Data Protection

Prepared by: Jennifer Higgins
Approved on: 14/09/2025
Next Review Date: 14/09/2026

1. Purpose & Scope

This policy outlines how personal data must be handled, stored, processed, and protected in compliance with UK GDPR.

2. Principles

Personal data must be:

  • Processed lawfully, fairly and transparently

  • Collected for specified, explicit purposes

  • Limited, adequate, relevant, not excessive

  • Accurate and up to date

  • Not kept longer than necessary

  • Processed in line with data subject rights

  • Secure and protected against breach

  • Not transferred outside UK / EEA without safeguards

3. Roles & Responsibilities

  • Directors: ensure legal compliance, review risks

  • Data Protection Lead / Officer: oversee data policy, handle subject requests, training, audit

  • Staff / Contractors: comply with policy, protect data, use secure systems

4. Data Processing & Storage

  • Data stored on secure servers or approved cloud providers

  • Backups maintained and tested

  • Encryption used for sensitive data

  • Access only for authorised personnel

  • Mobile / local copies avoided

5. Data Sharing & Third Parties

  • Only share with necessary third parties (hosting, accounting, legal)

  • Contracts in place to enforce data protection obligations

  • Audits of third-party security

6. Subject Access Requests & Rights

  • Respond to SARs within statutory timeframe (usually 1 month)

  • Verify identity before disclosure

  • Log requests and actions

7. Data Breach & Incident Handling

  • Procedures for detection, reporting, and recovery

  • Report to ICO within 72 hours if required

  • Notify affected individuals if high risk

8. Training & Awareness

  • Regular training for all staff and contractors

  • Updates when policy or legislation changes

9. Review & Audit

  • Annual reviews of data processes

  • Audits of security, third parties, access logs

10. Enforcement & Compliance

  • Disciplinary measures for policy breaches

  • Regular reporting to leadership
