NATTC UK-GDPR 2020 & DPA 2018 Policy
- Introduction
1.1. Purpose: This policy outlines NATTC’s commitment to complying with the UK-GDPR 2020 and DPA 2018 in the handling and processing of personal data.
1.2. Scope: This policy applies to all employees, contractors, and third parties who process personal data on behalf of NATTC.
- Data Protection Principles
2.1. Lawfulness, Fairness, and Transparency: NATTC will process personal data lawfully, fairly, and transparently.
2.2. Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and will not be further processed in a manner that is incompatible with those purposes.
2.3. Data Minimization: NATTC will only collect and process personal data that is necessary for the purposes for which it was collected.
2.4. Accuracy: NATTC will take reasonable steps to ensure that personal data is accurate and up to date.
2.5. Storage Limitation: Personal data will be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed.
2.6. Integrity and Confidentiality: NATTC will process personal data in a manner that ensures its security, including protection against unauthorised or unlawful processing, loss, destruction, or damage.
- Data Subject Rights
3.1. Right to Access: Data subjects have the right to access their personal data held by NATTC.
3.2. Right to Rectification: Data subjects have the right to request the correction of inaccurate or incomplete personal data.
3.3. Right to Erasure (Right to be Forgotten): Data subjects have the right to request the deletion of their personal data under certain circumstances.
3.4. Right to Restriction of Processing: Data subjects have the right to restrict the processing of their personal data under certain circumstances.
3.5. Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
3.6. Right to Object: Data subjects have the right to object to the processing of their personal data under certain circumstances.
3.7. Automated Decision-Making and Profiling: Data subjects have the right not to be subject to automated decision-making, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Data Protection Officer
4.1. NATTC have appointed a Data Protection Officer (DPO) responsible for overseeing data protection efforts and ensuring compliance with the UK-GDPR and DPA 2018.
- Data Breach Notification
5.1. NATTC will promptly report any personal data breach to the Information Commissioner’s Office (ICO) and affected data subjects when required by law.
- International Data Transfers
6.1. When transferring personal data outside the UK or the European Economic Area (EEA), NATTC will ensure that adequate safeguards are in place to protect the data.
- Training and Awareness
7.1. NATTC will provide training and raise awareness among employees and contractors regarding data protection policies and procedures.
- Privacy Impact Assessments (PIAs)
8.1. NATTC will conduct Privacy Impact Assessments for high-risk processing activities involving personal data.
- Policy Review and Updates
9.1. This policy will be reviewed regularly and updated as necessary to ensure compliance with evolving data protection regulations.
- Enforcement
10.1. Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contractual relationships.