
Introduction to Data Protection Policy


Purpose of the Policy

At Commercial Property Advisors LTD, we are committed to the responsible and secure management of personal data. This Data Protection Policy outlines our approach to data protection and ensures compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). The policy serves as a guide for our employees, contractors, and any third parties engaged in data processing on our behalf, emphasising the importance of respecting the privacy and rights of individuals whose data we handle.


Our Commitment

As a business rates company handling sensitive and personal information, including the names of directors, rateable values of properties, and contact details, we understand the significance of data protection in our operations. Our commitment extends to ensuring transparency in our data collection and processing activities, safeguarding data against unauthorised access and breaches, and upholding the rights of data subjects.


Policy Objectives

This policy aims to:

- Clearly articulate the principles of data protection that Commercial Property Advisors LTD adheres to.

- Provide a framework for collecting, processing, storing, and sharing personal data in a lawful and ethical manner.

- Outline the rights of individuals in relation to their personal data and the procedures to exercise these rights.

- Establish responsibilities and protocols for data protection, including responding to data breaches and ensuring ongoing compliance with relevant legislation.


Scope

This policy applies to all personal data processed by Commercial Property Advisors LTD, irrespective of where the data is held or who processes it. It encompasses all employees, contractors, and third parties who handle personal data in the course of their engagement with our company.


Through this policy, we demonstrate our unwavering dedication to data protection, ensuring not only legal compliance but also the maintenance of trust and integrity in all our business relationships.


 Scope of Data Protection Policy


Applicability

This Data Protection Policy applies to Commercial Property Advisors LTD, encompassing all departments, units, and personnel within the organisation. It is relevant to all employees, including full-time, part-time, temporary staff, and contractors, as well as to any third parties engaged in processing data on behalf of the company.


Data Coverage

The policy covers all forms of personal data that Commercial Property Advisors LTD handles, including but not limited to:

- Personal details of directors, clients, and leads, such as names and contact information.

- Rateable values of properties and related business information.

- Any other personal data collected through online forms, customer interactions, or data obtained from company websites.


Data Processing Activities

This policy governs all activities related to the processing of personal data, including:

- Collection, recording, organisation, structuring, storage, adaptation, or alteration.

- Retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available.

- Alignment, combination, restriction, erasure, or destruction.


Geographical Scope

While Commercial Property Advisors LTD operates primarily within the UK, this policy applies to all data processing activities, regardless of where they occur, to ensure compliance with the Data Protection Act 2018 and UK GDPR.


Responsibility

Every employee and contractor of Commercial Property Advisors LTD is responsible for adhering to this policy during their engagement with the company. The Data Protection Officer (DPO), currently Daria Gavrilova, is tasked with overseeing compliance with this policy, providing guidance, and addressing any queries or concerns related to data protection.


Third-Party Engagement

When engaging third parties who handle personal data on behalf of Commercial Property Advisors LTD, it is essential that they are aware of and comply with this policy. Appropriate measures must be taken to ensure that these third parties process the data in a manner consistent with this policy and the Data Protection Act 2018 and UK GDPR.


Policy Enforcement

Non-compliance with this policy by any employee, contractor, or third party can have serious implications, including disciplinary action, termination of contract, and legal consequences where applicable.


 Data Protection Principles


Compliance with Data Protection Laws

Commercial Property Advisors LTD is committed to complying with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Our data processing activities adhere to the following key principles:


1. Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner. Individuals are informed about how their data is used, ensuring clarity and accountability.


2. Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes. It is not further processed in a manner incompatible with those purposes, except as permitted by law.


3. Data Minimization: We ensure that the personal data collected and processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.


4. Accuracy: Personal data is kept accurate and, where necessary, up to date. Reasonable steps are taken to ensure that inaccurate data, with regard to the purposes for which they are processed, are erased or rectified without delay.


5. Storage Limitation: Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with safeguards required by law.


6. Integrity and Confidentiality (Security): Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.


7. Accountability: Commercial Property Advisors LTD is responsible for, and able to demonstrate compliance with, these principles.


