GDP01.0 Data Breach
Coops Group is committed to our obligations under GDPR. Our data audit report has been produced to ensure that our compliance, processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary. Should a data breach nevertheless occur, this policy states our intent and objectives for dealing with it.
Although we understand that not all risks can be completely mitigated, we operate a robust and structured system of controls, measures and processes to help protect data subjects and their personal information from the risks associated with processing data. The protection and security of the data that we hold and use, including personal information, is paramount to us.
The purpose of this policy is to provide Coops Group’s intent, objectives and procedures regarding data breaches involving personal information.
As we have obligations under the GDPR, we also have a requirement to ensure that the correct procedures, controls and measures are in place and communicated to all employees if a personal information breach occurs. This policy also notes our processes for reporting, communicating and investigating any such breach.
Whilst it is the Company's aim to prevent data breaches where possible, we do recognise that human error and risk elements occur in business that prevent the total elimination of any breach occurrence. We also have a duty to develop protocols for data breaches to ensure that employees, regulating and/or accreditation bodies are aware of how we handle any such breach.
This policy applies to all staff within the Company (meaning permanent, fixed-term, zero-hours and temporary staff, any third-party representatives or sub-contractors, agency workers, and agents engaged with the Company in the UK), and relates to the processing of personal information. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action or the termination of contracts for services.
Data Security & Breach Requirements
The Company's definition of a personal data breach for the purposes of this policy is any breach of security, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Coops Group have a legal, regulatory and business obligation to ensure the maximum security of data that is processed, and as a priority when it is shared, disclosed or transferred. Our Information Security Policy & Procedures and Data Protection Policy & Procedures provide the detailed measures and controls that we take to protect personal information and to ensure its continued security.
We will carry out information audits to ensure that all personal data held and processed by us is accounted for and recorded. We have implemented adequate, effective and appropriate technical and organisational measures to ensure a level of security appropriate to the risks, including (but not limited to): -
- Encryption of personal data.
- Restricted access as appropriate.
- Reviewing, auditing and improvement plans for the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Disaster Recovery and Business Continuity Plan to ensure up-to-date and secure backups and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Frequent and rolling training programs for all staff in the GDPR, its principles and applying those regulations to each role, duty and the company as a whole.
- Staff assessments and testing to ensure a high level of competency, knowledge and understanding of the data protection regulations and the measures we have in place to protect personal information.
- Recheck processes to ensure that where personal information is transferred, disclosed, shared or is due for disposal, it is rechecked by the Compliance Manager.
GDP02.0 Data Retention & Erasure
Coops Group recognises and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.
This policy meets the standards and expectations set out by contractual and legal requirements and has been developed to meet the best practices of business records management, with the direct aim of ensuring a robust and structured approach to document control and systems.
Effective and adequate records and data management is necessary to: -
- Ensure that the business conducts itself in a structured, efficient and accountable manner.
- Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems.
- Support core business functions and provide evidence of conduct and the appropriate maintenance of associated plant and equipment, resources and services provided to our customers.
- Meet legislative, statutory and regulatory requirements.
- Deliver services to staff in a consistent and equitable manner.
- Assist in managerial decision making.
- Provide continuity in the event of a disaster.
- Protect the interests of the organisation and the rights of employees, customers and sub-contractors.
- Protect personal information and data subject rights.
- Avoid inaccurate or misleading data and minimise risks to personal information.
- Erase data in accordance with the legislative and regulatory requirements.
Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. The Company only ever retains records and information for legitimate business reasons and use, and we comply fully with the UK data protection laws and guidance.