This policy details how Concept Automotive Ltd (the Firm) will manage data protection and data security and ensure a consistency of approach within the Firm and adherence to the Data Protection Act 2018 (DPA). The Firm recognises that failure to protect personal data poses a risk to employees and clients and to the reputation and good standing of the company, as well as the risk of incurring financial penalties.
Data Protection is regulated and enforced in the UK by the Information Commissioner's Office (ICO) (https://ico.org.uk/).
The Firm is authorised by the Financial Conduct Authority (FCA) and complying with some of the FCA rules requires the Firm to process personal data.
While the ICO will regulate data protection, the FCA will also consider compliance with these regulations under their rules, in particular the Senior Management Arrangements, Systems and Controls standards in the FCA handbook (https://www.handbook.fca.org.uk/handbook).
This policy will be reviewed by the Management Body on an ongoing basis in line with any regulatory changes but at least once a year.
The Management Body is responsible for compliance with data protection law and for ensuring that the Firm is able to produce evidence to demonstrate the steps that it has taken to comply.
The Management Body will ensure that it appoints a Data Protection Officer that reports directly to the Management Body, is an expert in data protection, and is independent and adequately resourced. The Management Body will ensure that:
The Firm is not required to appoint a Data Protection Officer because it is not a public authority and its core activities do not consist of large scale, regular or systematic monitoring of individuals or large scale processing of special categories of data or data relating to criminal convictions and offences. The Management Body has decided not to voluntarily appoint a Data Protection Officer due to the current size of the Firm.
All employees, volunteers, and business associates, such as Appointed Representatives, are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
All employees who deal with personal information are required to handle that information confidentially and sensitively. Employees who undertake to process personal data supplied by the Firm must do so only in accordance with the Firm’s instructions.
Employee obligations in respect of the Data Protection Act form part of their contract of employment.
Personal data is any information relating to an identified or identifiable natural person (also known as a data subject), whether that person is identified directly or indirectly.
Special category or sensitive personal data refers to data relating to racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, genetic data, or biometric data.
A controller determines the purpose of processing, that is when, why and how to process personal data. The Firm is the controller of all personal data relating to its employees, clients, and others whose personal data is used in its business for its commercial purposes.
A processor is responsible for processing personal data on behalf of a data controller and should act only on the controller’s instructions. Processing is any activity that involves the use of personal data such as obtaining, recording, holding, amending, using, transferring, erasing, or disclosing it.
The Data Protection Principles
The DPA sets out 6 principles which define the obligations of the Firm as a processor of personal data. These principles are as follows:
The DPA states that the Firm shall be responsible for, and be able to demonstrate compliance with, these principles.
The Firm will ensure that it has a lawful basis to process personal data. The Firm will ensure that the processing is necessary for its purpose of processing and that there is no other reasonable way to achieve that purpose.
The Firm will determine and document the lawful basis before beginning processing. There may be more than one lawful basis that applies to the processing and, if this is the case, the Firm will document it. The Firm will ensure that it can justify its reasoning for the lawful basis chosen.
The six lawful bases for processing personal data are:
When choosing the lawful basis for processing, the Firm will consider what it is trying to achieve, whether it could reasonably be achieved in another way, and whether it has a choice about processing the data.
The Firm has reviewed its lawful bases for processing in the light of GDPR and updated them where necessary.
If there is a change in circumstances or a new purpose for processing the data, then the Firm will review the lawful basis and make any changes ensuring that the data subjects are informed and the change documented.
When requesting consent, the Firm will:
The Firm will record when, how and from whom it obtained consent and what they were told at the time of consent.
The Firm has reviewed its existing consents in light of GDPR and obtained fresh consent where necessary.
When using contract as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to deliver its side of the contract and that it could not reasonably do what was required without processing the personal data.
When using legal obligation as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to comply with a law or statutory obligation and that it could not reasonably do what was required without processing the personal data. The Firm will identify the specific legal provision or appropriate source of advice that sets out its obligation.
The Firm is unlikely to use vital interests as a lawful basis for processing personal data.
When using vital interests as the lawful basis for processing personal data, the Firm will ensure that the processing is necessary to protect someone’s life and that it could not reasonably do what was required without processing the personal data. The Firm will not use vital interests as the lawful basis if the data subject is capable of giving their consent.
The Firm is unlikely to use public task as a lawful basis for processing personal data.