Individual Rights

In alignment with the Data Protection Act 2018 and UK GDPR, we recognize and facilitate the exercise of the following rights of individuals:

- The right to be informed

- The right of access

- The right to rectification

- The right to erasure (‘right to be forgotten’)

- The right to restrict processing

- The right to data portability

- The right to object

- Rights in relation to automated decision making and profiling


Ensuring Compliance

To ensure adherence to these principles, Commercial Property Advisors LTD will:

- Conduct regular training and awareness programs for staff.

- Implement and maintain data protection policies and practices.

- Engage in continuous monitoring and review of our data processing activities.

- Conduct Data Protection Impact Assessments (DPIAs) for high-risk data processing activities.

- Maintain records of data processing activities and ensure transparency in all our data handling practices.


 Data Collection and Processing


Collection of Personal Data

Commercial Property Advisors LTD collects personal data through various means, including but not limited to:

- Online forms on our website.

- Direct interactions with clients and leads.

- Research and data matching from company websites and public records.


The types of personal data collected include:

- Names and contact details of directors and company representatives.

- Rateable values of properties.

- Other business-related information, including but not limited to: rental information; where needed, turnover, credit score, and the number of employees in the company.


Purpose of Data Processing

The personal data collected is used for the following purposes:

- Service provision: To provide tailored business rates services to our clients.

- Marketing: To inform current and potential clients about our services, updates, and offers.

- Business Operations: To conduct internal business processes and management.


Legal Basis for Processing

Commercial Property Advisors LTD processes personal data based on one or more of the following legal grounds:

- Consent: Where individuals have provided explicit consent for the processing of their personal data for specific purposes.

- Contractual Necessity: Where processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.

- Legal Obligation: Where processing is necessary for compliance with a legal obligation.

- Legitimate Interests: Where processing is necessary for the purposes of legitimate interests pursued by Commercial Property Advisors LTD or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.


Data Accuracy and Relevance

We take reasonable steps to ensure that:

- Personal data collected is accurate and, where necessary, kept up to date.

- Inaccurate data is rectified or deleted without delay.

- Data collected is relevant to the purposes for which it is processed and limited to what is necessary.


Data Retention

Personal data is not retained for longer than is necessary for the purposes for which it is processed. The standard retention period is 6 years, corresponding with the rating list period. After this period, data is either securely deleted or anonymized, except where longer retention is required for legal or regulatory reasons.


Sharing of Personal Data

Commercial Property Advisors LTD may share personal data with third parties under the following conditions:

- With the explicit consent of the data subject for specific purposes.

- With affiliates or subcontractors when necessary for service provision or where specialist knowledge is required.

- In compliance with legal obligations or to protect the company's legitimate interests.


All third parties engaged in processing personal data on behalf of Commercial Property Advisors LTD are required to comply with our data protection standards and ensure the confidentiality and security of the data.


 Consent and Individual Rights

Obtaining Consent

Commercial Property Advisors LTD recognizes the importance of obtaining valid consent for processing personal data. Consent is obtained through:

- Clear and specific terms and conditions provided to clients and leads.

- Explicit opt-in mechanisms for marketing communications.


Clients and leads have the right to withdraw their consent at any time. This can be done through:

- Contacting Commercial Property Advisors LTD via phone or email.

- Using the unsubscribe options provided in our marketing communications.


Individual Rights

In accordance with the Data Protection Act 2018 and UK GDPR, individuals have the following rights concerning their personal data:

- The Right to be Informed: Individuals have the right to clear information about how their data is being used.

- The Right of Access: Individuals have the right to access their personal data and supplementary information.

- The Right to Rectification: Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete.

- The Right to Erasure: Individuals have the right to have personal data erased in certain circumstances ('right to be forgotten').

- The Right to Restrict Processing: Individuals have the right to request the restriction or suppression of their personal data in certain circumstances.

- The Right to Data Portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

- The Right to Object: Individuals have the right to object to the processing of their personal data in certain circumstances.

- Rights in Relation to Automated Decision Making and Profiling: Individuals have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.


Responding to Requests

Commercial Property Advisors LTD is committed to facilitating the exercise of these rights in a timely and respectful manner. Requests from individuals exercising their rights will be responded to without undue delay and, in any event, within one month of receipt of the request. This period may be extended by two further months where necessary, considering the complexity and number of the requests.


