General Data Protection Regulation Act 2018 Policy
Policy statement
KPM Accounts Ltd is committed to a policy of protecting the rights and privacy of individuals and others in accordance with The General Data Protection Regulation Act 2018. The policy applies to all employer / employees. Any breach of The General Data Protection Regulation Act 2018 or The KPM Accounts Ltd Policy is an offence and, in that event, disciplinary procedures apply.
As a matter of good practice, other organisations and individuals working with KPM Accounts Ltd, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that any staff who deal with external organisations will take responsibility for ensuring that such organisations sign a data sharing sheet agreeing to abide by this policy.
Legal Requirements
All data we hold is protected by The General Data Protection Regulation Act 2018, which came into effect on 25th May 2018. Its purpose is to protect the rights and privacy of individuals and to ensure that personal data are not processed without their knowledge, and, wherever possible, is processed without their consent.
The Act requires us to register the fact that we hold personal data and to acknowledge the right of ‘subject accesses – Employers / Employees and customers must have the right to copies of their own data.
Managing Personal Data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, then KPM Accounts Ltd will notify the ICO (within 72 hours where feasible). Any breaches are not required to be reported to ICO it will however still be logged on KPM Accounts internal breach log.
A breach of personal data must be reported to KellyDee Bennett or the Director within 24 hours via a statement detailing the breach of data, all parties involved and any action all ready taken. KPM Accounts Ltd will act immediately by launching an investigation. All relevant parties will be notified where required within 48hours of the investigation being launched.
Purpose of data held by the KPM Accounts Ltd
Data may be held by us for the following purposes:
- Staff Administration
- Accounts & Records
- Payroll and Booking
- Managed bank accounts
- Corporate and Deputy-ship services
- Nominated Agent
- To prepare and produce all relevant paperwork held by KPM Accounts for Medway council audit team when requested.
The General Data Protection Regulation Personal Data Principles
In terms of The General Data Protection Regulation Act 2018, we are the ‘data controller’, and as such determine the purpose for which, and the way, any personal data are, or are to be, processed. We must ensure that we have:
Article 5 of the GDPR requires that personal data shall be
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
How we gain consent
Every new customer will be given a Letter of engagement which will include a consent form and a privacy statement. each new customer will be made aware of their rights regarding giving consent, how to withdraw, the right to be forgotten, data portability and why KPM Accounts Ltd can process data without their consent in our privacy statement.
For customers with PA’s they will be required to fill out a New PA Form which includes a consent form. It is stated on the form that a copy of our Privacy statement can be found on our website.
Managing requests for copies of personal data/ to be forgotten / consent to be withdrawn
All staff, customers, PA’s have the right to request a copy of their personal data, as stated in the consent form KPM Accounts Ltd have 30 days to respond to any “subject access requests). Any subject access requests will be managed by KellyDee Bennett.
Staff/ customers and PA’s have a right withdraw part of full consent at any time, this will need to be done in writing as stated in the Letter of Engagement. KPM Accounts Ltd have a legal obligation to hold and disclose information that is required on a legal basis. (please refer to The General Data Protection Regulation Act 2018- Article 6)
Any staff/ customer or PA who wishes to withdraw consent or request to be forgotten they are made aware of any implications this may have on a service being provided. This will be at the Directors authority.
Any requests are to be requested via email or in writing to the following:
Please be advised that KPM Accounts Ltd have 30 days in which to respond to any requests, in the mean time no information will be given. We will respond to your request in writing to the last known address we have on file via recorded delivery.