Data Protection Policy

Purpose

Distinctive People HR & OD Consultancy Ltd (“the organisation”) is committed to maintaining the privacy and protection of the personal data it processes. The purpose of this policy is to set out how the organisation complies with the requirements of the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the EU General Data Protection Regulation (EU GDPR) in the processing of personal data.

This policy applies to all personal data processed by the organisation, including personal data of job applicants, employees, contractors, clients, and any individuals whose data is processed for the purposes of HR, People Management and Recruitment practices, as part of the organisation’s activities.

Data Protection Principles

The organisation processes personal data in accordance with the following principles of the DPA 2018, UK GDPR, and EU GDPR:

Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.

Purpose Limitation: Personal data will only be collected for specified, explicit, and legitimate purposes and will not be further processed in a manner incompatible with those purposes.

Data Minimisation: Personal data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy: Personal data will be kept accurate and, where necessary, up to date.

Storage Limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.

Accountability: The organisation will be responsible for, and able to demonstrate compliance with, these principles.

Data processing compliance

The organisation is committed to ensuring compliance with the UK GDPR, the EU GDPR, and the Data Protection Act 2018 (DPA 2018) in the processing of personal data. The organisation is transparent with individuals about the processing of their personal data, including:

Reasons for Processing: The organisation clearly informs clients and individuals of the purposes for which their personal data is collected and processed.

Use of Data: The organisation explains how the personal data is used and ensures that it is only used for the specific purposes stated in its Privacy Policy.

Legal Basis for Processing: The organisation outlines the legal basis for processing personal data, as per the requirements of the UK GDPR and EU GDPR. Where processing is based on legitimate interests, the organisation carries out a legitimate interests assessment (LIA) to ensure that these interests are not overridden by the rights and freedoms of individuals.

Where the organisation processes special categories of personal data (e.g., health data, racial or ethnic data) or criminal records data, this processing is carried out strictly in accordance with the UK GDPR, the EU GDPR, and the Data Protection Act 2018, ensuring that such processing is necessary for compliance with legal obligations or for the exercise of rights in employment law.

  • The organisation ensures that any processing of special categories of data is documented and supported by a valid legal basis.
  • Criminal records data is processed only as permitted under the law and when strictly necessary for specific purposes related to employment or compliance with legal obligations.

The organisation commits to promptly updating personal data if an individual notifies us of any changes or inaccuracies in their information, as per the data accuracy principle under the GDPR.

Retention of Personal Data

Personal data collected is securely stored on the organisation’s HR systems and, where applicable, in hard copy. The organisation ensures that personal data is retained only for the period necessary for the legitimate purpose for which it was collected. The retention periods for personal data are detailed in our Privacy Policy.

The organisation maintains an up-to-date record of processing activities in relation to personal data, in full compliance with the documentation and accountability requirements of the UK GDPR and EU GDPR. This record includes the purposes of processing, categories of data, and any third parties with whom data is shared, and is reviewed regularly to ensure ongoing compliance.

Data Protection Officer

The organisation has appointed a Data Protection Officer (DPO) who is responsible for overseeing the data protection strategy and ensuring compliance with data protection laws. For any questions regarding this policy or data protection matters, please contact:

Mark Glinwood

Director, Distinctive People HR & OD Consultancy Ltd

mark.glinwood@distinctivepeople.co.uk

Types of data we process

The types of personal data that may be processed include:

HR-related Data: Personal details, employment history, qualifications, health information, criminal record data (if applicable), special categories of data (e.g., race, ethnicity, sexual orientation, health), references, and other information provided by applicants, employees, contractors, and volunteers.

Client Data: Contact details, business information, contracts, and any other data related to the provision of Recruitment, HR, and People Management services.

Candidate Data: Information related to candidates for positions, including CVs, interview notes, assessments, and other application-related information.

Legal basis for processing data

The organisation processes personal data based on one or more of the following legal bases:

Consent: Where the organisation has obtained consent from a client and/or individual to process personal data for specific purposes.

Contractual Necessity: Where the processing is necessary for the performance of a contract or pre-contractual measures (e.g., processing employee data for employment purposes).

Legal Obligation: Where processing is necessary to comply with a legal obligation (e.g., statutory reporting requirements).

