EU Regulation 2016/679 – General Data Protection Regulation (GDPR)
1. Policy statement:
Forensic Surveys Ltd t/a Brennan Associates (“the Practice”) is fully committed to the principles of securing personal data and privacy by default as required by the GDPR.
We have amended our Terms and Conditions to include information about the type and amount of personal data we store on our servers, which is needed for administrative and financial purposes, including taxation records and professional indemnity requirements.
Our clients are notified at the outset of the need to collect certain data and their specific written consent is obtained before works can be progressed. Our clients are advised of their rights to inspect any data we hold on them and are given an opportunity to have erroneous data corrected or deleted if no longer required. The statement in the Terms and Conditions of Contract advises clients who their primary contact is in this respect, and of their rights to lodge a complaint with the Information Commissioner’s Office.
The Practice does not routinely manipulate or process client data for any sales purposes, and we do not share this data with third parties except as strictly required to progress the brief, and more specifically in seeking Local Authority and other statutory bodies’ information and approvals, and in the tendering and administration of projects where we are required to disclose client names and contact details.
Access to such data, held in job files on our servers, is limited to our designated personnel and service providers alone, and we have robust rules in place about removing job files from the office.
All personal laptops and portable devices are encrypted, and are password secured so that in the event of loss, no disclosure or breaches of security ensue.
In sending sensitive data packets across the internet or on USB memory stick, CD-ROM or DVD discs, we encrypt files and send the encryption key by other means, e.g. text or surface mail, so that even if intercepted, data security is not breached.
We have stipulated that any external agency, subcontractor or service provider which delivers any service to the business is required to abide by the same rules and ensure that similar robust measures are in place at their locations. All such external agencies will be required to report any data breaches within their remit to us promptly, and provide us with access to details of the breach to enable us to make an effective notification to the regulator.
2. Review and audits:
The Practice will undertake a regular review of data protection practices, including systems and training, with a view to assessing compliance and data privacy by default.
3. Breach Response Procedure:
In the event of a breach being discovered, we will notify the data protection regulator without undue delay and, where feasible, within 72 hours.