MRC GDPR Statement (General Data Protection Regulation)

Responsibilities

The Data Protection Officer (DPO) is responsible for ensuring compliance with the GDPR. However, all employees working on behalf of MRC are required to take a level of responsibility when handling data.

1. Enforcement/Responsibility

1.1. Our Data Protection Officer is Craig Pask, who can be contacted via email to

2. Data Definition

2.1. The GDPR will cover data classified as:

2.1.1. ‘Personal Data’ – Any information relating to an identifiable person, e.g. name, telephone number and personal address

2.1.2. ‘Sensitive Personal Data’ – Special categories of personal data, e.g. biometric data, ethnic origin and sexual orientation

3. Reporting of a Breach

3.1. In line with the GDPR, MRC is committed to ensuring that any breach of data will be brought to the attention of its national regulator within 72 hours. As part of the GDPR, MRC is committed to implementing controls across the six principal areas as stated below. These outline how a Data Controller shall process the personal data of clients or data subjects.

3.2. Lawful, Fair and Transparent Processing

3.2.1 Data Audit – Data processed by MRC will be stored both electronically and via hard copies that will be securely protected.

3.2.2 Disclosure – If an individual wishes to view the data held by MRC they will need to contact our DPO and fill in a Data Request form.

3.3. Purpose Limitations

3.3.1 All data collected must be justified on the basis of one of the lawful purposes.

These are:

3.3.2 Consent – Clear consent to process an individual’s personal data for a specific purpose, e.g. if emailing a personal email rather than a company email

3.3.3 Contract – The processing is necessary for a contract MRC has with the individual

3.3.4 Legal Obligation – The processing is necessary for MRC to comply with the law

3.3.5 Vital Interests – The processing is necessary to protect someone’s life

3.3.6 Public Task – The processing is necessary for MRC to perform a task in the public interest

3.3.7 Legitimate Interests – The processing is necessary for MRC’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

3. Data Minimisation

3.1 MRC will guarantee minimal data is collected by ensuring that personal data shall be adequate, relevant and limited to what is necessary for the purposes of processing.

4. Accuracy

4.1 MRC will ensure that any personal data that is inaccurate in regard to the purposes for which it was processed is either erased or rectified.

4.2 If an individual believes data held is incorrect or has changed they should contact our DPO to fill in a Data Rectification Form.

5. Storage Limitation

5.1 The data that is retained will be detailed in any agreement we have in place. The data subject shall always be able to opt out of any agreement, e.g. with email correspondence there is the option to opt out.

6. Integrity and Confidentiality

6.1 MRC ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Rights of the data subject

Each individual will have the below rights, and all companies should adhere to the provision of these:

• Breach Notification – Businesses will have 72 hours to notify their national regulator of a breach

• Right to Access – The right to obtain confirmation as to whether personal data is being processed, where and for what purpose

• Right to be Forgotten – The right for data to be removed when no longer relevant to the original purposes for processing

• Data Portability – The right to receive personal data concerning the individual and the right to transmit that data to another controller.

• Privacy by Design – Requirement of data protection from the onset of the designing of systems rather than as an addition. Furthermore, to hold and process only the data absolutely necessary for the completion of its duties.

Breaches of this policy

• Any breaches of this policy will be taken seriously and dealt with in an appropriate manner.

• The breach of this policy by staff or a director of the company may lead to disciplinary action being taken in accordance with our disciplinary procedure. Serious breaches may be regarded as gross misconduct and may lead to immediate dismissal further to our disciplinary procedure.

• Everybody to whom this policy applies, including contractors, associates and any other third-party representative, will be expected to co-operate to the fullest extent possible in any investigation into suspected breaches of this policy or any related processes or procedures.

Policy Monitoring

• This policy may be continuously updated. If any part of this policy is unclear, clarification should be sought from a director.