Legitimate Interests: Where the organisation has a legitimate interest in processing personal data, provided that the individual’s rights and freedoms do not override those interests.

How we collect data

The organisation may collect personal data through a variety of means, including:

Directly from our clients: In the course of delivering our consultancy services, clients may provide personal employee data in order that services can be delivered. This will be covered by the client’s legal obligation or legitimate interest under the UK GDPR and the EU GDPR.

Directly from individuals (e.g., job applicants, employees, clients): via forms, applications, interviews, and other interactions.

From third-party sources: including background check providers and public sources (e.g., social media, professional networks).

Through online platforms (e.g., email, client portals) and HR systems.

Data subject rights

Individuals have the following rights regarding their personal data:

Right to Access: Individuals have the right to request access to their personal data and information about how it is processed.

Right to Rectification: Individuals have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure: Individuals can request the deletion of personal data under certain circumstances (e.g., when the data is no longer necessary for the purposes for which it was collected).

Right to Restrict Processing: Individuals can request the restriction of processing under certain circumstances.

Right to Data Portability: Where processing is based on consent or on a contract and is carried out by automated means, individuals can request to receive their personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.

Right to Object: Individuals can object to the processing of their data for specific purposes, including direct marketing.

Right to Withdraw Consent: Where processing is based on consent, individuals can withdraw their consent at any time.

Subject access requests

Under the UK GDPR and EU GDPR, individuals have the right to make a Subject Access Request (SAR) to obtain a copy of the personal data the organisation holds about them. If an individual makes a SAR, the organisation will provide the following information:

  1. Confirmation of whether or not personal data is being processed and, if so, the purposes of the processing, the categories of personal data involved, and the source of the data (if it was not collected directly from the individual).
  2. The recipients or categories of recipients to whom the personal data has been or will be disclosed, including recipients located outside the United Kingdom or the European Economic Area (EEA), and the safeguards in place to protect such data during the transfer.
  3. The data retention period: the duration for which the personal data will be stored, or the criteria used to determine that retention period.
  4. The rights available to the individual, including:
  • The right to rectify inaccurate data,
  • The right to erase personal data or to restrict its processing,
  • The right to object to processing, in particular where processing is based on legitimate interests or is for direct marketing.
  5. The individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO) (UK GDPR) or the relevant Supervisory Authority (EU GDPR) if they believe their data protection rights have been violated.
  6. Whether the organisation carries out any automated decision-making, including profiling, and a clear explanation of the logic involved and the potential consequences of such processing for the individual.

The organisation will provide the individual with a copy of the personal data undergoing processing. This will usually be provided in electronic format if the request is made electronically, unless the individual requests otherwise.

Submitting a Subject Access Request

To submit a Subject Access Request, the individual should contact Mark Glinwood, mark.glinwood@distinctivepeople.co.uk.

In some cases, the organisation may request proof of identity to verify that the request is being made by the correct individual. The organisation will inform the individual if verification is necessary and what documentation is required.

Response Times

The organisation will respond to a Subject Access Request without undue delay and at the latest within one calendar month of receiving the request (or, where the organisation has asked for proof of identity, within one calendar month of receiving that proof). Where a request is complex, or an individual has made a number of requests, the organisation may extend the response period by up to a further two months (for a total of three months). If this extension is required, the organisation will notify the individual within the first month of receiving the original request, providing an explanation for the delay.

Manifestly Unfounded or Excessive Requests

If a Subject Access Request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. In such cases, the organisation may either refuse to act on the request or charge a reasonable fee based on the administrative costs of dealing with it. The organisation bears the burden of demonstrating that a request is manifestly unfounded or excessive.

A request is likely to be considered manifestly unfounded or excessive if it is repetitive or if it seeks information that the organisation has already provided. If the organisation determines a request is unfounded or excessive, it will inform the individual and explain whether it will respond to the request or not.

Data security

The organisation is committed to ensuring that personal data is secure and protected against unauthorised or unlawful processing, and accidental loss, destruction, or damage. We have implemented appropriate technical and organisational measures to protect personal data, including:

  • Secure storage of data (both physical and electronic).
  • Access controls and password protection.
  • Regular reviews of security measures and risk assessments.
  • Encryption of sensitive data where necessary.

