The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018. It brought the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the digital age requirements. While no longer part of the EU, the UK adopts GDPR under legislative reforms that retain parity with EU regulations.
The 21st Century brings broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.
TM Pharma Group (TMPG) (‘we’, ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information we process, and to providing a compliant and consistent approach to data protection. We have a robust and effective data protection programme that complies with existing law and abides by the data protection principles. However, we recognise our obligation to continually update our policy and policy statement to meet the demands of the GDPR and the Data Protection Act 1998 and 2018 as amended.
TMPG is dedicated to safeguarding the personal information under our remit. We are committed to continually developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of our legal requirements. Our preparation and objectives for GDPR compliance have been summarised in this statement. They include developing and implementing new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.
TMPG has a consistent level of data protection and security across our organisation, and we aim to remain fully compliant with the GDPR through annual review. Our preparation includes:
- Information Audit – carrying out a company-wide information audit to identify and assess our personal information, where it comes from, how and why it is processed, and if and to whom it is disclosed.
- Policies & Procedures – [revising/implementing new] data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
- Data Protection – our central policy and procedure document for data protection has been authored to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand, adequately disseminate, and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
- Data Retention & Erasure – we review our retention policy and schedule, ensuring we meet the ‘data minimisation’ and ‘storage limitation’ principles. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subject rights apply, along with any exemptions, response timeframes and notification responsibilities. We also ensure that personal information is stored, archived and destroyed compliantly and ethically.
- Data Breaches – our breach procedures ensure safeguards and measures to identify, assess, investigate, and report any personal data breach at the earliest possible time. Our robust systems have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
- International Data Transfers & Third-Party Disclosures – where TMPG stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We undertake strict due diligence and verification of data recipients, ensuring appropriate protection safeguards, enforceable data subject rights, and effective legal remedies. Our systems include a continual review of the countries with sufficient adequacy decisions and provisions for binding corporate rules, standard data protection clauses or approved codes of conduct for those countries without.
- Subject Access Request (SAR) – our SAR procedures accommodate the revised 30-day timeframe for providing the requested information and make this provision free of charge. Our procedures include data subject verification, processing an access request, and determining what exemptions apply, plus a suite of response templates to ensure our responses to data subjects are compliant, consistent and adequate.
- Cyber Essentials Accreditation – backed by the National Cyber Security Centre (NCSC) – TMPG has achieved the accreditation standard for cyber security.
- Legal Basis for Processing – we constantly review all processing activities to ensure the legality and that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Privacy Notice / Policy – we check that our Privacy Notice(s) comply with the GDPR. We ensure individuals whose personal information we process are informed why it is needed and used. We also address their rights, to whom the information is disclosed, and what safeguards are in place to protect it.
- Obtaining Consent – we revised our consent mechanisms, ensuring individuals understand what they are providing, why and how we use it. We have stringent processes for recording consent, ensuring we can evidence an affirmative opt-in. We hold time and date records and an easy-to-see and accessible way to withdraw consent at any time.
- Direct Marketing – TMPG does not currently engage in direct marketing. We are cognizant of the requirements for precise opt-in mechanisms for marketing subscriptions. Also, a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
- Data Protection Impact Assessments (DPIA) – where we process high-risk information, carry out large-scale processing, or handle special category/government/conviction data, we have developed stringent procedures and assessment templates for impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented processes that record these assessments. They allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the threat posed to the data subject(s).
- Processor Agreements – if we use third-party processes, we will draft compliant contracts to ensure everyone meets and understands their GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
- Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements. We have high-level encryptions and protections on all such data. Special category data is only processed where necessary and only when we have identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being signposted.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information via line managers. We also keep accessible files and folders covering an individual’s right to access any personal information that TMPG processes about them and to request information about:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed, and the process for requesting this
- The right to request the erasure of personal data (where applicable) or to restrict processing under data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and whom to contact in such instances
Information Security & Technical and Organisational Measures
TMPG takes the privacy and security of individuals and their personal information very seriously. We take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure, or destruction, and have several layers of security measures, including:
- Cyber Essentials annual accreditation.
- IT security policies and procedures, including personal devices.
- Paperless office processes where possible to minimise the risk of data loss.
- Hierarchical levels of data access with audit and intrusive supervision.
- Pseudonymisation of identifiable data in management reporting.
- Staff IT security awareness, continual training, and CPD.
GDPR Roles and Employees
TMPG has designated Tony Moore as our Data Protection Officer (DPO) & Appointed Person. He is responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR compliance, identifying gaps, and implementing new policies, procedures, and measures.
TMPG understands that continuous employee awareness and understanding is vital to continued compliance with the GDPR and has involved our employees in our preparation plans. We have implemented employee training covering GDPR (EU) and GDPR (UK) legislation. This training is supported by regular staff meetings with IT and data compliance as agenda items.
If you have any questions about our preparation for the GDPR, please contact Tony Moore – Data Protection Controller and Appointed Person – email@example.com
- Version 1 to April 2022
- Version 2 revised January 2023 for Website inclusion