Record-Keeping

Records of consent and individual rights requests, including how and when consent was obtained and how requests were handled, will be maintained to demonstrate compliance with data protection regulations.


 Data Sharing and Transfer


Principles of Data Sharing

Commercial Property Advisors LTD adheres to strict principles when sharing personal data:

- Transparency: Individuals are informed about the sharing of their data and the purposes for which it is shared.

- Lawfulness: Data is shared only where there is a lawful basis to do so.

- Security: Measures are taken to ensure the security and confidentiality of data during transfer and at the receiving end.


Conditions for Data Sharing

Personal data may be shared under the following conditions:

- With Consent: When explicit consent is obtained from the individual for specific sharing purposes.

- For Service Provision: Sharing with affiliates or subcontractors when necessary for delivering our services or where specialist knowledge is required.

- Legal Obligations: When required by law or to protect the company's legitimate interests.


Data Sharing Agreements

When engaging with third parties:

- Data sharing agreements are in place, specifying the responsibilities of each party and ensuring compliance with data protection laws.

- Third parties are vetted to ensure they have adequate data protection measures.


International Data Transfers

- As Commercial Property Advisors LTD operates solely within the UK, there are no routine international transfers of personal data.

- Any exceptional international data transfers will be conducted in compliance with the Data Protection Act 2018 and UK GDPR, ensuring an adequate level of protection.


Data Security and Storage


Security Measures

To protect personal data against unauthorised access, alteration, disclosure, or destruction, we implement robust security measures, including:

- Two-Step Verification: For access to sensitive data and systems.

- Cloud Storage: Secure and encrypted cloud storage solutions.

- Antivirus Software: Regularly updated antivirus and malware protection.

- Secure Internet Connection: Use of secure and encrypted connections.


 Data Storage

- Personal data is stored in accordance with our data retention policy, ensuring it is not kept longer than necessary.

- Data is reviewed quarterly, and information related to dissolved companies is deleted.


Data Breach Response

- In the event of a data breach, we have procedures in place to promptly assess and respond to the incident.

- Affected individuals and relevant authorities are notified in accordance with legal requirements.


 Employee Access

- Access to personal data is limited to employees who require it for their job responsibilities.

- Regular training and awareness programs are conducted to ensure staff understand their obligations in handling personal data.


Data Protection Officer (DPO)


Role and Contact Information

- The Data Protection Officer (DPO) for Commercial Property Advisors LTD is Daria Gavrilova.

- Contact details: [Provide contact details – email, phone number, office address]

- The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with data protection laws.


Responsibilities of the DPO

- Monitoring Compliance: Regularly reviewing and updating data protection policies and practices to align with legal requirements.

- Advice and Training: Providing guidance and training to staff on data protection matters, ensuring company-wide awareness and understanding.

- Point of Contact: Acting as a point of contact for employees and data subjects regarding data protection issues and rights.

- Liaison with Authorities: Communicating with regulatory bodies as required, including reporting data breaches and cooperating in investigations.


Support and Resources

- Commercial Property Advisors LTD ensures that the DPO is provided with the necessary resources, access to data and operations, and maintains independence in their role.

- All staff are required to cooperate with the DPO and provide any assistance necessary for them to perform their duties.


 Training and Awareness


 Employee Training

- Regular training sessions on the Data Protection Act 2018 and UK GDPR are conducted for all employees.

- Training covers the principles of data protection, rights of individuals, responsibilities of employees, and specific procedures relevant to Commercial Property Advisors LTD.


 Awareness Programs

- Simulation of phishing attacks and other cybersecurity threats to raise awareness and prepare employees.

- Continuous updates on best practices and legal requirements in data protection.


 Record of Training

- Records of all training attended by employees are maintained to ensure everyone has the necessary knowledge to comply with data protection laws.


 Ongoing Education

- Commitment to ongoing education and updates in data protection to adapt to changes in legislation, technology, and industry practices.


 Breach Response and Reporting


 Data Breach Policy

- A clear policy and procedure are in place to manage and respond to any data breaches effectively.

