(GDPR Data Retention & Erasure Policy)

Policy Statement

Mission Labels recognizes and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the affective management of the business.

The policy and related documents meet the standards and expectations set out by legal requirements and has been developed to meet the best practice of business record management, with the direct aim of ensuring a robust and structured approach to document control and systems management.

Effective and adequate records and data management is necessary to:-

• Ensure that the business conducts itself in a structured, efficient and accountable manner.
• Ensure that the business realizes best value through improvements in the quality and flow of information and greater coordination of records and storage systems.
• Support core business functions and providing evidence of conduct and the appropriate maintenance of associated tools, resources and outputs to customer, suppliers and staff.
• Meet legislative, statutory and regulatory requirements.
• Deliver services to customers, suppliers and staff.
• Assist in document policy formation managerial decision making.
• To ensure that the GDPR Data Retention & Erasure Policy is implemented to the full legal, legislative, statutory and regulatory requirements.

Purpose

The purpose of this document is to provide the companies statement of intent on how it provides a structured and compliant data and records management system with records being defined as all documents, regardless of the format; which facilitates business activities and are thereafter retained to provide evidence of transactions and functions. 

Scope This policy applies to all staff within Mission Labels (meaning permanent, fixed term and temporary staff) and pertains to the processing of personal information specific to the end user. Adherence to this policy is mandatory and non-compliance could to disciplinary action.

General Data Protection Regulation (GDPR)

Mission Labels needs to collect personal information about the people that they employ, work with have a business relationship with to effectively and compliantly carry out everyday business functions and activities and to provide the products and services defined by our business type. This information can include (but is not limited to) name, address, email address, date of birth, IP address, national insurance number,  private and confidential information, sensitive information and bank details.

Objectives. A record is information regardless of how it is created, received and maintained, which evidences the development of and compliance with, regulatory requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is the Company’s objective to implement the necessary records management procedures and systems which assess and manage the following processes;  

• The creation of records.
• Compliance with legal, regulatory and statutory requirements.
• The Storage of records for business purpose only.
• The protection of record integrity and authenticity.
• The use of records and the information contained therein.
• The security of records.
• Access to and disposal of record.

Records contain information that are a unique and invaluable resource to the Company and are an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals such information refers to. Records are also a pivotal in the documentation and evidence of all business functions and activities.

Guidelines.

• Accurate – records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities or practices that they document.
• Accessible – records are always made available and accessible when required (with additional security permission where applicable to the document content)
• Complete – records have the content, context and structure required to allow the reconstruction of the activities, practices and transactions that they document.
• Retention – all records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.
• Designated owners – All systems and records have designated owners throughout their lifecycle to ensure accountability. Owners are assigned based on role, business area and level of access to the data required. All external business data is the specific property of the business that the data originates from. Data and records are never removed, destroyed, revised, updated or destroyed without prior authorization of the designated owner.
• Classification – The five main classifications are, unclassified, public, Internal, Personal, Confidential. The classification is used to decide what access restrictions needs to be applied.
• Paper records – Due to the nature of our business the company retains paper based personal information and as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner.
• Electronic & IT record – The Company uses computer systems which are backed up and protected by encrypted passwords.
• Internal Correspondence and General Memoranda – Unless otherwise stated in this policy, internal correspondence or memoranda should be retained for the same period as the document that they pertain or support.
• Erasure – in specific circumstances, data subjects have the right to request that their personal data is erased. Where the personal data is no longer necessary in relation to the purpose that it was originally collected or processed, when the individual objects or withdraws consent, the data was unlawfully processed, or if the data must be erased in order to comply with a legal obligation.
• Security of Data – All data is stored and erased securely as to the terms of this procedure and as such conforms to the GPDR guide lines.
• Compliance – The Company are committed to ensuring the continued compliance with this policy. The DPO’S (Data protection officers – Andrea White & Dave Humphrey) are tasked with ensuring the continued compliance of the records and data in their remit. DPO’S must be involved in all data retention and erasure and must maintain all records pertaining to the relevant data and disposed of in accordance with the Company’s protocol.

Summary. Mission Labels In preparation for General Data Protection Regulations (GDPR) coming into force on the 25th May 2018 have reviewed the processes to ensure that we are compliant.

As part of this exercise we have reviewed the data we hold relating to our customers and suppliers. All data held is for business purposes and the efficient supply of products and services and our customers and suppliers. Data we hold includes;

• Key contact data including name, email address, telephone numbers, for staff involved in the supply of products and services.
• Contact data including name, email address, telephone number and bank details, for account staff involved in ordering, invoicing and financial queries.