SDPC (NW) Ltd GDPR – Compliance

GDPR (General Data Protection Regulations) is Europe’s new framework for data protection laws. It went live on 25th May 2018.
These rules introduce new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines. The rules have come about as a result of some very public breaches of personal data security by large corporate companies.

SDPC will be more accountable for our handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed. Under GDPR there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place. As well putting new obligations on the companies and organisations collecting personal data. GDPR also gives individuals a lot more power to access the information that’s held about them.

Everyone has the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information. One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don’t comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If there’s a security breach, it can be fined.

What data is covered? GDPR requires companies to identify all “Personal Data” which it processes Personal data is any data that enables the identification of a “Natural Person”. A “Natural Person” is an individual human being. In addition Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Examples of personal data are: –

1. Full and Last name

2. Personal Email address

3. Business email address

4.Personal telephone number

5. Date of birth

6. Next of kin information

7. National Insurance Number

8. Educational Information

9. Passport

10. Payroll Information

11. Employment History

12. Photograph

13. Mother’s maiden name

14. Work based performance information.

What does this mean for SDPC? The company must identify all personal data that the business processes and identify the basis on which it does so. [Note: processing includes storage] The main sources of personal data in SDPC are as follows (non-exhaustive): – • Employees •

Unincorporated suppliers/subcontractors

Consent—The individual has given the organisation clear consent to process their personal data for a specific purpose.
Contract—The data processing is necessary for a contract with the individual, or because they asked for specific steps before entering into a contract.
Legal obligation—The data processing is necessary for the organisation to comply with the law—not including contractual obligations.
Vital interests—The data processing is necessary for the organisation to protect an individual’s life.
SDPC data processing is necessary to perform a task in the public’s or organisation’s interest
and the task or function has a clear basis in law.
Legitimate interests—The data processing is necessary for the organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (Note: This cannot apply if the organisation is a public authority processing data to perform own official tasks.)
Although SDPC may have a legitimate basis on which to process the personal data, it is still required to take all necessary steps to protect this data, to centralise and control its storage and to record its location. Should the company receive a “subject access request”, the ability of the company to provide details of the data held within the deadlines required will be dependent on this storage and locational recording.
Procedures To ensure compliance with GDPR SDPC will adapt and expand its procedures and data storage facilities. Meetings with relevant staff have been held to explore existing and proposed processes with respect to data protection and the requirements of GDPR.
New/Amended procedures regarding the use of email, mobile phones, Health and Safety, client resident information, suppliers and employees, will be issued and communicated to employees as appropriate.
3rd Party Processors: Where necessary SDPC will share personal data with 3rd parties. If this is required, data will be shared securely. SDPC will require 3rd party processors to confirm full compliance with GDPR themselves. Client Data SDPC has received correspondence from clients requesting confirmation from the company of its GDPR compliance, its policy and its adherence to the client’s requirements regarding personal data. Confirmation that personal data will only be shared with “reliable” persons • That those persons are trained in GDPR, confidentiality, security and the care of personal data • That we obtain consent from the client before data is shared with 3rd parties • That all personal data will be returned or deleted when the contract is “terminated” • That we report any security breaches to the client immediately All client requirements will be saved within a folder on the company SD Drive under General Information/GDPR/Client requirements. It is up to the relevant staff (whether this be business development or delivery teams) to make themselves aware of and to ensure compliance with client requirements. These client requirements should be discussed in the tender handover meeting, the permission to proceed meeting and in the internal pre-contract meeting. Data from the General Public As a largely business to
business organisation (B2B), SDPC doesn’t have the same level of interaction with the general public as business to customer (B2C) businesses. However, any interaction with members of the public should observe the same level of rigorous care with data protection. Wherever possible, the obtaining of personal data for members of the public should be kept to the very minimum.
Customer information should be stored in secure locations such as within our IT systems and in appropriate restricted access folders on the head office network. Customer account personal data where we have not transacted since 31/07/13 is being deleted unless required for legitimate purposes.  SDPC uses a wide variety of suppliers, consultants, agencies and subcontractors. Although most of these are businesses and therefore not “natural persons”, they may still provide contact details to us to aid communication. These should always be business contact details and any personal contact details, if required, should be stored securely. Where the Group sources supply/services from natural persons, personal data should be kept to a minimum and restricted to only those details that the Group requires for its legitimate interests, legal compliance and contractual obligations.
Training for GDPR has already commenced with review sessions with Contracts/Project managers and Supervisors and will provide appropriate training to employees regarding data protection and GDPR, via in-house sessions and tool-box talks, however, employees should at all times be vigilant and alert appropriate authorised personnel to any personal data that is not stored securely.
Subject Access Requests & Data rectification Under GDPR, individuals will have the right to request:

1. confirmation that their data is being processed;  2. access to their personal data;and 3. other supplementary information – this largely corresponds to the information that should be provided in a privacy notice These are similar to existing subject access rights under the Data Protection Act. GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing. Any subject access request will generate a response from the company and the company will verify the identity of the person making the request, using reasonable means. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If SDPC has disclosed the personal data in question to third parties, we will inform them of the necessary rectification where possible. SDPC will also inform the individuals about the third parties to
whom the data has been disclosed where appropriate.  Individuals have a right to have personal data erased and to prevent processing in specific circumstances: 1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. 2. When the individual withdraws consent. 3. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing. 4. The personal data was unlawfully processed (i.e. otherwise in breach of GDPR). 5. The personal data must be erased in order to comply with a legal obligation. 6. The personal data is processed in relation to the offer of information society services to a child.  Under the Data Protection Act, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under GDPR, this threshold is not present.
However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger. There are some specific circumstances where the right to erasure does not apply, where the personal data is processed for the following reasons:
1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation or for the performance of a public interest task or exercise
of official authority;
3. for public health purposes in the public interest;
4. archiving purposes in the public interest, scientific research historical research or statistical
5. the exercise or defence of legal claims. Data Breaches