The Firm is aware that when it uses legitimate interests as the lawful basis for processing personal data it takes on extra responsibility for protecting people's rights and interests.
The Firm will avoid using legitimate interests as the lawful basis where individuals would not reasonably expect the processing or where their interests are likely to override the Firm’s legitimate interests.
The Firm will use a legitimate interests assessment (LIA) to check whether it is appropriate to rely on legitimate interests as the lawful basis for processing personal data and will record this and the outcome to demonstrate compliance with accountability obligations. The LIA consists of 3 parts:
Considerations for these 3 tests are listed in Annex 1 – Legitimate Interests Assessments. If the LIA identifies significant risks, then the Firm will consider performing a Data Protection Impact Assessment (DPIA) to assess the risks and potential mitigation in more detail.
When the Firm uses legitimate interests as the lawful basis, the individual’s right to data portability does not apply.
The Firm will ensure that it meets at least one of the following conditions before processing special category data:
The Firm will record any special category conditions that are applicable to the personal data it is processing.
Personal data on criminal convictions or offences can only be processed if the Firm has an official authority to do so, is processing the data in an official capacity or meets one of the specific conditions in Schedule 1 of the Data Protection Act 2018, which include preventing or detecting unlawful acts, protecting the public against dishonesty, regulatory requirements relating to unlawful acts and dishonesty, preventing fraud, suspicion of terrorist financing and money laundering, and legal claims. The Firm has no official authority to process criminal offence data but does meet one or more of the specific conditions in Schedule 1 for the criminal offence data that it may process.
The Firm recognises that the data subjects/individuals have the following rights:
The Firm will provide individuals with the following privacy information:
The Firm will provide this information to individuals at the time they collect the data from them. If the data is obtained from another source, then the Firm will provide this information within a reasonable time and no later than a month after receiving the data. If the Firm is planning to communicate with the individual, it will provide the privacy information when it communicates for the first time. If the Firm is disclosing the information to a third party, the Firm will provide the individual with the privacy information at the latest when the data is disclosed.
The Firm will regularly review and update its privacy information. Any new uses of personal data will be brought to the data subject’s attention before the new processing starts.
The Firm recognises that individuals have the right to obtain confirmation that their data is being processed, access to their personal data and the information provided in the privacy information.
The Firm will provide this information free of charge. The Firm may charge a fee, based on the administrative costs of processing the request, for requests for further copies of the same information.
Where an individual makes a request for a copy of their information, this should be managed by a Board Director.
The Firm will respond to any request for rectification of inaccurate or incomplete data within one month, or within three months if the request is complex. If the personal data has been disclosed to third parties, the Firm will inform them of the rectification.
The Firm recognises that individuals have the right to erasure in certain circumstances, and will erase the data without undue delay and contact any third parties to whom the data has been passed to inform them to erase the data.
The circumstances in which the right to erasure exists are as follows:
The Firm can refuse the request for erasure for the following reasons:
The Firm will restrict the processing of personal data on request from an individual where one of the following applies:
When the processing has been restricted, the Firm will, except for the storage of the data, only process the data with the individual’s consent. The Firm will inform individuals before a restriction on processing is lifted.
Where individuals have provided personal data to the Firm based on consent or for the performance of a contract and the processing is carried out by automated means, the individual has the right to data portability. The Firm will provide the personal data, without undue delay and within one month, in a structured, commonly used, and machine-readable form. The Firm will provide this information free of charge.
The Firm recognises that individuals have the right to object to direct marketing (including profiling), processing for the purposes of scientific or historical research and statistics and processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority.
If an objection is received, the Firm will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the exercise or defence of a legal claim. For direct marketing, the Firm will stop the processing as soon as the objection is received.
The Firm will inform individuals of their right to object at the point of first communication and in the privacy notice.
The Firm does not carry out automated individual decision-making or profiling.
The Firm will document the following information:
As part of the processing activities, the Firm will also document:
Employees will be trained on their data protection and security responsibilities at induction and given the necessary ongoing training to perform their roles in line with the Firm’s policy and the data protection law.
The Firm will use DPIAs to help it identify the most effective way to comply with its obligations and meet individuals’ expectations of privacy.
The Firm will use DPIAs when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms of individuals.
