant notifications to the ICO.
Personal Data is grouped into categories in order to record the lawful purpose and create Data Retention Schedules. Example categories include: personal contact details, work contact details, home address, work address, payroll data, training records etc.
Data subjects have been identified and recorded in groups such as employees, clients and contacts.
A schedule is maintained detailing the lawful purpose of processing by Data Categories and Data Subject Groups.
Using ‘Data Categories’ and ‘Data Groups’, a retention schedule is held which records how long Data is retained.
Using ‘Data Categories’ and ‘Data Groups’, a Lawful Purpose Schedule is maintained.
Where the organisation acts as a processor or sub-processor, Personal Data will be retained for periods as specified by the Data Controller.
Departmental Heads will monitor compliance within their area of responsibility. They will also be responsible for overseeing.
Departmental Managers will be responsible for ensuring that their teams follow agreed procedures. This includes:
All employees have a responsibility to protect Personal Data as outlined in this policy and Data Protection guidance.
The organisation provides staff with Data protection training.
Employees who infringe Data Protection policies and related guidance will be subject to additional training or, where appropriate, disciplinary action.
The organisation has guidelines for managers to ensure an appropriate response to Data Subjects' requests.
The organisation has procedures in place to investigate Data breaches and, where appropriate, to report them to the ICO and inform the Data subject.
Where the organisation is the Data Processor or Sub Processor, the Data breach will be reported to the Data Controller within the timescales detailed in the Controller / Processor agreement.
The organisation has adopted a Data protection by design approach. Any new procedures will be created with the protection of Personal Data in mind.
When new procedures or software are introduced, a Data impact assessment will be carried out as laid out in the ICO guidance.
Cyber security is kept up to date.
The organisation has identified the risks associated with the management of Personal Data. This includes:
The organisation will undertake regular Data protection audits.