DBH BUSINESS SOLUTIONS
DATA PROTECTION POLICY & SOPs
Abbreviations & Definitions used in this document:
DBH = DBH Business Solutions
CPD = Company Personal Data
DC = Data Controller
DPIA = Data Protection Impact Assessment
S-P = Sub-Processor
Written – includes electronically generated documents
SOPs = Standard Operating Procedures
GDPR = General Data Protection Regulation
ICO = Information Commissioner's Office
Set out below are the data protection policy and SOPs of DBH in respect of Company Personal Data (CPD) supplied by a Data Controller (DC) for the purposes of the provision of services, storage and processing by DBH acting as a Processor.
DBH undertakes to implement the systems, procedures and policies listed below and to meet all obligations contained therein, with a view to keeping such data secure and confidential.
The Law: when handling CPD provided by the DC, DBH will:
> Comply with all current and future Data Protection Legislation.
> Abide by all EU, national and international rules, regulations and statutes governing the handling of personal data, in particular the GDPR.
> Observe and comply with any lawful directions issued by the ICO.
When processing, storing or providing services in respect of CPD, DBH will:
- Only handle CPD in a manner which is consistent with Data Protection Legislation.
- Only deal with CPD as instructed in writing by the DC.
- If authorised by the DC to appoint or employ a sub-processor ensure that CPD is only handled and processed under the terms and conditions allowed.
- Take all reasonable steps to ensure the trustworthiness and reliability of any employee, agent, or contractor authorised by the DC to have access to CPD.
- Act on any further written instructions issued by the DC with regard to CPD.
- Not permit the use of any CPD for unauthorised purposes.
- Not allow any unauthorised access to CPD.
- Ensure that access to CPD is restricted to personnel who need to know its content in order to perform their duties under the agreement between DBH and the DC.
- The ultimate manner in which CPD is handled and processed is to be found in the written signed agreement between DBH and the DC.
- Deal with CPD fairly and transparently.
- Maintain a record of all processing activities.
Security of CPD (Article 32 GDPR): DBH will discharge its legal obligation to ensure the safe custody and the confidentiality and integrity of the content of any CPD entrusted to its care by taking the following actions:
- Ensure that an appropriate level of technical and organisational security measures is put in place to safeguard the confidentiality of all CPD and to ensure that no unauthorised access takes place. In assessing the appropriate level of security, the risk presented by each processing activity and the degree of harm that a breach could cause will be taken into account, as referred to in Article 32(1) GDPR.
- Where CPD is held in hard copy suitable security arrangements will be put in place to ensure its safe custody and confidentiality.
- Where CPD is stored electronically only suitable devices and sites will be used.
- Appropriate passwords and entry codes will be used, reviewed and changed if and when necessary. Encryption will be considered where the sensitivity of CPD warrants its use.
- Install appropriate countermeasures to protect against malware and unauthorised intrusion.
- Report any loss, theft or breach of CPD to the DC without undue delay and, where required, to the appropriate authorities.
- Report any loss or theft of devices containing CPD.
- Cooperate in the investigation and mitigation of CPD breaches.
- Put in place a CPD audit trail and make this available if requested.
- Put in place a system to retrieve CPD in the event of technical failure.
- Only transfer CPD by secure means.
- Never leave devices containing CPD unattended in a state that would allow unauthorised access to the CPD contained therein.
- Carry out a Data Protection Impact Assessment if and when required to do so by the criteria contained in Article 35 or 36 GDPR.
- Assist the DC in producing a DPIA if one is required.
Appointment of Sub-processors (Article 28 GDPR): DBH will follow the procedures below when authorised to employ sub-processors:
- Assess and ensure that sub-processors are suitable, competent and trustworthy to handle CPD.
- If considered necessary obtain references and testimonials.
- As far as practicable, ensure that they adhere to the terms and conditions contained in the sub-processor's written agreement.
- Not divulge any CPD until the written agreement has been signed.
- On request, provide copies of the terms and conditions of the written agreement to the DC.
- Provide the DC with details of what access the sub-processor will have to CPD and how it will process it.
- On request provide details of the sub-processors appointed.
- If the DC objects to the use of a particular sub-processor no CPD shall be divulged to them until the situation is resolved.
- As far as practicable, DBH will ensure that any sub-processor keeps all CPD secure and only processes it as specified in the agreement.
- The details of sub-processors will only be provided where there is a legitimate or legal reason to do so, and subject to an agreement that such information will not be used to the prejudice or detriment of the commercial or financial interests of DBH.
Data Subject Rights and requests for disclosure of CPD: DBH undertakes to:
- Assist the DC in its obligations to respond to any data subjects rights requests.
- Notify the DC if any requests have been made for disclosure under the Data Protection Legislation.
- Not respond to any request except on documented instructions from the DC.
- If required to disclose by law notify the DC prior to disclosure.
- Not infringe any individual's rights as listed in the GDPR.
Removal of CPD: DBH:
- Will remove, delete or return CPD in the manner directed by the DC.
- Will not retain any CPD unless authorised by the DC and allowed by law.
- Will supply the DC with a certificate of removal if requested.
- Will, at the request of the DC, allow an audit of any of the DC's CPD being held.
Details of and reasons for possessing and processing CPD: DBH will only possess, store and process CPD in accordance with the GDPR as follows:
- Only on the documented instructions of the DC.
- Only transfer CPD to an international body or a third country on the instructions of the DC and as allowed by law.
- Inform the DC of any legal requirement prior to transfer.
- If DBH considers that any instructions infringe any Data Protection Legislation they will bring this to the attention of the DC and not process any CPD until the issue is resolved.
- Only process CPD in respect of children where there is parental consent.
The overarching principles which DBH will impose on itself when dealing with CPD are as follows:
- Only deal with CPD as allowed under current and future Data Protection Legislation, in a fair and transparent manner.
- Abide by all Articles of the GDPR.
- Do all in its power to ensure the security of CPD with which it is entrusted.
- Ensure the content integrity of any CPD in its possession.
- Only appoint suitable Sub-Processors under a written agreement.
- Only deal with CPD in a manner consistent with documented instructions from the DC.
- Allow no third party unauthorised access to any CPD in its possession.
- Prevent any unauthorised or improper use of CPD in its custody.