DATA PROTECTION POLICY
Table of Contents
Principles of Data Protection.
Types Of Personal Data Collected.
Introduction
Technology Desking considers data protection and information security as paramount to the global success of our business. For a global SME, the size of Technology Desking, it is important to achieve the essential balance between the ease of collating and processing information and the necessary security controls. As such we have taken the view that both these issues should be treated as one and managed at the board level. We have implemented several protection measures within all our global locations that we feel will enable us to comply with our client’s data protection and information security policies.
This Policy has been drafted to show how Technology Desking complies with the following regulations:
General Data Protection Regulation (GDPR)
Data Protection Act 2018 (DPA 2018)
Scope
This Policy applies to all employees, contractors, and third parties who handle personal data during the company’s operations, including data relevant to clients, suppliers and employees.
Definitions
Personal Data – Information that relates to an identifiable person (e.g. name, contact details, employee records.)
Data Subject – Any individual whose personal data is processed by the company.
Data Controller – The Company, who is responsible for determining the purposes and means of processing personal data.
Data Processor – Any person or third party who processes personal data on behalf of the company.
Processing – Any operation or set of operations performed using personal data (e.g. collection, storage, use, sharing and deletion).
Principles of Data Protection
Technology Desking adheres to the following data protection principles, as required by GDPR:
Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes
Data Minimisation: Only the personal data necessary should be collected and processed.
Accuracy: Personal data must be accurate and kept up to date where necessary
Storage Limitation: Data must not be kept for longer than necessary
Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security
Types Of Persona Data Collected
Technology Desking collects the following types of information:
Client Data: Name, company name, business contact details, delivery address and project specifications for desk fitting
Employee Data: Personal details for employment such as name, address, tax information, payroll data and emergency contact details
Supplier Data: Contact information, bank details for payments and service agreements
Legal Basis for Processing
The company processes personal data under the following lawful bases:
Contractual Obligations: To fulfil contracts with clients (e.g. installing desks)
Legal Obligation: For employment law purposes (e.g. payroll, tax purposes)
Legitimate Interests: To conduct business activities such as managing relationships with suppliers and following up with clients
Consent: For specific activities like marketing where relevant
Data Collection and Processing
Personal data is collected through various means such as online enquiries, client contracts, phone calls, emails and employment forms.
Data collected is processed during the operation of our services as follows:
Client Data – In client communication, invoicing and the delivery of services
Employee Data – For payroll, HR management, and health and safety compliance
Supplier Data – For contract management, procurement and payment processing
Data Storage and Security
Technology Desking has an IT Security Policy which should be read in conjunction with this Policy.
Personal Data is stored in both physical and digital environments, each secure. Security measures include:
Locally stored data which is mirrored over 3 x company sites behind current specification Watch Guard firewalls using VPN tunnelling with AES-256 encryption.
Data backup which occurs daily and weekly using 2 x onsite and 2 x offsite backups.
Access control whereby all users have 8-digit alphanumeric passwords that are kept strictly confidential.
All endpoints, servers and the 365-email environment are protected and monitored using the Huntress Security Operations Centre (SOC) management software. All endpoints (apart from servers) have disabled administrator rights.
Twin factor authentication with strong password protection on all endpoints and a cyber education & awareness program for our employees.
All premises are fully alarmed with 24-hour monitoring.
All premises have fingerprint door entry systems with full traceability of staff movement and ID.
Keys are limited to senior managers only.
Paper documents are kept to a minimum, documents are filed electronically, and sensitive information is always password protected.
User profiles restricted to allow access to sensitive management information to senior management only.
Data Sharing
Personal data is shared internally only with employees who require access to carry out their duties.
The company may share personal data with third-party service providers e.g. delivery firms, IT service providers. Where this is a requirement to carry out business, the company will ensure that the third-party has a GDPR Policy and is complaint, and that a Data Processing Agreement is in place with any company handling personal data on behalf of Technology Desking.
We ensure compliance by third parties by robust supplier vetting and regular factory inspections.
Data Retention
Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
The following data retention periods apply:
Client Data – Retained for 12 years after project completion to allow for any follow up work or warranty issues (10-year warranties)
Employee Data – Retained for the duration of employment and for specific information as follows:
Payroll, tax and NI records – 3 years
Pension records – 6 years
Accident records – 3 years
Maternity/paternity records – 3 years
Supplier Data – Retained for 6 years
Data Subject Rights
Individuals have the following rights regarding their personal data:
Right to access – individuals can request access to the personal data the company holds on them
Right to rectification – individuals can request that inaccurate or incomplete data be corrected
Right to erasure – individuals can request deletion of their personal data where it is no longer necessary or where consent has been withdrawn
Right to restrict processing – individuals can request the company to stop processing their personal data in certain circumstances
Right to data portability - individuals can request that their data be transferred to another data controller
Right to object - individuals can object to certain types of processing, such as marketing
Data Breach Management
Technology Desking has appointed an IT Manager who is responsible for IT and Data Security. This Manager is effectively the Data Lead at Technology Desking and monitors the activity of users to ensure compliance with this policy and the IT Security Policy.
All breaches of information and data security are taken very seriously. Employees are trained in data handling and are expected to report any breaches immediately to the IT Manager/Data Lead who will take the following steps:
Assess the breach
Notify the ICO if applicable
Notify any individuals affected by the breach
Take steps to mitigate any harm and prevent future breaches
Oversight and Monitoring
Oversight of this Policy is provided by the IT Manager/Data Lead.
Data and Information Security are agenda items on the monthly Senior Management Meetings.
This Policy will be reviewed regularly (at least annually) to ensure continued compliance with relevant regulations and to reflect any changes in company operations.