GDPR - May 2018
Nova Group needs to gather and process certain personal information about individuals.
This information can relate to customers, suppliers, business contacts, employees and other people with whom we have a relationship.
As such, Nova Group undertakes to ensure its Data Protection operations comply in full with the General Data Protection Regulation (GDPR), which comes into effect in May 2018. This policy becomes effective immediately.
Simon Felstein (Managing Director) is the company’s Data Protection Officer and is the appointed person to oversee compliance with the GDPR. He will ensure that the following steps are carried out. He is the appointed controller.
- Carry out an audit to identify the relevant Personal Information that will be processed by Nova Group.
- Once this audit is complete, determine if the processing of Personal Information is necessary.
- If it is deemed necessary to process Personal Information, then the controller will establish the lawful basis for processing this information.
- Issue a Privacy Notice informing all interested parties of the nature of the Personal Information to be processed, the reason for processing the information and the lawful basis on which the information is to be processed. Access, rectification, objection and erasure procedures will also be referenced in the Privacy Notice.
- Ensure that hard copy Personal Information is held securely and safely in locked filing cabinets and not communicated to third parties, except where legally required or authorised by the individual. Personal Information (e.g. resident names, customer contact details etc.) is not to be included on any document to be used outside of Nova Premises. If it is to be used in electronic form, then it must be password protected.
- Ensure that Personal Information is not used for any marketing purpose, either directly or by third party agencies.
- Ensure that Personal Information is not shared, sold or rented to third party agencies.
- Ensure that electronic systems are protected by the latest security software and that regular scans are carried out.
- Facilitate access to Personal Information to the individual.
- Have clear procedures for information to be corrected in the event of errors.
- Where appropriate, provide opportunities for erasure (except where the lawful basis for processing is legal obligation).
- Ensure that Personal Information is reviewed periodically and any out-of-date or no longer required information is shredded and disposed of securely.
- Provide training for all staff connected with the processing of Personal Information.
This policy will be reviewed annually to ensure continued suitability.