General Data Protection Regulation (GDPR) Policy and Procedures
Purpose
This General Data Protection Regulation (GDPR) Policy outlines GTi Driving Ltd’s commitment to protecting the personal data it holds and to the privacy and security of the individuals concerned. It establishes guidelines and procedures to comply with GDPR requirements and safeguard the rights of individuals whose data we process.
Scope
This policy applies to all employees, contractors, volunteers, and GTi Driving Ltd representatives. It covers collecting, processing, storing, and disposing of personal data relating to employees, clients, learners, and other stakeholders.
Policy Statement
1. Commitment to Data Protection:
o GTi Driving Ltd is committed to complying with the GDPR and ensuring that personal data is processed lawfully, fairly, and transparently.
o We respect the privacy rights of individuals and take appropriate measures to safeguard their data.
2. Legal Compliance:
o This policy complies with GDPR and any applicable data protection laws.
o The organisation will implement appropriate technical and organisational measures to ensure data security.
3. Data Minimisation and Accuracy:
o Personal data will be collected only for specified, explicit, and legitimate purposes, will be limited to what is necessary for those purposes, and will not be further processed in a manner incompatible with them.
o We will ensure that personal data is accurate and, where necessary, kept up to date, and that inaccurate or incomplete data is corrected or erased without delay.
4. Accountability and Transparency:
o GTi Driving Ltd will document data processing activities and ensure they are conducted in compliance with GDPR principles.
o We will provide clear information to individuals about how their data is processed and their rights.
Procedures
1. Data Collection and Processing
• Personal data will only be collected when necessary for legitimate business purposes.
• Individuals will be informed, at or before the time of collection, of the purposes for which their data is collected and processed, through privacy notices.
• Explicit consent will be obtained where required.
2. Data Storage and Security
• Personal data will be stored securely, using appropriate technical measures such as encryption and access controls.
• Access to personal data will be restricted to authorised personnel only.
• Regular audits will be conducted to ensure data security.
3. Data Retention and Disposal
• Personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected.
• Data that is no longer required will be securely deleted or destroyed.
4. Individual Rights
• Individuals have the right to:
o Access their data.
o Request correction or deletion of their data.
o Object to or restrict data processing.
o Receive their data in a structured, commonly used format and have it transferred to another controller (data portability).
o Withdraw consent at any time (where consent is the basis for processing).
• Requests related to these rights will be handled without undue delay and, in any event, within one month of receipt, as GDPR requires (extendable only where a request is complex, and with the individual informed of the extension).
5. Data Breach Management
• All data breaches must be reported immediately to the Data Protection Officer (DPO).
• The DPO will assess the breach and, unless it is unlikely to result in a risk to individuals’ rights and freedoms, report it to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. All breaches, whether or not they are reported, will be recorded together with their effects and the remedial action taken.
• Affected individuals will be informed without undue delay if the breach is likely to pose a high risk to their rights and freedoms.
6. Training and Awareness
• All employees will receive training on GDPR principles and data protection practices during induction and at regular intervals.
• Awareness campaigns will be conducted to ensure ongoing compliance.
7. Third-Party Data Sharing
• Personal data will only be shared with third parties where necessary and subject to a written data-sharing or data-processing agreement setting out the parties’ data protection obligations.
• Third parties must demonstrate GDPR compliance before data sharing is approved.
Roles and Responsibilities
• Data Protection Officer (DPO):
o Oversees GDPR compliance and advises on data protection obligations.
o Monitors data processing activities and investigates data breaches.
o Acts as the main point of contact for data subjects and regulatory authorities.
• Managers and Supervisors:
o Ensure their teams comply with this policy and follow data protection procedures.
o Report any data breaches or non-compliance to the DPO.
• All Employees and Representatives:
o Understand and comply with this policy in their daily activities.
o Report any data protection concerns or breaches to their supervisor or the DPO.
Monitoring and Review
This policy will be reviewed annually or in response to changes in GDPR or organisational practices. Feedback from staff and stakeholders will inform updates and improvements.
Approved by:
Gary H Turner
Director
11 Dec 2024