The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
For most of our Clients, Breyer Group PLC operates as a Data Processor, meaning we work using data provided to us by our Clients. This data typically includes Resident name, address and contact information. We also store Commercial data on our Clients to invoice for works carried out.
If we are required to fulfil the role of Data Controller, we will only collect data that is required to carry out our instructed works. We will also conduct full Data Risk Assessments for any new collection requirements and new projects/client mobilisations.
The personal data we maintain, hold and use is listed within an internal data asset register and its legitimate Business purpose is documented and catalogued. The data is only used for the purposes of completing work orders issued from a Client, ensuring the safeguarding of our Staff and managing the expectations of the Resident.
All data is subject to a life-expectancy and this too is decided and catalogued as part of the data risk assessment. We routinely audit and delete data that we no longer have a legitimate reason for storing.
Breyer Group PLC do use subcontractors to assist in carrying out their function, and we pass the required Personal Data on a case-by-case basis. Our Contractors are expected to provide their own proof of GDPR compliance before work is undertaken by them on our behalf, and the data passed to them is controlled and only relevant for the work they are asked to carry out. This typically only includes the Resident contact details to facilitate the delivery of a service.
Breyer Group PLC use numerous methods to ensure Personal Data is kept secure such as:
If we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by the Data Governance Team, who will make the decision whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.
As per the GDPR, we ensure that our Clients' and their Residents' rights under the new act are protected. These include the rights listed (where there is no overriding legitimate, legally recognised interest):
Data Subject Access Requests can be made through any contact point within the business; however, ideally they should be made by emailing