We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.
We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
We have documented our decision on which lawful basis applies to help us demonstrate compliance.
We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
The EU General Data Protection Regulation (GDPR) comes into force across the European Union on 25 May 2018 and brings with it the most significant changes to data protection law in two decades.
Dunedin Management Services (DMS) is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We recognise our obligations in updating and expanding our data protection to meet the demands of the GDPR.
DMS have a consistent level of data protection and security across our organization and our GDPR processes include:
- Information Audit – company-wide data mapping exercise and risk assessment to identify what personal information is held, how and why it is processed and to whom it is disclosed.
- Policies / Procedures – data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws. Completed data asset register outlining all updated processing procedures, including:
Data Retention and Erasure
We have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly.
International data transfers / Third-party disclosures
Where DMS stores or transfers personal information outside the EU, we have procedures and safeguarding measures in place to secure and maintain the integrity of the data. We carry out due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information and ensure enforceable data subject rights
Legal Basis for Processing
We are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. Revised employee privacy notice based on the data asset register.
We have revised the wording and processes for our marketing activities, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all future marketing materials.
Data Protection Impact Assessments
Where we process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data; we have developed procedures for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements.
Where we use a third-party to process personal information on our behalf we have drafted due diligence procedures for ensuring that they meet and understand their/our GDPR obligations.
Where we process special category data, we have also identified a condition for processing special category data, and have documented this.
Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy to access information via induction (for new employees) and company policies of an individual’s right to access any personal information that DMS processes about them and to request information about:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- Retention periods
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances
Information Security / Technical and Organisational Measures
DMS takes the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction.
Dunedin Management Services
Unit 5L, Shivers Business Park
21 Hillhead Road
Toomebridge, Co Antrim
Tel: 028 79639300
Last Updated: 13/Jun/2018