GDPR – Data Protection Policy Statement

*This is the Data Protection Policy of Expert Security written to   comply with the General Data Protection Requirements (GDPR) and the Data Protection Act 1998 (DPA).

Expert Security is committed to the following eight principles of the Data Protection Act:

 

1)     Personal data is only processed for lawful purposes

2)     Personal data is only obtained for lawful purposes

3)     Personal data is adequate, relevant and not excessive in relation to the purposes for which they are processed

4)     Personal data is accurate and, where necessary, kept up to date

5)     Personal data is not kept longer than is necessary

6)     Personal data is processed in accordance with the rights of data subjects in accordance with the DPA

7)     Appropriate measures are taken to prevent against unauthorised or unlawful processing and against accidental loss of, destruction of, or damage to, personal data

8)     Personal data is not transferred outside the European Economic Area

 

Additionally, to comply with GDPR. Expert Security:

 

·        Assesses the operational risks relating to compliance with GDPR and the DPA

·        Maintains registration with the ICO

·        Publishes a Privacy Notice on its website and on office notice boards.

·        Personal data is kept secure in locked files

·        The office is secure and adequately protected with intruder alarms

·        Does not keep special category or sensitive data

·        Does not pass personal data to 3rd parties without their express consent

·        Has arrangements in place whereby an individual can request access to their personal data, request correction and deletion

·        Ensuring that queries about data protection are dealt with effectively and promptly

·        Laptops, computers, mobile devices and business systems holding personal data are password protected

·        Ensures updates to applications and business systems are installed as soon as possible

·        Protects against viruses, cyber-attacks, phishing, malware, DDOS attacks by installing and maintaining appropriate software on devices

·        Has defined the retention period for personal data and disposes personal data in a secure manner

·        Maintains a log and assesses the root cause of data breaches or attempted breaches and take appropriate action to correct the situation and prevent recurrence

·        Controls access to files and systems to ensure that only authorised personnel can access or modify personal data

·        Only transfers personal data by secure means

·        Trains staff on this policy and their individual responsibilities

·        Reviews data protection arrangements at least annually to ensure continued effectiveness.