You may have heard of the data protection legislation known as the General Data Protection Regulation, or more commonly GDPR. It effectively replaces and updates the Data Protection Act 1998, bringing in new requirements and substantially increasing the penalties for breaches. It applies from 25th May 2018, so any organisation that is required by law to comply with GDPR must be doing so by that date at the latest. The law doesn’t only cover large businesses; it also covers sole traders such as myself who handle sensitive personal data on behalf of clients.
GDPR imposes strict controls on how all organisations collect and process personal data within the EU and/or the personal data of EU citizens. The UK is expected to enforce the full range of GDPR requirements. There are several aspects to GDPR, but they can be summarised as follows:
- Remove information that is no longer needed from every place it is held, and ensure it is securely destroyed
- Ensure data can only be accessed by the people who need it
- Ensure data is transferred in the most appropriate manner
- Ensure data is stored appropriately and securely
- Ensure data is only kept as long as it is needed
The regulation outlines six key principles for organisations that process individuals’ personal information. These are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
My formal fair processing statement is as follows:
This Fair Processing Notice (or Privacy Notice) is issued in accordance with the EU General Data Protection Regulation and the Data Protection Act 2018. It covers all data processing activity undertaken by myself operating as a sole trader consultant.
- Data Controllers
The Data Controller is:
- Why am I processing your data?
So that I can deliver advice to my client under my consultancy contract with them, in relation to the project(s) for which your organisation, and the individuals associated with the organisation or project(s) (“the Data Subject(s)”), have received or may receive grant support.
I will use this information only as needed to carry out my consultancy duties.
- What data will I process?
The data I will process will include:
- Telephone numbers
- Email addresses
- Organisation and project related information including financial and personnel information
- Who will have access to this data?
Access to your organisation’s and project information is governed by the contract between your organisation and my client, or directly with me. Generally, only my client and I will have access to this information. However, it may also be made available to any other consultants appointed by my client or by yourselves with whom I need to exchange information. Information may also be shared with other organisations as set out in the contract between your organisation and my client.
- Who else will have access to the data I process?
No one else will have access to the data I process unless authorised by my client or yourselves, or where required by law. In the case of Lottery funded projects this will include the National Audit Office.
- Where will the data be held?
Your data will be processed and stored in the following manner:
- Physical information (paper/CDs) will be stored securely and destroyed securely when no longer required.
- Electronic documents will be held on encrypted, restricted-access online storage or backup discs and deleted when no longer required.
- Online, using the HLF portal. This is a bespoke, secure online application for the management of funded projects.
- How long will I retain the data for?
I will keep your information for as long as I have a commission, or the prospect of a further commission, in relation to your organisation/project, and/or for as long as I am required to do so under the terms of a contract with my client or your organisation. At the end of that time I will generally delete your data within a reasonable time span, unless I request, and you give me, permission to retain it. All consultation contact lists will be deleted two years after the completion of the contract. There may, however, be circumstances where I will retain information for longer where I need it for my own and my client’s legitimate purposes, e.g. to help me respond to outstanding queries. I will only use your data for legitimate, work-related purposes permitted by law. In line with GDPR, I will not be requesting your consent to communicate with you, as this is an intrinsic aspect of enabling me to carry out my contractual responsibilities, which are also covered by my client’s contract with your organisation.
- What is my Legal Basis for processing your data?
I must have a legal basis to process your personal data.
Generally, the legal basis is:
- Contract necessity: carrying out the obligations of a contract or legal agreement between two or more parties.
Occasionally the legal basis may be:
- Legitimate interest: a balancing test shows that processing the data is in the shared interest of the controller and the data subject. The controller must demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject”.
- Your rights
Should you have any questions relating to your data protection rights, please contact the Data Controller named above.
Version 1 – 25th May 2018