The goal of this data protection policy is to set out the legal data protection aspects in one summarising document. It can also serve as the basis for statutory data protection inspections, e.g. by a customer within the scope of commissioned processing. The aim is not only to ensure compliance with the European General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 but also to provide proof of compliance.
Hodfords Solutions Ltd is a supplier of software development capabilities and team augmentation for our clients. We often build software that requires us to be a data processor for the duration of the project. We typically do not own the IP for the software and, as such, are only ever in a data processing position within client relationships.
Our Security & Risk Management policy document contains detailed policies on Information Systems Security and remote access control.
In our GDPR role as a data processor, we process personal data on behalf of the controller (our clients). Processors act on behalf of the relevant controller and under their authority. As the data processor we have obligations to follow. They are below:
Accountability obligations - You have to keep records and appoint people responsible for data protection
International transfers - The UK’s restrictions on transferring personal data outside the UK align with the EU’s restrictions on transferring personal data outside the EU. You have to ensure that any transfer outside the UK is approved by the controller and complies with the UK GDPR’s transfer provisions.
Cooperation with supervisory authorities - You are obliged to cooperate with supervisory authorities, such as the Information Commissioner’s Office (ICO), to help them perform their duties.
Under GDPR we must have one of six legitimate reasons for lawfully processing data. The six are set out below:
Purpose limitation. Processing of personal data must be limited to the legitimate purpose for which that personal data was originally collected from the data subject. This effectively forbids the processing of personal data outside of the legitimate purpose for which the personal data was collected.
Data minimisation. When collecting data, only the personal data absolutely required for that purpose may be requested. This means that no data other than what is necessary can be requested, or stored. This is of significance when your company is analysing data. It will be important to limit the analysis of data to a set of anonymised data, or to a set of data for which consent has been obtained or there is a clear legitimate processing purpose.
Accuracy. Personal data of data subjects must always be accurate and kept up to date. This is simple and straightforward, meaning that controllers are asked to ensure that data is kept accurate, and data subjects can update their data when required.
Integrity and confidentiality. Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing. Also, controllers must ensure that data cannot be modified by unauthorised persons.
Storage limitation. Personal data should be retained only while necessary. That is, personal data should be deleted once the legitimate purpose for which it was collected has been fulfilled. This is not simple, and needs to be determined in line with applicable laws that may sometimes require personal data to be retained for a longer period than the originally envisaged processing purpose.
Fair and transparent. GDPR asks that all personal data processing should be fair; that is, companies do not perform processing that is not legitimate. Also, companies should be transparent regarding the processing of personal data, and inform the data subject in an open and transparent manner. This means that personal data should be processed if, and only if, there is a legitimate purpose for the processing of that personal data. EU GDPR requires companies to practise transparency so that data subjects are sufficiently informed regarding the processing of their personal data.
Hodfords aims to achieve the highest data protection levels associated with being a data processor. We are committed to continuous improvement of data protection management within the business and will review processes annually.
Data protection goals are to be defined and documented. Data protection goals are based on data protection principles and must be individually modified for every company.
Roles and responsibilities
At Hodfords we do not have a DPO, as we are a small business and only process data. The designated person who will deal with GDPR and data protection at Hodfords Solutions Ltd is Charlotte Ford.
Charlotte Ford is responsible for:
Ensuring all employees have read the Security & Data protection policies
Training on GDPR for employees who request it
Ensuring that the work we undertake has a clear & defined Data processor & controller agreement in place
Supplier relationships: noting the regular inspection and evaluation of data processing, especially the efficacy of the implemented technical and organisational measures.