Data protection policy

This policy outlines the obligations of Blueprint Compliance Limited under UK data protection law. It specifies the company’s responsibilities for handling the personal data of staff, customers, and business contacts. The policy applies to all employees, agents, and contractors working on behalf of the company.

1. Definitions

  • Consent: Freely given, specific, informed, and unambiguous agreement to process personal data.
  • Data Controller: The organization determining the purposes and means of processing personal data (e.g., the company).
  • Data Processor: A party processing personal data on behalf of the data controller.
  • Data Subject: Any identifiable natural person whose personal data is held by the company.
  • Personal Data: Information that identifies or relates to a data subject, including sensitive data like racial or health information.
  • Processing: Any operation performed on personal data, such as storage, alteration, or erasure.
  • Special Category Data: Sensitive data, such as racial or ethnic origin, health data, or religious beliefs.

2. Scope

  • The company ensures lawful and fair handling of personal data and respects the rights of all data subjects.
  • The Data Protection Officer (DPO) is Rob Chambers (rob@blueprintcompliance.co.uk).
  • Managers must ensure compliance by their teams and implement necessary practices and training.

3. Data Protection Principles

Personal data must be:

  1. Processed lawfully, fairly, and transparently.
  2. Collected for specific, explicit, and legitimate purposes.
  3. Adequate, relevant, and limited to what is necessary.
  4. Accurate and kept up-to-date.
  5. Stored for no longer than necessary.
  6. Protected using appropriate security measures.

4. Data Subject Rights

Data subjects have the right to:

  1. Be informed about data collection and use.
  2. Access their personal data.
  3. Request corrections or erasure.
  4. Restrict processing of their data.
  5. Object to data processing.
  6. Data portability: receive their data in a reusable form and transfer it elsewhere.
  7. Be protected against automated decision-making and profiling.

5. Lawful Data Processing

Personal data can only be processed if one of the following conditions is met:

  • Consent is given.
  • It is necessary for contract performance.
  • It is required for compliance with legal obligations.
  • It is necessary to protect vital interests.
  • It serves the public interest or official authority.
  • It is necessary for the company’s legitimate interests, provided those interests are not overridden by the rights of the data subject.

6. Data Security

  • Emails containing personal data must be encrypted and marked as “confidential.”
  • Personal data should be transmitted over secure networks only.
  • Data should be stored securely using encryption and access control.
  • Backups should be encrypted and stored offsite.

7. Accountability and Record-Keeping

  • The DPO oversees compliance and develops related policies.
  • Data protection impact assessments (DPIAs) must be conducted for high-risk processing activities.
  • Regular audits ensure adherence to data protection laws.

8. Implementation

This policy takes effect on 7th December 2024. It applies only to activities occurring on or after this date.
