This statement sets out Keeble Brown Ltd’s commitment to GDPR compliance and stance on data protection principles, rights and obligations.
This statement relates to the data protection regime that applies to most UK businesses and organisations. It covers the General Data Protection Regulation (GDPR) that applies in the United Kingdom and is tailored to the Data Protection Act of 2018.
The GDPR is made up of 11 Chapters and 91 Articles that provide a detailed description of the regulation. Keeble Brown Ltd has followed Information Commissioner's Office (ICO) guidance.
Keeble Brown Ltd is a registered data controller.
Registration number: Z3330986
Here are the steps that Keeble Brown has taken to ensure it complies with the UK’s GDPR 2018.
Keeble Brown Ltd will:
- Make sure that all people in the company, including those outside of the IT department, appreciate the importance of GDPR and compliance with it.
- Document the personal data held, where it came from, and who it is shared with. An information audit will be organised when necessary.
- Review current privacy notices and make any necessary changes.
- Check procedures to ensure that the rights of individuals are accommodated: that individuals can be provided with their personal data in a commonly used format, and that deletion of data is possible on request.
- Update procedures so that requests can be handled within the required timescales.
- Identify the lawful basis under the GDPR for each processing activity, document it, and update the company's privacy notice to explain it.
- Review how consent is sought, recorded, and managed. The company will continually assess whether process changes are needed.
- Consider how to verify individuals’ ages and how parental or guardian consent can be obtained for any data processing activity.
- Implement procedures to detect, report, and investigate a personal data breach.
- Understand when to carry out a Data Protection Impact Assessment (DPIA).
- Designate someone to take responsibility for data protection compliance and consider whether a formal Data Protection Officer is required.
- Determine the relevant data protection supervisory authority.
In addition, Keeble Brown’s management has paid particular attention to the significance of:
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers' personal data and privacy against loss or exposure.
- Articles 31 & 32 – Article 31 specifies requirements for single data breaches: Keeble Brown, as a data controller, must notify Supervisory Authorities (SAs) of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach, such as its nature and the approximate number of data subjects affected. Article 32 requires Keeble Brown to notify data subjects as quickly as possible of breaches that place their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject's genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Keeble Brown is not required to appoint a Data Protection Officer under these guidelines. However, we do require all employees to know and understand the GDPR in relation to the data we control.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
Where Keeble Brown collects, uses, manages and retains personal information, we do so on the basis of public task and in accordance with the principles set out by the ICO. These principles can be summarised as:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Storage limitation.
- Integrity and confidentiality (security).
The directors of Keeble Brown will continue to follow the advice of the ICO on matters of data protection. Changes to the regulations, including any changes arising following the UK’s departure from the European Union, will be adopted into Keeble Brown policy.
This statement was approved by the Directors of Keeble Brown on 31 January 2021.