- Includes steps for identifying, assessing, and mitigating the impacts of data breaches.


 Reporting Mechanisms

- Procedures for internal reporting of data breaches to ensure prompt action.

- Guidelines for notifying the Information Commissioner’s Office (ICO) and affected individuals in line with legal requirements.


 Incident Response Team

- An incident response team, including the DPO and relevant staff, is established to manage breach incidents.

- Regular training and drills to ensure preparedness for potential data breaches.


 Post-Incident Analysis

- After a breach, a thorough analysis is conducted to identify the cause and implement measures to prevent future occurrences.

- Continuous improvement of security measures and response strategies based on lessons learned from incidents.


 Data Protection Impact Assessments (DPIAs)


 Implementation of DPIAs

- Commercial Property Advisors LTD conducts Data Protection Impact Assessments for processing activities that pose a high risk to individuals' rights and freedoms.

- DPIAs are integrated into project planning and decision-making processes.


 DPIA Process

- The process includes identifying and assessing data processing activities, evaluating the necessity and proportionality of these activities, and managing risks to the rights and freedoms of individuals.

- DPIAs are carried out at least annually or when significant changes in data processing occur.


 Involvement of Stakeholders

- Key stakeholders, including data subjects where appropriate, are involved in the DPIA process to understand the impact of data processing activities fully.


 Documentation

- Findings and decisions from DPIAs are documented and kept as a part of our data protection records.

- The DPO is responsible for reviewing and approving DPIAs, ensuring that they meet the required standards.


 Record Keeping and Documentation


 Data Processing Records

- Comprehensive records of all data processing activities are maintained, detailing the purpose of processing, data categories, data recipient, and data retention periods.


 Consent and Data Subject Requests

- Records of how and when consent was obtained are kept, along with documentation of responses to data subject access requests, erasure requests, and other rights exercised by individuals.


 Policy Documentation

- All data protection policies and procedures, including this Data Protection Policy, are documented and accessible to relevant parties.


 Regular Review

- Documentation is regularly reviewed and updated to reflect changes in data processing activities and legal requirements.


 Review and Audit


 Policy Review

- This Data Protection Policy is reviewed annually to ensure it remains up-to-date and compliant with current data protection laws and best practices.


 Internal Audits

- Regular internal audits of data protection practices are conducted to assess compliance with this policy and data protection laws.

- Audits include reviewing data processing activities, security measures, and staff compliance.


 Continuous Improvement

- Findings from reviews and audits are used to continuously improve data protection practices.

- Updates and modifications to policies and procedures are implemented as necessary.


 External Audits

- External audits may be conducted periodically to provide an independent assessment of data protection practices.


 Compliance with Specific Sectors or Regulations


 Sector-Specific Regulations

- Commercial Property Advisors LTD acknowledges that certain sector-specific regulations may apply to our data processing activities, especially in relation to the business rates sector.

- We commit to staying informed about and compliant with any such regulations that affect our operations.


 Handling Sensitive Information

- Special attention is given to handling any sensitive information, particularly when dealing with data published by local authorities, such as credit availability for clients.

- We ensure that such sensitive information is processed in accordance with the highest standards of data protection and only when necessary and lawful.


 Collaboration with Regulatory Bodies

- We maintain an open and cooperative relationship with regulatory bodies relevant to our sector and data protection authorities.

- This includes seeking guidance and advice to ensure compliance with sector-specific regulations and data protection laws.


 Policy Approval and Review


 Approval

- This Data Protection Policy has been approved by the senior management of Commercial Property Advisors LTD. The policy reflects our commitment to data protection and legal compliance.


 Regular Review

- The policy is subject to regular review, at least annually, to ensure it remains effective and relevant to our operations and the evolving data protection landscape.

- Reviews take into consideration changes in legislation, regulatory guidance, technology, operational practices, and lessons learned from any data breaches or incidents.


 Updates

- Any updates to the policy will be communicated promptly to all staff and relevant stakeholders.

- Continuous training and awareness will be provided to ensure all personnel are aware of and understand any changes to the policy.


 Feedback and Suggestions

- Feedback and suggestions from employees, clients, and other stakeholders are welcomed as part of the review process.

