The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
B) ROLE OF BREYER GROUP PLC
For most of our Clients, Breyer Group PLC operates as a Data Processor, meaning we work using data provided to us by our Clients. This data typically includes Resident name, address and contact information. We also store Commercial data on our Clients to invoice for works carried out.
If we are required to fulfil the role of Data Controller, we will only collect data that is required to carry out our instructed works. We will also conduct full Data Risk Assessments for any new collection requirements and new projects/client mobilisations.
C) HOW WE USE PERSONAL DATA
The personal data we maintain, hold and use is listed within an internal data asset register and its legitimate Business purpose is documented and catalogued. The data is only used for the purposes of completing work orders issued from a Client, ensuring the safeguarding of our Staff and managing the expectations of the Resident.
All data is subject to a life-expectancy and this too is decided and catalogued as part of the data risk assessment. We routinely audit and delete data that we no longer have a legitimate reason for storing.
D) SHARING OF PERSONAL DATA
Breyer Group PLC do use subcontractors to assist in carrying out their function and we pass the required Personal Data on a case-by-case basis. Our Contractors are expected to provide their own proof of GDPR compliance before work is undertaken by them on our behalf, and the data passed to them is controlled and only relevant for the work they are asked to carry out. This typically only includes the Resident contact details to facilitate the delivery of a service.
E) PROTECTION OF PERSONAL DATA
Breyer Group PLC use numerous methods to ensure Personal Data is kept secure such as:
- User Access/Domain Controlled Network Drives
- Encrypted SQL databases
- Cloud Based Systems
- Encryption by default on Laptops and mobile devices
- Encrypted USB drives
- A robust communications policy.
F) INVESTIGATION INTO SUSPECTED BREACH
If we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by the Data Governance Team ([email protected]), who will decide whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.
G) RESIDENT AND CLIENT RIGHTS UNDER GDPR
As per the GDPR, we ensure that our Clients' and their Residents' rights under the new act are protected. These include the rights listed (where there is no overriding legitimate, legally recognised interest):
- The Right of Access
- The Right of Erasure
- The Right to Rectification
- The Right to Data Portability
- The Right to be Informed
- The Right to Restrict Processing
- The Right to Object
H) DATA SUBJECT ACCESS REQUESTS
Data Subject Access Requests can be made through any contact point within the business; however, ideally they should be made by emailing [email protected]