Data breaches

In the event of a personal data breach, the organisation will take immediate steps to contain the breach and mitigate any risk to the rights and freedoms of data subjects. The organisation will:

  1. Assess the severity of the breach by considering factors such as the nature and volume of the data involved, the cause of the breach, and the likely consequences for data subjects. This assessment determines whether the breach must be notified to the regulator and to affected individuals.
  2. Notify the Information Commissioner’s Office (ICO) (UK GDPR) and/or the relevant Supervisory Authority (EU GDPR) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, if it is likely to result in a risk to the rights and freedoms of individuals. If notification is made after 72 hours, it will be accompanied by the reasons for the delay.
  3. If the breach is likely to result in a high risk to individuals’ rights and freedoms, notify affected individuals without undue delay, in accordance with both UK and EU GDPR requirements. The notification will include:
  • The nature of the breach.
  • The likely consequences for the data subjects.
  • The measures the organisation has taken or intends to take to address the breach and mitigate potential risks.
  • Contact details for further information.
  4. If the breach is unlikely to result in a risk to individuals’ rights and freedoms, the organisation is not required to notify the ICO, the relevant Supervisory Authority, or affected individuals, but will still record the breach and the reasoning behind that decision.
  5. Record the breach: Regardless of the risk level, the organisation will maintain a record of the breach, in compliance with the UK and EU GDPR documentation requirements, including:
  • A description of the breach, including its causes.
  • The consequences of the breach for the data subjects.
  • The actions taken to address the breach, prevent recurrence, and mitigate risks.
  6. Conduct a thorough review of the incident to evaluate the effectiveness of its security measures, response protocols, and preventative measures. Necessary updates will be made to policies and procedures to enhance future data protection practices.

Data retention

The organisation will retain personal data for no longer than necessary to fulfil the purposes for which it was collected, in accordance with applicable legal, regulatory, or contractual obligations. Data retention periods are outlined in the organisation’s Privacy Policy.

International Transfers

Some personal data may be transferred to third parties outside the United Kingdom or the European Economic Area (EEA), in which case the organisation will ensure that appropriate safeguards are in place to protect the data in accordance with the relevant data protection laws (for example, an adequacy decision or regulations covering the destination country, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses).

Third-party processors

The organisation may engage third-party processors to assist in the provision of HR and consultancy services. All third-party processors are required to adhere to strict data protection standards, and the organisation ensures that written contracts meeting the requirements of Article 28 of the UK GDPR and EU GDPR are in place before any personal data is shared with them.

Individual Responsibilities

Individuals are responsible for helping the organisation keep their personal data up to date. They should inform the organisation promptly if any data provided to the organisation changes, such as a change of address, contact information, or bank details.

Individuals may have access to the personal data of other individuals, as well as customers and clients, during the course of their employment, contract, volunteer period, internship, or apprenticeship. In such cases, the organisation relies on individuals to help meet its data protection obligations to staff, clients, and customers. Individuals who have access to personal data must adhere to the following requirements:

Accessing Personal Data: Access only the personal data that they are authorised to access and use it solely for authorised purposes.

Confidentiality: Do not disclose personal data to individuals (either inside or outside the organisation) unless they have the appropriate authorisation to receive such data.

Data Security: Ensure personal data is kept secure at all times. This includes compliance with internal security protocols, such as access controls, secure storage of physical and electronic files, and password protection.

Data Storage and Device Security: Do not store personal data on local drives or on personal devices used for work purposes unless explicitly authorised and the data is protected by appropriate security measures (e.g., device encryption together with strong access credentials, since password protection alone does not protect data at rest if a device is lost or stolen).

Data Removal: Do not remove personal data or devices containing personal data from the organisation’s premises unless the data and device are appropriately secured.

Reporting Data Breaches: Immediately report any known or suspected data breaches to Mark Glinwood.

Failure to comply with these requirements may result in disciplinary action, which will be handled according to the organisation’s disciplinary procedures. Significant or deliberate breaches, such as accessing personal data without authorisation or legitimate reasons, may constitute gross misconduct and could lead to dismissal without notice.

Training

The organisation will provide training to all individuals about their data protection responsibilities as part of the induction process, and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Changes to this policy

This policy will be reviewed and updated regularly to ensure that it remains compliant with data protection laws. Any changes will be communicated to relevant individuals.
