11. Data protection by design and default
We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:
- Appointing a suitably qualified privacy officer, and ensuring they have the necessary resources to fulfil their duties and maintain their expert knowledge
- Only processing personal data that is necessary for each specific purpose of processing, and always in line with the data protection principles set out in relevant data protection law (see section 6)
- Completing privacy impact assessments where AWH Holdings Ltd’s processing of personal data presents a high risk to the rights and freedoms of individuals, and when introducing new technologies (the privacy officer will advise on this process)
- Integrating data protection into internal documents including this policy, any related policies and privacy notices
- Regularly training members of staff on data protection law, this policy, any related policies and any other data protection matters; we will also keep a record of attendance
- Regularly conducting reviews and audits to test our privacy measures and make sure we are compliant
- Maintaining records of our processing activities, including:
  - For the benefit of data subjects, making available the name and contact details of AWH Holdings Ltd and our privacy officer, and all information we are required to share about how we use and process their personal data (via our privacy notices)
  - For all personal data that we hold, maintaining an internal record of the type of data, data subject, how and why we are using the data, any third-party recipients, how and why we are storing the data, retention periods and how we are keeping the data secure
12. Data security and storage of records
We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.
In particular:
- Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal data are kept under lock and key when not in use.
- Papers containing confidential personal data must not be left on office desks or left anywhere else where there is general access.
- Where personal information needs to be taken off site, staff must sign it in and out from the AWH Holdings Ltd office.
- Passwords that are at least 8 characters long containing letters and numbers are used to access AWH Holdings Ltd computers, laptops and other electronic devices. Employees are reminded to change their passwords at regular intervals.
- Encryption software is used to protect all portable devices and removable media, such as laptops and USB devices.
- Where we need to share personal data with a third party, we carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected (see section 8).
13. Disposal of records
Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.
For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on AWH Holdings Ltd’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
14. Personal data breaches
AWH Holdings Ltd will make all reasonable endeavours to ensure that there are no personal data breaches.
In the unlikely event of a suspected data breach, we will follow the procedure set out in appendix 1.
When appropriate, we will report the data breach to the ICO within 72 hours. Such breaches in an AWH Holdings Ltd context may include, but are not limited to:
- Sensitive personal information being made available to an unauthorised person.
- The theft of a company laptop or phone containing non-encrypted personal data.