Data Protection Policy

Organisation

The Marketing Farm Limited including subsidiary The Software Farm Limited

Scope of Policy

This policy applies to all Personal Data controlled or processed by the Organisation.

Purpose of Policy

The purpose of this policy is to protect Personal Data in compliance with data protection law, to ensure good practice, and to protect the organisation, its clients, staff and other individuals.

Responsibilities

The Board and Company Directors have overall responsibility to ensure that the organisation complies with its legal obligations.

Policy Approval and Review

This policy was approved by the board on 23/05/2018 and became operational on 23/05/2018. The policy will be reviewed every 3 years.

The Data Protection Co-ordinator

The Organisation has appointed a Data Protection Co-ordinator, who is responsible for:

  • ensuring that company directors, the board and all staff are fully briefed on their data protection responsibilities
  • reviewing and, where required, updating all Data Protection related policies
  • advising other staff on any Data Protection issues and ensuring that the necessary Data Protection inductions and training take place
  • approving any unusual or controversial disclosures of Personal Data
  • approving contracts with Data Processors
  • handling any data access requests from Data Subjects
  • sending any relevant notifications to the ICO

Managing Data

Data Categories

Personal Data is grouped into categories in order to record the lawful purpose of processing and to create Data Retention Schedules. Example categories include: personal contact details, work contact details, home address, work address, payroll data, training records etc.

Data Subject Groups

Data subjects have been identified and recorded in groups such as employees, clients and contacts.

Lawful Purpose

A schedule is maintained detailing the lawful purpose of processing by Data Categories and Data Subject Groups.

Data Retention Schedule

Using the ‘Data Categories’ and ‘Data Subject Groups’, a retention schedule is held which records how long each type of Data is retained.

Data Lawful Purpose Schedule

Using the ‘Data Categories’ and ‘Data Subject Groups’, a Lawful Purpose Schedule is maintained.

Data Processor / Sub Processor

Where the organisation acts as a processor or sub-processor, Personal Data will be retained for periods as specified by the Data Controller.

Departmental Heads

Departmental Heads will monitor compliance within their area of responsibility. They will also be responsible for overseeing.

Departmental Managers

Departmental Managers will be responsible for ensuring that their teams follow agreed procedures. This includes:

  • Data Breaches – reporting / investigating
  • Overseeing the archiving / deletion of Data in accordance with the Retention Schedule
  • Data requests by Data subjects
    • Right to erasure
    • Right to access
    • Right to rectification
    • Right to restrict processing
    • Right to data portability
    • Right to be informed
    • Rights related to automated decision making including profiling
  • Protection of Data
  • Recording the lawful purpose to process data such as consent and legitimate interest
  • Departmental Audits

Employees

All employees have a responsibility to protect Personal Data as outlined in this policy and in the Data Protection guidance.

Training

The organisation provides staff with Data protection training.

Enforcement

Employees who infringe Data Protection policies and related guidance will be subject to additional training or, where appropriate, disciplinary action.

Requests from Data Subjects

The organisation has guidelines for managers to ensure an appropriate response to requests from Data Subjects.

Data Breaches

The organisation has procedures in place to investigate Data breaches and where appropriate report to the ICO and to inform the Data subject.

Where the organisation is the Data Processor or Sub Processor the Data breach will be reported to the Data Controller within the timescales detailed in the Controller / Processor agreement.

Data Protection by Design

The organisation has adopted a Data protection by design approach. Any new procedures will be created with the protection of Personal Data in mind.

Data Impact Assessments

When new procedures or software are introduced, a Data Protection Impact Assessment (DPIA) will be carried out as laid out in the ICO guidance.

Data Security

The organisation's cyber security controls are kept up to date.

Risk

The organisation has identified the risks associated with the management of Personal Data. This includes:

  • Loss of IT equipment, smartphones, tablets, laptops, memory sticks and DVDs
  • Data accessed by unauthorised persons or organisations
  • Inappropriate use of Data
  • Inappropriate sharing of Data

Data Protection Audits

The organisation will undertake regular Data protection audits.