Purpose
This policy sets out Rexon Consulting Ltd’s approach to managing personal data and ensuring compliance with UK GDPR and the Data Protection Act 2018. It complements our Privacy Policy and applies to all employees, contractors, and third parties handling data on our behalf.
Data Protection Principles
We adhere to the following principles:
- Lawfulness, fairness, and transparency
- Purpose limitation – collected for specified, legitimate purposes only.
- Data minimisation – limited to what is necessary.
- Accuracy – kept up to date.
- Storage limitation – retained only as long as needed.
- Integrity and confidentiality – processed securely.
Roles and Responsibilities
- Board of Directors: ultimate accountability for data protection governance.
- Data Protection Lead: oversees compliance, risk assessments, and staff training.
- All Staff: responsible for following policies and reporting incidents promptly.
Data Processing and Risk Management
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
- Maintain a Record of Processing Activities (RoPA).
- Report and document all data breaches within 72 hours to the Data Protection Lead.
Third-Party Data Processors
All suppliers handling personal data must:
- Sign a Data Processing Agreement.
- Provide evidence of GDPR compliance.
- Notify Rexon of any incident immediately.
Training and Awareness
All staff receive annual data-protection and information-security training.
Awareness refreshers are delivered following policy updates or incidents.
Monitoring and Review
The policy is reviewed annually by the Board and updated where necessary.
Non-compliance may result in disciplinary action or termination of supplier contracts.