- An open-door policy is maintained for any concerns or questions relating to data protection.




 Implementation and Enforcement


 Responsibility for Implementation

- All department heads and managers are responsible for implementing this Data Protection Policy within their respective areas.

- Employees at every level are required to adhere to this policy and contribute to its effective implementation.


 Enforcement

- Non-compliance with this policy will be taken seriously and may result in disciplinary action, up to and including termination of employment or contracts.

- Regular audits and assessments will be conducted to ensure adherence to this policy.


 Communication and Training


 Internal Communication

- This policy will be made available to all employees through internal communication channels.

- Key aspects of the policy will be highlighted in staff meetings and internal bulletins.


 Training Programs

- Ongoing training programs will be conducted to ensure employees understand their responsibilities under this policy and the broader data protection regulations.

- New employees will receive data protection training as part of their induction process.


 External Communication

- Key elements of this policy will be communicated to clients, suppliers, and partners to ensure they understand how Commercial Property Advisors LTD handles personal data.

- Updates to the policy will also be communicated to external stakeholders as appropriate.


 Monitoring and Evaluation


 Monitoring

- Regular monitoring of data processing activities will be carried out to ensure compliance with this policy and data protection laws.

- The DPO will oversee the monitoring process and report findings to senior management.


 Evaluation and Improvement

- The effectiveness of this policy will be evaluated regularly.

- Feedback from monitoring and audits, as well as input from employees and external stakeholders, will be used to continually improve data protection practices.


 Conclusion


 Commitment to Data Protection

- Commercial Property Advisors LTD is committed to upholding the highest standards of data protection and privacy.

- This policy reflects our dedication to protecting the personal data of our clients, employees, and partners.


 Contact Information

- For any questions or concerns regarding this policy or data protection practices, please contact our DPO, Daria Gavrilova, at [Contact Information].




 Formalisation and Dissemination


 Policy Approval

- This policy has been formally approved by the senior management of Commercial Property Advisors LTD. The approval signifies the commitment of the highest level of management to data protection and privacy.


 Distribution of Policy

- The policy will be distributed to all employees, contractors, and relevant third parties.

- A copy of the policy will be accessible on the company's internal network and, where appropriate, on the company website.


 Acknowledgment of Policy


 Employee Acknowledgment

- All employees will be required to sign an acknowledgment form stating that they have read, understood, and agreed to comply with the Data Protection Policy.

- This acknowledgment will be kept on record by the Human Resources department.


 Contractor and Third-Party Acknowledgment

- Contractors and third parties who handle personal data on behalf of Commercial Property Advisors LTD will also be required to acknowledge and agree to comply with this policy.

- These acknowledgments will form part of the contractual agreements with these parties.


 Policy Accessibility and Visibility


 Internal Accessibility

- The policy will be made easily accessible to all staff members at all times, ensuring that employees can refer to it as needed.


 External Visibility

- Key aspects of the policy, especially those relevant to clients and the public, will be made available on the company's external website.


 Continuous Improvement


 Feedback Mechanism

- A mechanism for feedback on the policy will be established, allowing employees and other stakeholders to provide suggestions for improvements.


 Regular Updates

- The policy will be reviewed and updated regularly to reflect changes in legislation, best practices, and the operational environment of Commercial Property Advisors LTD.


 Ongoing Training

- Regular training and refresher courses will be provided to ensure all employees are kept up to date with any changes in the policy and wider data protection regulations.


 Policy Review and Revision


 Scheduled Review

- A formal review of the policy will be conducted annually or more frequently if significant changes in data processing activities or laws occur.


 Policy Amendments

- Any amendments to the policy will be approved by senior management and communicated clearly to all relevant parties.


 Conclusion


 Commitment to Excellence in Data Protection

- Commercial Property Advisors LTD remains committed to maintaining the highest standards in data protection and privacy, ensuring that personal data is handled with the utmost care and respect.


 Final Acknowledgment

- This policy is a testament to our commitment to legal compliance, ethical data handling, and the protection of the privacy rights of individuals.

Data Protection Act 2018 and UK GDPR