The Firm will ensure that any personal data held will be processed in a manner that ensures its security. It will ensure that its systems and processes include protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
The Firm will regularly review its procedures for ensuring that personal data held remains accurate and consistent. It will, in particular, ensure that:
The Firm has undertaken an assessment of its information risk to determine an appropriate level of security, reviewing the data held and how it is used, as well as the damage or distress that would be caused if the data were compromised.
The Firm has considered confidentiality, integrity and availability when implementing its data security measures, ensuring that:
The Firm’s security measures take into account both physical and cybersecurity, including the following:
The Firm will also ensure the resilience of its systems and services, so that they can continue operating under adverse conditions and can be restored to an effective state in a timely manner.
The Firm will carry out periodic checks to ensure that its security measures remain appropriate and up to date.
The Firm will only transfer personal data to third countries where the receiving organisations have provided adequate safeguards. Individuals’ rights must be enforceable.
Data transfers from the Firm to the EEA are not restricted. Transfers from the Firm to countries outside the EEA will be subject to the Firm obtaining adequate safeguards.
Adequate safeguards may be provided by:
In the absence of an adequacy decision, personal data can be transferred outside the EU where one or more of the following conditions are met:
Transfers from the EEA to the Firm will need to comply with EU GDPR transfer restrictions. Transfers from outside the EEA to the Firm will need to comply with the laws of the sender’s jurisdiction. The Firm will handle such data in line with UK data protection legislation.
The Firm will cooperate with the ICO when requested.
A personal data breach can be defined as a security incident that has affected the confidentiality, integrity, or availability of personal data.
If a security incident occurs, the Firm will establish whether a personal data breach has occurred and if so, establish the likelihood and severity of the resulting risk to people’s rights and freedoms.
The Firm will investigate the cause of the breach and determine what steps are required to correct it and prevent a recurrence.
Where a personal data breach occurs and it has been established that there is a likely risk to people’s rights and freedoms, the Firm will notify the ICO as soon as possible and within 72 hours of becoming aware of it. If the Firm takes longer than 72 hours to notify the ICO, it will provide the ICO with reasons for the delay.
The notification to the ICO will include:
The information may be provided to the ICO in phases as soon as possible if it is not all available within 72 hours. In these cases, the Firm will explain the delay to the ICO and advise when it expects to submit further information.
A failure to notify the ICO can result in a significant fine.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the Firm will inform those concerned as soon as possible.
The Firm will provide the following information to individuals when telling them about a breach:
The Firm will record all personal data breaches, documenting the facts of the breach, its effects and any remedial action taken. Decisions whether to report the breach to the ICO or inform individuals will also be recorded.
Any breaches of the Data Protection and Security Policy will be recorded on the Firm’s breach log in conjunction with its Regulatory Breach Policy.
A DPIA must:
DPIAs must be used if the Firm is planning to:
The description must include “the nature, scope, context and purposes of the processing”.
The nature of the processing is what the Firm plans to do with the personal data. This should include:
The scope of the processing is what the processing covers. This should include:
The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include:
The purpose of the processing is the reason why the Firm wants to process the personal data. This should include:
The Firm should consult with individuals unless there is a good reason not to. If it is decided not to consult, then the decision and rationale must be documented.
Data processors and all relevant internal stakeholders should also be consulted.
The Firm should include how it ensures data protection compliance, in particular details of:
The Firm must consider the potential impact on individuals, in particular whether the processing will contribute to:
The Firm must include an assessment of the security risks, including sources of risk and the potential impact of each type of breach. To assess the level of risk, the Firm must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
The Firm should also consider its own corporate risks, such as the impact of regulatory action and reputational damage.
Against each risk identified, the Firm must record the source of that risk and then options for reducing that risk.
Options for mitigation can include:
The Firm must record whether the measure would reduce or eliminate the risk, taking into account the costs and benefits of each measure when deciding whether it is appropriate.
If a high risk is identified that cannot be mitigated, the Firm must consult the ICO before starting the processing. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data or ban the processing altogether.
The Firm should record:
As part of the sign-off process, the DPO should advise on whether the processing is compliant and can go ahead. If it is decided not to follow the DPO’s advice, the reasons for this should be recorded. Any reasons for going against the views of individuals or other consultees should be recorded.
The outcomes of DPIAs must be integrated back into project plans, identifying any action points and owners.
The Firm must monitor the ongoing performance of the DPIA.