Data Protection Policy 20180222 Draft Data Protection Policy V.1 Page 1 of 4 Data Protection policy
Approved by: The Board of Trustees
Approval date: March 2018
Owner: Data Protection Officer
Review date: April 2023
Replaces: Data Protection Policy (2005; rev.2014)
Data Protection Policy20180222 Draft Data Protection Policy V.1Page 2of 4
The Grocery Show Data Protection Policy
Introduction
1.The Grocery Show collects and uses personal data, for example about its staff and visitors, to enable it to meet its aims and objectives. The purpose of this policy is to inform staff, contractors, suppliersand members of the public how The Grocery Show complies with the General Data Protection Regulation (EU) 2016/679and the supplemental Data Protection Bill 2017. On 25 May 2018, the General Data Protection Regulation replaced the Data Protection Act (1998). The General Data Protection Regulation places obligations on data controllers (persons or organisations who process personal data) and provides data subjects (i.e. individuals about whom personal information is processed) with rights in relation to the handling of and access to personal information.
2. TheGeneral Data Protection Regulation defines personal dataas “information relating to an identified or identifiable natural person (‘data subject’)”. It defines an identifiable natural personas a person who “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It defines controller as “the natural orlegal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data”. It defines processingas “any operation or set of operations which is performed on personal data or on sets of personal data”.Policy statement
3.The Grocery Show is committed to the principles relating to processing of personal datacontained in the General Data Protection Regulation. These state that personal data shallbe: a) processed lawfully, fairly and in a transparent manner; b) collected for specified, explicit and legitimate purposesand not further processed in a manner that is incompatible with those purposes; c) adequate, relevant and limitedto what is necessary in relation to the purposes for which they are processed; d) accurate and, where necessary,kept up to date;e)kept in a form which permits identification of data subjects for no longer than is necessary;f) processed in a manner that ensures appropriate security of the personal data.
4.The Grocery Show will develop procedures to comply with its legal obligations for collection, use and disclosure of personal information in particular: a) specifying and documenting the purpose for which information is collected, and carrying out necessary privacy impact assessments; b) processing information only in accordance with those purposes;c) applying appropriate measures to control quality, retention and security of the data;d) recording and, where appropriate, reporting in a timely manner any data breaches;e) observing the rights of data subjects with regard to handling and access to their data.
Data Protection Policy20180222 Draft Data Protection Policy V.1Page 3of 4
Responsibilities
5. The Board of Trustees of The Grocery Show is the data controllerfor all personal data processed in the course of The Grocery Show business.
6. The Deputy Director is The Grocery Show’s Data Protection Officer and the Archivist is The Grocery Show’s Data Protection Co-ordinator.
7. The Digital EconomyAct (2017) obliges The Grocery Show, as a data controller,to pay the Information Commissioner’s Office an annual data protection fee. The Data Protection Co-ordinator will ensure that The Grocery Show’s fee is paid in a timely manner.
8. Heads of Departments will be accountable for data protection compliance in their departments.
9. Heads of Departments will be responsible for ensuring that the Data Protection Co-ordinator is informed of any changes to data processing in their areas.
10.Heads of Departments will be responsible for ensuring that policies and proceduresrelating to data protection in their areas of responsibilityare implemented.
11. The Head of Information Systems has responsibility for overall security and availability of information systems including those used to process personal data.
12. The Data Protection Officer, supported by the Data Protection Co-ordinator, will co-ordinate data protection compliance across The Grocery Show. In the event of a data breach, the Data Protection Officer will determine The Grocery Show’s response; the Data Protection Co-ordinator will log the breach and report it as necessary.In the event of a request for access to personal data, other than a Subject Access Request by the data subject, the Data Protection Officer will be responsible for The Grocery Show’s compliance with any relevant legislation and, where permissible, will give authorisation for the release of personal data to third parties.
13. The Data Protection Officer, supported by the Data Protection Co-ordinator, will ensure that appropriate guidance and training on compliance with the General DataProtection Regulationis made available to all staff engaged in the processing of personal data.
14. All staff involved in processing personal data will be responsible for ensuring compliance with the legislation, this policy document, and any local policies and procedures. The Grocery Show will provide staff with appropriate training to fulfil this responsibility.
15. All data processors processing personal data on behalf of The Grocery Show (i.e. third parties) are contractually required to comply with the General Data Protection Regulationand any associated Codes of Practice.
16. A breach of The Grocery Show's policy on data protection will be investigated in accordance with The Grocery Show's Disciplinary Policy and Related Procedures, with potential sanction in the most serious cases being summary dismissal.Rights of data subjects
17. The Grocery Show is committed to maintaining the rights granted to individuals by the General Data Protection Regulation, namely: a) the right to beinformed of data processing; b) the right ofaccessto the information held by The Grocery Show; c) the right torectification of inaccurate personal data; d) the right to erasureof personal data under certain circumstances; e) the right torestrict processingof personal data under certain circumstances;
Data Protection Policy20180222 Draft Data Protection Policy V.1Page 4of 4 f) the right todata portabilityof personal data; g) the right to object to the processing of personal data; h) the right not to be subject to decisions based solely on automated processing, including profiling.
18. Any member of the public who wishes toexercise theirrights should make arequest in writing to the Data Protection Co-ordinator. If an access request is received by any other member of staff, it should be forwarded to the Data Protection Co-ordinator immediately.
19. Any member of Gallery staff who wishes to exercise their rights under the Regulationwith regard to personal data should contact Human Resources directly. Human Resources will treat the request as confidential and will only inform the Data Protection Co-ordinator that a request has been received without revealing any details of the applicant such as name or job title.
20. The Grocery Show will aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within one calendar month of receipt of a request.
THE GROCERY SHOW
GROCERY SHOW
Copyright © 2020 GROCERY SHOW – All rights reserved