Context Overview
The General Data Protection Regulation 2016/679 (GDPR) is an EU regulation which came into effect on 25th May 2018. It updates existing law and places greater accountability on organisations when using personal information on suppliers, customers, business contacts & employees. This policy describes how this personal data must be collected, handled & stored to meet the company’s data protection standards and to comply with the law.

Why this policy exists
This data protection policy ensures that Direct2SchoolBooks:
o Complies with data protection law and follows good practice
o Protects the rights of staff and its customers
o Is transparent about how it stores & processes an individual’s personal data
o Protects itself from the risks of a data breach

Data Protection Law
The General Data Protection Regulation 2016/679 describes how organisations, including Direct2SchoolBooks, collect, handle & store personal data for an individual. The rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The General Data Protection Regulation is underpinned by eight important principles. These principles state that personal data must be:
1. Processed fairly & lawfully
2. Obtained only for specific, lawful purposes
3. Adequate, relevant & not excessive
4. Accurate & kept up to date
5. Held only for as long as is necessary
6. Processed in accordance with the rights of the data subject
7. Protected in appropriate ways
8. Not transferred outside the EU, unless that country or territory also ensures an adequate level of protection

Policy scope
This policy applies to all data that the company holds relating to living individuals, even if that data technically falls outside of the GDPR 2016/679. This can include:
o Names of individuals
o E-mail addresses
o Phone numbers
o Any other information relating directly or indirectly to individuals that clearly identifies that individual

Data Protection Risk
This policy helps to protect Direct2School from some very real data security risks, including:
o Breaches of confidentiality – e.g. information being given out inappropriately
o Failing to offer choice – All individuals should be free to choose how the company uses data relating to them
o Reputational damage – e.g. the company could suffer reputational damage if hackers successfully gained access to sensitive data

Direct2Schoolbooks has responsibility for ensuring that data is collected, stored and handled appropriately in line with this policy as well as ensuring it meets its legal obligations.

Data Storage
When personal data is stored electronically, it should be protected by strong passwords that are regularly changed and never shared between employees.

Data Accuracy
The GDPR requires that Direct2Schoolbooks takes reasonable steps to ensure that data is kept accurate & up to date.
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

