Data Protection Policy & GDPR Compliance Statement
Classroom365 Limited (“Classroom365”) collects and processes personal data about individuals, including customers, suppliers, employees, and other stakeholders. This policy outlines the standards and legal requirements Classroom365 adheres to concerning the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This policy applies to all personal data, including electronic and paper records.
This policy aims to:
- Ensure compliance with both the Data Protection Act 2018 and GDPR.
- Safeguard the rights and privacy of individuals.
- Provide transparency about data processing activities.
- Minimise data breach risks.
Classroom365 adheres to the principles set forth by GDPR, which mandates that personal data:
- Is processed lawfully, transparently, and fairly.
- Is collected for specific, explicit, and legitimate purposes.
- Is adequate, relevant, and limited to what is necessary.
- Is accurate and, where necessary, kept up to date.
- Is retained only as long as needed, specifying retention periods or criteria for various data types.
- Is processed in a manner that ensures appropriate security.
- Is processed in a way that upholds the rights of data subjects, including the right to be forgotten and the right to data portability.
- Is not transferred outside the EEA unless adequate safeguards such as Standard Contractual Clauses or an adequacy decision exist.
Roles and Responsibilities:
Everyone associated with Classroom365 plays a role in ensuring data protection:
- Board of Directors: Oversee legal compliance.
- Keith Williams, Data Protection Officer: Manages data protection strategies for GDPR-related queries, ensures compliance with legal requirements, and facilitates staff training.
- Pritesh Ghedia, Company Director: Ensures systems maintain data security standards and evaluates third-party data processors for compliance.
- Rachele Pollio, Office Manager: Manages external communications and oversees marketing strategies’ compliance with GDPR principles.
To ensure data protection:
- Access data only when necessary.
- Do not share data without proper authorisation.
- Undergo regular GDPR policy compliance training.
- Ensure data security with strong passwords.
- Regularly review and update data.
- Seek guidance from the Data Protection Officer when uncertain.
Data Storage Protocols:
Store data securely and make it inaccessible to unauthorised individuals.
- Electronically stored data must be protected by strong passwords and security measures.
- Use only GDPR-compliant cloud storage services.
- Avoid using mobile devices as primary data storage.
Data Usage Protocols:
- Ensure data displays are locked when unattended.
- Encrypt data for electronic transfers, avoiding email for personal data transmission.
- Adhere to GDPR guidelines when transferring data outside the EEA.
- Always use centralised data systems.
Maintain the accuracy of data:
- Regularly validate and update data.
- Provide avenues for data subjects to update their data easily.
- Cross-check marketing databases against industry suppression files biannually.
Subject Access Requests:
Under GDPR, individuals can request access to their data:
- Direct requests to the data controller at email@example.com.
- Verify the identity of the requester before processing.
GDPR allows certain exceptions for data disclosure without consent, such as for law enforcement. Classroom365 will verify the legitimacy of such requests.
In case of a data breach, Classroom365 will notify the Information Commissioner’s Office (ICO) within 72 hours, as required by the GDPR.
Data Protection Impact Assessments:
Classroom365 conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities to protect personal data.
Review and Updates:
This policy will be reviewed biannually by the Board of Directors. Changes will be documented, and a versioning system will be maintained to track policy updates over time.