Data Protection Policy
Creative Ideas In Print Limited recognises its legal duties to comply with the General Data Protection Regulations and associated legislation. In addition, the company acknowledges its moral obligations to protect personal, confidential or sensitive data or information.
Therefore, Creative Ideas In Print Limited is committed to full development, implementation and maintenance of technical and organisational processes to protect any data processed or retained from accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access and all other forms of unlawful or non-consensual processing.
To fulfil this commitment, the company will ensure the following are in place and maintained:
1. Identify data obtained and processing conducted
We will systematically review all business operations to identify all stakeholders (e.g. employees, clients, suppliers and sub-contractors) from whom we obtain or receive and subsequently process personal or confidential information. We will determine the type of data obtained, how it is processed, how it is protected and stored, for how long it is retained and the disposal arrangements. A fundamental part of this review will be establishing the legal basis for obtaining, processing and retaining this data. This review will be documented as the Data Protection Register and Analysis and made available for review by any stakeholders on request.
Due to the nature of the business, processing of particularly sensitive data or processing of data on a large scale is unlikely. However, it is acknowledged that personal and confidential data such as name, address, bank details etc. are routinely obtained from employees, clients and suppliers and used to facilitate service delivery, pay wages and invoices and comply with obligations under employment law.
2. Assessment of data breach impact
As part of the Data Protection Register and Analysis, the criticality of the data held and processed will be considered via qualitative evaluation of the likelihood of data breach and its potential impact. The findings of this evaluation will be used to assess the adequacy of protection and security arrangements.
3. Review of data protection and security arrangements
The technical and organisational measures implemented to protect data and prevent data breach will be documented in the Data Protection Register and Analysis. Where additional measures are required to reduce risk of data breach, they will be documented and implementation plans developed.
4. Notification of processing activities and receipt of consent
Key stakeholders will be notified of the data obtained/received by Creative Ideas in Print Ltd and how that data is processed. Notification will be achieved by any suitable means such as internal briefings, policy issue, e-mail etc.
5. Sharing and transferring of data
The company will not transfer or share data to any third parties unless it is simply to comply with legal duties. The company will never transfer data outside of the European Economic Area or share data with any other third parties without the prior written consent of the relevant stakeholder.
6. Retention, storage and disposal of data
Data will be retained for as long as necessary to complete the identified processing. The arrangements for ensuring all data is suitably stored and protected to prevent unauthorised access to it will be detailed in the Data Protection Register and Analysis, along with how long the data will be retained and what arrangements are made for suitable disposal of the data to ensure its continued security.
7. Reporting of breaches
If any data breaches occur, the company will ensure they are reported to the Information Commissioner’s Office within 72 hours. All data breaches will be fully investigated to determine causes and corrective actions to prevent recurrence. Where necessary, relevant stakeholders will be informed of any breach relating to their data.
8. Individual rights regarding personal data
All stakeholders have the right to request access to any personal information the company holds on them at any time. Stakeholders may request their data is corrected, subjected to restricted use or deleted at any time.
All resources necessary to fully implement and maintain this policy will be made available. The suitability and sufficiency of this policy will be subject to regular and ongoing review. Any significant changes to this policy will be suitably communicated to all stakeholders.