PRIVACY POLICY


Passed by the European Union in April of 2016, the GDPR had a far-reaching global impact on data security. No matter where you were based, any organisation that did business with EU citizens had to comply with the GDPR’s expanded and more stringent data protection rules by May 25th, 2018.

The UK voted to leave the EU in 2016 and officially left the trading bloc – its nearest and biggest trading partner – on 31st January 2020. However, both sides agreed to keep many things the same until 31st December 2020, to allow enough time to agree to the terms of a new trade deal.

The GDPR is an EU Regulation and, from 1st January 2021, no longer applies to the UK. However, our organisation operates inside the UK, and so we need to comply with UK data protection law, including the Data Protection Act 2018 (DPA 2018). The GDPR has been incorporated into UK data protection law as the UK GDPR, so in practice there is little change to the core data protection principles, rights, and obligations found in the EU GDPR.

On 28th June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before in the majority of circumstances. Both decisions are expected to last until 27th June 2025. Most EEA processors will be able to send personal data back to UK controllers with no restrictions.

The EU GDPR may also still apply directly if we operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although they hope to continue working closely with European supervisory authorities.

The Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. The UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.

The ICO will remain the independent supervisory body regarding the UK’s data protection legislation. The UK government will continue to work towards maintaining close working relationships between the ICO and other countries’ supervisory authorities once the transition period ends. The principles of the EU GDPR have been incorporated in UK Data Protection law, so we will continue to use our existing policies and procedures. We have updated this policy and procedure to reflect that the Brexit transition period has ended. We will continue to keep our policies under review and update them where necessary.

The Guide to the UK GDPR is part of the ICO’s Guide to Data Protection. It is for DPOs and others who have day-to-day responsibility for data protection. It explains the general data protection regime that applies to most UK businesses and organisations. It covers the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018. It explains each of the data protection principles, rights, and obligations and summarises the key points which are contained in this policy and procedure. Where relevant, this guide also links to more detailed guidance and other resources, including ICO guidance and statutory ICO codes of practice. Links to relevant guidance published by the European Data Protection Board (EDPB) are also included for reference purposes.

POLICY STATEMENT

The UK GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability principle

Our company needs to collect personal information about the people we deal with to effectively and compliantly carry out our everyday business functions and activities and to provide the products and services defined by our business type. This information can include (but is not limited to) names, addresses, email addresses, dates of birth, IP addresses, identification numbers, private and confidential information, sensitive information, and bank details.

In addition, we may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations. However, we are committed to collecting, processing, storing, and destroying all information in accordance with the UK General Data Protection Regulation and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store.

Our company has developed policies, procedures, controls, and measures to ensure continued compliance with the UK GDPR and its principles, including staff training, procedure documents, audit measures, and assessments. Ensuring and maintaining the security and safety of personal and/or special category data belonging to the individuals with whom we deal is paramount to our company ethos, and we adhere to the UK GDPR and its associated principles in every process and function.

We are proud to operate a 'Privacy by Design' approach and aim to be proactive, not reactive; assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.

PURPOSE

The purpose of this policy is to ensure that our organisation is meeting its legal, statutory, and regulatory requirements under the UK GDPR and to ensure that all personal and special category information is safe, secure, and processed compliantly while in use and/or being stored and shared by us. We are dedicated to compliance with the UK GDPR’s principles and understand the importance of making personal data safe within our business.

To this end, we provide our staff with regular training sessions, including access to online e-learning courses and quizzes, compliance updates, and assessments regarding the UK GDPR rules, principles, and guidelines to ensure their knowledge and understanding of this area are adequate, effective, and relevant to their role. The measures in this policy are compliant with the UK GDPR rules and as such, support our staff and give them the confidence and competence to process personal information compliantly.

The UK GDPR includes provisions that promote accountability and governance and as such our firm has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is to ultimately minimise the risk of breaches and uphold the protection of personal data.

SCOPE

This policy relates to all staff (meaning permanent, fixed-term, and temporary staff, any third-party representatives or sub-contractors, and agents engaged with our organisation in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual, and business expectations and requirements.

Transfers of data from the UK to the European Economic Area (EEA) are not restricted. The EU has agreed to delay transfer restrictions from the EEA to the UK (known as the bridge). This enables personal data to flow freely from the EEA to the UK until either adequacy decisions are adopted or the bridge ends.

Unless the EU Commission makes an adequacy decision before the bridge ends, EU GDPR transfer rules will apply to any data coming from the EEA into the UK. We therefore need to consider what safeguards we can put in place to ensure that data can continue to flow into the UK if required, which is unlikely.

About

FZ Consultancy Services Ltd., registered as a limited company in England and Wales under company number: 12965189

Contact Details

FZ Consultancy Services Ltd

253 Alcester Road South

Birmingham

B14 6DT

0121 271 0660

The content on this website is owned by us and our licensors. Do not copy any content (including images) without our consent.
