Early Break is fully committed to complying with the General Data Protection Regulation (GDPR).
The GDPR applies to all organisations that process data relating to employees and others, including customers, contractors, and clients. It sets out principles that should be followed by those who process data and gives new and extended rights to those whose data is being processed.
To this end, Early Break endorses fully and adheres to the six principles of data protection, as set out in Article 5 of the GDPR.
Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, Early Break will:
Observe fully the conditions regarding the fair collection and use of information, including the giving of consent
Meet its legal obligations to specify the purposes for which information is used
Collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements
Ensure the quality of information used
Ensure that the information is held for no longer than is necessary
Ensure that the rights of people about whom information is held can be fully exercised under the GDPR (ie the right to be informed that processing is being undertaken; to access one’s personal information; to prevent processing in certain circumstances; and to correct, rectify, block or erase information that is regarded as incorrect)
Take appropriate technical and organisational security measures to safeguard personal information
Publicise and abide by individuals' right to appeal or complain to the supervisory authority (the Information Commissioner's Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection
Ensure that personal information is not transferred abroad without suitable safeguards.
Disaster Recovery
Early Break backs up data regularly in order to have at least a month’s worth of data at any one time. Records of these are kept.
Backups are kept off-site. Any kept on site are in a special heat-proof safe.
Backups are verified regularly by the software and system supplier.
Master copies of software are stored off-site or in a heat-proof safe.
Firewalls and virus checkers are kept up to date and running, and users are trained in virus avoidance and detection.
Computers are protected from physical harm, theft or damage, and from electrical surges using protective plugs.
Early Break plans for how to deal with loss of electricity, external data links, server failure, and network problems. It uses paper forms where necessary for temporary record keeping.
Subject Consent
The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent is allowed. As required by the GDPR, Early Break takes a "granular" approach, ie, it asks for separate consent for separate items and will not use vague or blanket requests for consent. In addition to keeping evidence of any consent, Early Break ensures that people can easily withdraw consent (and tells them how this can be done).
It should be noted, however, that consent is only one of the lawful bases on which data processing depends. In brief, the others include the following.
Contract: if processing someone’s personal data is necessary to fulfil the organisation's contractual obligations to them (e.g. to provide a quote).
Legal obligation: if processing personal data is necessary to comply with a common law or statutory obligation.
Vital interests: not one that will occur often, as it refers to processing personal data to protect someone’s life (and even then, it cannot be relied on with regard to health data or other special category data if the individual is capable of giving consent).
Legitimate interests: the most flexible lawful basis for processing, and one that applies when data is used in ways people would reasonably expect and has a minimal privacy impact, or where there is a compelling justification for the processing.
Note that the GDPR provides special protection for children’s personal data, and Early Break will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16.
Conclusion
This policy sets out Early Break’s commitment to protecting personal data and how that commitment is implemented in respect of the collection and use of personal data.
Policies
Early Break Data Protection & Privacy Policy
At Early Break, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect personal information you share with us—whether you’re accessing support, making a referral, or browsing our website.
We are committed to handling all data in a way that respects your rights and protects your confidentiality.
General Data Protection Regulation (GDPR) 2018
Your data, which we carefully store and manage
In line with GDPR, Early Break is committed to protecting all sensitive personal data. If you have an enquiry as to how we safeguard sensitive personal data, or have a complaint, please get in touch with our Data Controller or our Caldicott Guardian:
Data Controller
Luke Bidwell
Chief Operating Officer
Tel: 0161 723 3880
Email: lbidwell@earlybreak.co.uk
Caldicott Guardian
Vicky Maloney
Chief Executive Officer
Tel: 0161 723 3880
Email: vmaloney@earlybreak.co.uk