NEXIA Group Ltd INFORMATION SECURITY AND DATA PROTECTION POLICY
Key Details
- Policy Prepared By: Deedee Richards
- Approved by: Marc Rayner
- Policy became operational on: May 2025
- Next review date: May 2026
- GDPR Officer – Marc Rayner – GDRP@kevinedward.co.uk
Nexia Group Ltd processes personal data in relation to its own staff and individual client member/potential member contacts. It is vitally important that we abide by the principles of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 set out below.
Nexia Group Ltd holds data on individuals for the following general purposes:
- Staff Administration.
- Advertising, marketing and public relations.
- Accounts and records.
The data will be processed in compliance with the principles of fair processing in Article 5, GDPR. Nexia Group Ltd will:
- Be transparent in relation to employees.
- Tell employees what we are collecting the data for and be specific about what our purposes for processing data are.
- Only collect what we need for the stated, legitimate purposes.
- Keep the personal data up to date and accurate – inaccurate data will be deleted or rectified.
- Not keep data in a form that allows identification of the data subject for longer than is necessary for the legitimate purposes notified to the employee.
- Keep the data secure.
Personal data means data which relates to a living individual who can be identified from the data, or from the data together with other information which is in the possession of, or is likely to come into the possession of, Nexia Group Ltd. Data will only be processed in compliance with the following legal bases:
- Legitimate interest.
- Legal obligation.
- Consent.
Data will be reviewed on a regular basis to ensure that it is accurate, relevant and up to date.
Employees are responsible for ensuring that any changes to old or inaccurate data take place in a timely fashion. In addition, all employees should ensure that adequate security measures are in place. For example:
- Computer screens should not be left open by individuals who are accessing personal information.
- Passwords should not be disclosed.
- Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
- Personnel files should always be locked away when not in use and when in use should not be left unattended.
- Care should be taken when sending personal data in the mail.
- Destroying or disposing of personal data counts as processing. Therefore, care should be taken in the disposal of any personal data to ensure that it is appropriate.
Data subjects are entitled to obtain access to their data on request. All requests to access data by data subjects (i.e. staff or members) should be referred to the Head of Operations. Where a request is granted, the information will be provided within 30 days of the date of the request.
Any requests for access to a reference given by a third party must be referred to Head of Operations – Marc Rayner and should be treated with caution even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with data protection laws, and not disclosed without their consent.
DATA PROTECTION PROCEDURE
SUBJECT ACCESS REQUESTS
A Subject Access Request is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998.
If someone asks you how they make a Subject Access Request, there are a couple of ways that they can do this:
- Via this website.
- Via email to the GDPR Officer – Marc.rayner@kevinedward.co.uk
Please inform the individual that they should include the following in their written request (taken from https://ico.org.uk/for-the-public/personal-information/):
- Their full name, address and contact telephone number
- Any information used by the organisation to identify or distinguish them from others of the same name.
- Details of the specific information they require and any relevant dates
Once the request is received by the GDPR Officer and they have verified it is a genuine request, the GDPR Officer will either send them the specific requested information or grant the individual access to all the personal data we hold for them, which is stored on our CRM system (Adapt), through a portal created by Adapt – for instructions on how to use the portal, please refer to page 18 of the Adapt GDPR Process Enhancements guide.
Once we receive a Subject Access Request, we will do our best to respond to this as soon as possible, but the legal requirement is that we respond within 40 days.
RIGHT TO ERASURE
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’; simply put they want us to remove their personal data from our records.
Once we receive a request from someone to ‘erase/forget’ them, we have one month to respond to that request.
If an individual contacts you asking for Kevin Edward to delete their details from our records, the most effective way to do this would be to ask them to contact the GDPR Officer via email – gdpr@kevinedward.co.uk – providing their name, address and telephone number, so that the GDPR Officer or CEO/MD can contact them to verify their identity and then process the request as quickly as possible.
An individual is able to make a request for erasure verbally or in person to anyone within the company. Should they wish to do this instead of writing to the GDPR Officer, this is the process you must follow:
- Get the individual’s name, contact number and email address – explain that this is for identification verification purposes only and that this information will not be stored.
- Ask them the reason they want us to erase their details.
- Send this information to the GDPR Officer – gdpr@kevinedward.co.uk – and inform the individual that their request will be processed as quickly as possible, but certainly within a 4 week timeframe.
Once the GDPR Officer or CEO/MD is happy that the individual’s identity has been verified, there is a simple ‘workflow’ they will follow within our CRM system (Adapt) that will ensure all of the individual’s personal data is removed and no longer accessible to the business. There is an option within the workflow for the system to ‘remember’ an individual, so that we can ensure we do not contact them again – a ‘skeleton record’ is created with a name and ID only.
For more detailed instructions on how to erase an individual’s data from the CRM system, please refer to the user manual – ask the GDPR Officer for a copy if you don’t already have one.
DATA RECTIFICATION PROCEDURE
What is the right to rectification?
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.
This right has close links to the accuracy principle of the GDPR (Article 5(1)(d)). However, although you may have already taken steps to ensure that the personal data was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
What to do if you receive a request for data rectification:
- For simple rectification requests, simply log into the CRM system (Adapt) and change the data yourself.
- For more complex requests, ask the individual to contact the GDPR Officer – gdpr@kevinedward.co.uk – with their request.
NB: Data rectification requests should be dealt with as soon as possible, but at least within a month of receiving the request. Please inform any individuals making a data rectification request of this.
DATA PORTABILITY PROCEDURE
What is the right to data portability?
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
What to do if an individual makes a data portability request:
- If the request is for something simple, such as a copy of their CV, then you can simply email this across to them yourself.
- If the request is for more detailed information, you have 3 options:
  - Run the request past your Line Manager and, as long as they are happy for you to send the requested information, email it directly to the individual yourself.
  - Ask the individual to email the GDPR Officer – gdpr@kevinedward.co.uk – and they will reply with the information as quickly as possible, but at the very least within one month of the date of the request.
  - The GDPR Officer can grant the individual access to our CRM system, where the individual will be able to view all the personal data we hold for them online.