Introduction

This Data Protection Policy sets out how G. H. Design Ltd (“the Company”) collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection laws.

The purpose of this policy is to ensure that all personal data handled by the Company is managed lawfully, fairly, and transparently, and that appropriate technical and organisational measures are in place to safeguard the rights of individuals.

Scope

This policy applies to all employees, contractors, and third parties who have access to personal data processed by the Company. It covers all personal data relating to clients, employees, suppliers, and other stakeholders.

GDPR Compliance Programme

The Company is committed to maintaining ongoing compliance with the UK GDPR through the following actions:

-  Maintaining a record of all data processing activities.

-  Conducting regular data protection audits and risk assessments.

-  Appointing a Data Protection Lead to oversee compliance.

-  Reviewing this policy annually or as required by law.

-  Responding promptly to data subject access requests (DSARs) and data breach incidents.

Responsibilities for Handling Sensitive Data

All staff are responsible for ensuring that personal data is handled with care and in accordance with this policy. Specifically:

-  Only authorised employees may access personal data.

-  Personal data must not be shared outside the Company unless required by law or with the individual's consent.

-  Paper documents containing personal data must be stored securely in locked cabinets.

-  Electronic files must be stored only on Company-approved systems with secure access controls.

-  Sensitive or confidential data must be clearly marked and encrypted when sent electronically.

IT and Data Security Arrangements

The Company has implemented the following technical and organisational measures to protect data:

-  All computers, laptops and mobile devices are password protected and use automatic screen locks.

-  Firewalls and antivirus software are installed and regularly updated.

-  Regular data backups are carried out and stored securely.

-  Access to shared drives and databases is restricted to authorised personnel only.

-  Emails containing personal data must be encrypted when sent externally.

-  Lost or stolen devices must be reported immediately to management.

Staff Training and Awareness

All employees receive regular data protection training to ensure they understand their responsibilities under this policy. Training includes:

-  Understanding GDPR principles and individuals' rights.

-  Recognising and reporting data breaches.

-  Correct handling and storage of personal and sensitive information.

-  Safe use of IT systems and strong password practices.

Refresher training is provided at least every 12 months or when significant legal or operational changes occur.

Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by law. When no longer needed, data is securely deleted or destroyed.

Data Breach Procedure

Any suspected data breach must be reported immediately to the Data Protection Lead. The Company will assess the incident, take remedial action, and notify the Information Commissioner’s Office (ICO) within 72 hours if required. Affected individuals will be informed if their rights or freedoms are at risk.

International Data Transfers

The Company does not routinely transfer personal data outside the UK or European Economic Area (EEA). Where such transfers are necessary, they will be made only to countries that provide adequate protection, or under appropriate safeguards as defined by UK GDPR.

Contact and Complaints

If you have any queries about this privacy policy or how we process your personal data, or if you wish to exercise any of your legal rights, you may contact:

Post: GH Design Ltd, Suite 9 The Newhouse, Stuart Works, High Street, Wordsley, DY8 4FB

Telephone: 01384 270090

Email: mail@ghdesign.co.uk

If you are not satisfied with how we are processing your personal data, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection laws from the Information Commissioner’s Office website: www.ico.org.uk.