Data Protection Policy

Purpose

This policy sets out Rexon Consulting Ltd’s approach to managing personal data and ensuring compliance with UK GDPR and the Data Protection Act 2018. It complements our Privacy Policy and applies to all employees, contractors, and third parties handling data on our behalf.


Data Protection Principles

We adhere to the following principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation – collected for specified, legitimate purposes only.
  3. Data minimisation – limited to what is necessary.
  4. Accuracy – kept up to date.
  5. Storage limitation – retained only as long as needed.
  6. Integrity and confidentiality – processed securely.

Roles and Responsibilities
  • Board of Directors: ultimate accountability for data protection governance.
  • Data Protection Lead: oversees compliance, risk assessments, and staff training.
  • All Staff: responsible for following policies and reporting incidents promptly.

Data Processing and Risk Management
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
  • Maintain a Record of Processing Activities (RoPA).
  • Report and document all data breaches within 72 hours to the Data Protection Lead.

Third-Party Data Processors

All suppliers handling personal data must:

  • Sign a Data Processing Agreement.
  • Provide evidence of GDPR compliance.
  • Notify Rexon of any incident immediately.

Training and Awareness

All staff receive annual data-protection and information-security training.

Awareness refreshers are delivered following policy updates or incidents.


Monitoring and Review

The policy is reviewed annually by the Board and updated where necessary.

Non-compliance may result in disciplinary action or termination of supplier contracts.