Data Protection Policy

This Data Protection policy is a privacy notice providing information and guidance on some of the data protection controls in place to ensure our data collection and data processing activities, including personal data, are managed effectively and that appropriate controls are in place to protect the confidentiality, integrity and availability of data from all threats whether internal, external, deliberate or accidental.

We have implemented appropriate controls to secure and protect all data using physical, procedural, staff and technical security measures and all workers who access our information assets should be aware of and follow this policy and all other guidance relating to data protection.

Please refer to GLE-POL-026 – G & L Environmental Privacy Notice

Responsibilities for Data Protection

Data protection is the responsibility of everyone who collects, processes or accesses data and information assets, and all protection and control measures must be followed to ensure adequate data protection at all times. Any concerns about data protection should be reported to your line manager and/or the data protection officer / representative.

Protection of Personal Data and Compliance with Data Protection Regulations

It is our policy to protect data and comply with all applicable data protection regulations. Personal data must be controlled and secured and details must not be disclosed to any other person (whether inside or outside the company) unless authorised to do so. To ensure all workers are aware of data protection obligations and information security we have a training programme in place which covers this and other relevant policies. To ensure we are in compliance with data protection regulations including the Data Protection Act (DPA), General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR), the company has taken various measures to ensure we are meeting all requirements.

Where we collect personal data, or are responsible for personal data that is collected, we will ensure we are meeting our responsibilities as the data controller and will retain an up-to-date overview of processing activities and control measures. A summary of our data processing activities will be included in relevant privacy notices to ensure all processing is transparent and data subjects are informed and aware of what personal data we collect, our processing activities, any data transfers and the retention schedule for all personal data.

Data protection measures currently in place include the following:

  • Data Protection Officer (DPO) / Representative – our management system details key management responsibilities including those for data protection where we may be required to respond to subject access requests or formally report data breaches within strict time limits.
  • Personal Data Register – the personal data we collect and process is detailed on the personal data register which also includes a Record of Processing Activities (ROPA) and details of why we collect this data, our lawful basis, associated data subject rights, retention schedule and method of disposal for all personal data.
  • Data Review and Retention – we regularly review and check personal data held to ensure the personal data we hold is only retained for as long as necessary, is lawfully managed and processed and that all personal data held is accurate.
  • Consent – Where it is deemed necessary to use consent as the legal basis for processing personal data the data collection process will include a step where consent is clearly requested from the data subject and data will not be collected if consent is not granted. Records of consent will be retained as long as the personal data collected and should include full details of who consented, when, and the details of how consent was given.
  • Special Category / Sensitive Personal Data – When reviewing personal data, we will also identify any special category data which requires consideration of the condition for processing as well as legal basis for processing. Additional security and controls may also be required for protection of special category and any sensitive data we collect or process.
  • Privacy by Design / Data Protection Impact Assessments (DPIA) – Any new developments, projects or technologies that involve personal data will be reviewed to ensure privacy by design and privacy impact assessments are completed when required. A DPIA will be completed before completing any data processing activities where there is a high risk to individuals from the processing of their personal data.
  • Data Processing / Transfer – Personal data is processed and handled in a lawful and transparent manner with clear communication of what data we hold, why we hold it and how long we retain it as summarised on the personal data register and privacy notices. The personal data register also includes details of all data transfers and the appropriate privacy notices must be kept up to date with relevant details to ensure this is communicated to our data subjects. Controls are in place on the transfer of personal data to ensure this is completed securely and only with approved third parties for the purposes stated in the personal data register.
  • International Transfer of Data – wherever possible we will try to avoid any international transfer of personal data and will ensure the personal data register and privacy notices include details of any international transfers and will obtain consent from data subjects where required.
  • Data and Information Security – we have measures in place to protect Confidentiality, Integrity and Accessibility of all company data and complete regular monitoring and review of the security of data and information security systems. These measures include:
    • Information Classification;
    • IT Systems Monitoring and Backups;
    • Access Control;
    • Secure passwords;
    • IT Equipment checks;
    • Management of Software;
    • Physical Security;
    • Staff training and checks.
  • Subject Access Requests (SARs) – Our data subjects have the right to be informed about our processing of their personal data and also have various other rights with regard to their personal data. Data Subject Access Requests should be directed to our DPO / Data Protection representative who will follow appropriate SAR procedures when dealing with these requests and will respond to all data requests within 1 month.
  • Data Breaches – A data breach is defined as the unintended deletion, alteration or loss of protection of data leading to unauthorised, insecure or accidental access, sharing or transfer of data or information assets which hold or can be used to access our data. All data breaches, suspected data breaches, or information security incidents must be reported and logged. Significant breaches concerning personal data may need to be reported to the relevant data regulatory authorities and affected data subjects.

Further guidance on data protection is available in the management system documentation which also details other relevant policies.

An overview of personal data processing (Record of Processing Activities) is included in appendix i of this policy.

Approved By: Nathan Bond

Date Approved: 23/07/2025

Review Date: 23/07/2026
