GDPR Policy 2019


KeyOstas Limited needs to gather and use information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has or may need to contact.

This policy describes how this potential data must be collected, handled, stored and disposed of to meet The GDPR 2018 requirements, to comply with the Law.


This GDPR policy ensures KeyOstas Limited

• Complies with the regulations and follows good practice
• Protects the rights of staff, clients and partners
• Is transparent about how it collects, stores and processes individual’s data
• Protects itself from the risks of data breach

Data Protection Law

The Data Protection Act 1998 is being replaced by the General Data Protection Regulations in May 2018 (following an EU directive). The regulations describe how a company must collect, handle, store and dispose of personal information.

The Regulations apply whether the data is stored electronically or as hard copy.
Data kept will be: –

1. Collected fairly and legally
2. Individual will be made aware and must actively give permission
3. Data must be relevant
4. Data will be accurate and current
5. Not be held for longer than necessary
6. Be protected appropriately
7. Destroyed on request – right to be forgotten
8. Be supplied on request to the relevant individual FOC
9. Not shared with any other party without permission


This policy applies to: –

• All KeyOstas offices
• All staff
• All contractor’s supplier’s associates and others working on behalf of the company

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside GDPR 2018. This data will include:

• Names of individuals
• Postal addresses
• E-mail addresses
• Telephone numbers – landline and mobile
• Any other information relating to individuals


This policy helps to protect KeyOstas from security risks including:

• Breaches of confidentiality e.g. divulging information by mistake
• Failing to offer choice e.g. preventing the individual giving permission on holding data what is held and how it is stored
• Reputational damage e.g. company servers being hacked and sensitive data being stolen


All staff have some responsibility for ensuring that data is collected handled stored and disposed of appropriately. Each team must ensure that data is handled in line with GDPR 2018.

Key stake holders are: –

Managing Director – Craig Gibbs is responsible for ensuring the company meets its legal requirements under GDPR 2018

Data Protection Officer – Vicky Jones is responsible for

• Keeping the directors updated
• Reviewing GDPR procedures
• Arranging GDPR e-learning training for people covered by this policy
• Handling data protection questions from staff and anyone else covered by the policy
• Dealing with requests from individuals who request to see data KeyOstas holds on them
• Ensure any third party conforms with Key Ostas GDPR policy

Sales & Marketing Manager – Devon Glithero is responsible for: –

• Ensuring marketing initiatives conform with GDPR
• Approving any data protection statements attached to letters and email

IT Managed Service Provider – 81gblue are responsible for: –

• Ensuring that all systems, security and equipment used for storing data meet acceptable security standards
• Perform regular checks and scans to ensure security hardware and software is functioning correctly
• Evaluate any third-party services the company is considering using to store or process data e.g. cloud computing services

General Staff

• The only staff accessing data should need to do it for their work
• Data must not be shared informally
• KeyOstas will provide eLearning training to staff where appropriate
• Staff should keep all data secure and take sensible reasonable precautions.
• Staff should use strong passwords and change regularly
• Personal data must not be disclosed to unauthorised people either internally or externally
• Where on review data is found to be no longer needed it should be disposed of appropriately
• Staff should request help from their manager or Data Protection Officer if they are unsure of any aspect of GDPR

Collection & Storage

• When data is collected it must be with the permission of the individual. Passive agreement is not agreement so the individual must be told we are keeping their data, what will be recorded and the fact it will be stored and agree.
• Data will be stored in a secure place either electronically or as hard copy.
• Staff should ensure that they do not leave hard copy records where unauthorised people could see them
• Data should be disposed of securely – e.g. shredded when no longer required
• Where data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
• Data should be protected by strong passwords, changed regularly and never shared between staff
• Data will only be stored on designated servers drives and approved cloud computing services
• Portable drives will be kept securely
• Data will be backed up frequently, at the end of each day. The backup is removed from site
• Servers are protected with security software and appropriate firewalls


Data is at the highest risk of loss corruption or theft when it is being used:

• Staff should ensure no data is visible on screens when they are unattended
• Personal data should not be shared informally, where possible it should not be sent by email which is not secure
• Staff should not save copies of personal data to their own computer


KeyOstas Ltd will take reasonable steps to ensure data is kept up to date and it is accurate and relevant: –

It is the responsibility of staff to take reasonable steps to ensure data kept is accurate and up to date

• Data will be held in as few places as possible. Unnecessary additional sets will not be created
• Staff should take the opportunity to update client personal data – by confirming client details when speaking to a client
• Data will be updated as inaccuracies are discovered e.g. if the client can no longer be reached on a specific phone number it should be deleted from the database

Subject Access Request

The person whose data is held is referred to under GDPR as the subject.

The subjects of KeyOstas Ltd are entitled to:

• Ask what information is held on them
• Ask how to gain access to it
• Be informed how to keep it up to date
• Be informed how the company is meeting it legal obligations under GDPR 2018

Subject access requests should be made to the Data Protection Officer (Vicky Jones) formally in writing. Information will be supplied free of charge within 1 month of the request.

The Data Protection Officer will always verify the identity of the person making the subject access request before handing over any information.

Disclosing Data for other reasons

In certain circumstances KeyOstas may be required to provide personal data to certain authorised agencies e.g. police, HSE etc. Under these circumstances the data controller will ensure the request is legitimate seeking legal advice where necessary.

Craig Gibbs
Managing Director
Date: 25 May 2018