Within this statement we want to highlight to our customers some of the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
We have introduced and updated several documents, policies and measures to provide protection for both internal and client data including:
- Privacy Notices – For schools and recruitment
- SAR Procedure
- Protecting Schools Data Policy
- Information Governance Policy
- Employee Data Policy
- Data Breach Policy
- Confidentiality Clause in Employee Contracts
As part of the GDPR audit process we gained the Cyber Essentials Certification, which demonstrates a baseline of good practice for general IT systems, and we have introduced the following new processes:
- We have produced a Data Processing contract that our data processors are asked to sign up to and all suppliers now have more stringent restrictions in place on data they process and store.
- Our systems have been improved to offer a better level of authentication in areas we store information.
- All staff have received training in data protection, with those handling more sensitive data receiving more specific training.
- All staff have data protection clauses in their contracts and are asked to read and sign up to relevant documents such as Protecting Schools Data Policy, Employee Data Policy etc.
- All marketing and update emails will continue to include an unsubscribe option. We are also currently investigating allowing customers to opt out of marketing emails only, rather than all emails.
- New customers will be asked if they would like to opt-in to all emails or just to receive non-marketing emails.
- We have introduced an Incident Response Team (IRT) to handle any reported data breaches, together with a Data Breach policy and process for handling such incidents.
We have designated a Data Protection Officer (DPO), who is working with us on all matters relating to data protection and GDPR compliance. The DPO will ensure that we are accountable and transparent to the supervisory authorities, including the creation and maintenance of ‘Records of processing activities’ as per Article 30 of the GDPR.
We will continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
If you would like to discuss any of the information in this statement, please contact dpo@turniton.co.uk.