The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. Notification of a breach is required where the breach is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. For example, notification would be required to the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, SDPC must notify those concerned directly

SDPC (NW) GDPR – Employee Personal Data

All processing of employee personal data by the SDPC payroll departments and by site management. These departments process employee personal data for several key purposes (detailed below) and do so to meet the contractual, legislated and legitimate interests of the company and the vital interests of the employee. The personal data is obtained from employees via employment starter forms, contracts of employment, pension joiner forms,
timesheets, site attendance and induction sheets and vehicle fleet management information requests. The data is stored in appropriate locations on the Group’s IT and administration facilities.
The personal data includes the following: –
1. Title
2. Name
3. Nationality & Ethnicity
4. Gender
5. Marital Status
6. Date of birth
7. Address
8. Contact details (telephone number/email address)
9. National Insurance Number
10. P45/P46
11. Bank account details
12. Driving licence
13. Next of Kin
14. Right to work/residency proof
15. Qualifications/permits
16. Expenses & mileage claims
17. Curriculum Vitae (CV)/Resume
18. Passport
The Group processes the above data for the following purposes;
1. To process pay
2. To make payment of net salary/wage
3. To report PAYE/NI to HMRC
4. To reimburse legitimately claimed business mileage and expenses
5. To create individuals’ business email addresses and email signatures
6. To provide employee mobile phones and landline extensions when required
7. To record site attendance and inductions and to provide information in the event of an emergency

The Company shares personal data with 3rd party processors when necessary in order to meet its obligations as follows;
1. To comply with legal obligations and HMRC requirements to report PAYE deductions,
P60 and P11D information.
2. To meet its contractual obligations to provide information to pension providers & administrators
3. To meet its contractual obligations to provide information to life insurance providers & administrators
4. To meet its contractual obligations to provide information to Health Scheme administrators
5. To meet its legal obligations by providing information to Auditors of the company payroll and pension schemes

In the case of an emergency, for the vital interests of the employee, the company will provide next of kin information to emergency services, life insurance, pension and health trust administrators and to contact next of kin, as appropriate. In addition, also for the vital interests of the employee, details where relevant are kept on its sites and at its offices for the purposes of health and safety compliance and emergency purposes and to meet the needs of visits by the Health & Safety Executive (HSE). Further requirements and procedures regarding the processing of personal data for Health and Safety purposes are described in separate specific documents. Consent with employee consent, the company may use employee names, Job Title, CV and photographic images in its internal newsletters, on its website, social media, in promotional materials and in its contract tendering documentation.
A consent form will be provided by the Corporate Services Department for these purposes but is available on S:/ Drive under General Information/Company Forms/Personnel Forms/Consent Forms. For the avoidance of doubt, your consent is optional.
If you consent, the company will record that you have consented. You may withdraw your consent at any time but please be aware that previous consented use of your image, name and job title cannot be erased from issued hard copy formats.3 Retention of data To meet legal obligations and for Health & Safety and insurance purposes, SDPC will retain relevant employee data for appropriate periods of time. These include; • 3 years for PAYE purposes        •6 years for accounts purposes • Between 6 and 12 years for contract purposes • Health & Safety/Insurance – indeterminant timeframes Data is kept secure within SDPC IT servers and archive facilities and will only be referenced for the purposes of answering the enquiries of statutory bodies, company auditors and insurers. Employee rights Employees have the right to request that data is rectified (in the case of erroneous data) or erased. Whereas the company will always seek to maintain accurate data records and will rectify incorrect data, it may refuse to erase data where in its opinion, this compromises its legal, Health and Safety and Insurance requirements. Employees have the right to lodge a complaint with a supervisory authority which in the first instance should be the Group Data Controller.

SDPC recognises that a fully effective data protection environment will require all employees to follow relevant policies and procedures. SDPC GDPR compliance requires personal data to be secure. The requirements apply to Employees, unincorporated customers, unincorporated suppliers/subcontractors and members of the general public.
Non-adherence to the policies and procedures required to meet SDPC data protection responsibilities under GDPR could lead to significant financial penalties to SDPC, loss of work and work opportunities and has the potential to allow personal data to be obtained by those that could use it to cause harm to the data subject. The adherence to these data protection policies is therefore mandatory.
SDPC also requires all employees to be always vigilant and to be alert to the need to protect personal data. All employees are expected to follow these guidelines.
1. Personal data should not be unprotected, if you see personal data in plain view contact the relevant authority immediately to establish whether it is appropriate that this is on view (there may be exceptional circumstances that require this).
2. If you see personal data on or near a printer or photocopier immediately remove this and take it to the relevant authority and tell them where you found it.
3. Personal data secure storage should be locked except when being appropriately accessed.  If personal data storage is found in an unsecure state, raise this immediately with the relevant authority.
4. If you are concerned that there may be a risk of personal data being unprotected, contact the relevant authority.
5. Be alert and do not assume that someone else either has or will deal with the issue.
6. Regularly review your workspace and check that personal data is secure – remove phone lists and any other personal data from walls.
7. Password protect documents that contain personal data – keep a separate record of the password (securely).
8. Be extra careful to protect personal data. Avoid sending personal data by email if possible.  If this cannot be avoided ensure the document has been password protected (see above) before sending and separately email/verbally communicate the password.
9. Do not share personal data with anyone without confirming that the sharing has been approved.
10. Report any suspected data breaches to Group Data Controller 11. Adhere to procedures and policies when they are issued including guide notes the relevant authority: • Site manager • Project/Contracts Manager • Director • Group Data Controller or their representative.