Last Updated: 29/10/2025
Next Review Date: 29/10/26
1. Purpose
This policy outlines how Highway Data Systems (HDS) complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring that personal data is handled lawfully, fairly, and transparently. The organisation is committed to safeguarding the privacy and rights of individuals and to maintaining compliance through regular reviews and staff awareness.
2. Scope
This policy applies to all employees, contractors, and anyone acting on behalf of HDS who may have access to personal data.
It also extends to third parties and partner organisations who handle personal data on behalf of HDS under appropriate contractual or data processing agreements.
3. Data Protection Principles
HDS adheres to the following data protection principles when processing personal data:
Processed lawfully, fairly, and transparently.
Collected for specified, explicit, and legitimate purposes.
Adequate, relevant, and limited to what is necessary.
Accurate and, where necessary, kept up to date.
Retained only for as long as necessary.
Processed securely to maintain integrity and confidentiality.
4. Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessment (DPIA) was completed when the current legislation came into force to assess the organisation’s processing activities and ensure compliance with data protection requirements.
The DPIA is reviewed annually, or sooner if there are significant changes to systems, processes, or data handling practices.
All outcomes, risks, and recommended actions are documented and monitored to ensure continued compliance.
5. Privacy Notices
All staff receive a GDPR Privacy Notice during induction, explaining how their personal data is collected, used, stored, and shared.
Where personal data is collected from clients, suppliers, or other individuals, a suitable privacy notice will also be made available.
6. Staff Responsibilities
All staff must ensure that personal data is handled securely and in accordance with this policy.
Staff must immediately report any data breaches or suspected breaches to their line manager.
Unauthorised access, disclosure, or misuse of personal data may result in disciplinary action.
7. Confidentiality and Impartiality Agreements
All employees sign Confidentiality and Impartiality Agreements during induction.
These are renewed and re-signed annually to reinforce understanding and compliance with data protection and professional conduct requirements.
8. Data Security
The organisation uses appropriate technical and organisational measures to protect personal data, including:
Secure storage.
Controlled access to systems and files.
Password protection, system monitoring, and secure disposal of data and equipment.
Caution when using portable devices or remote access to ensure data is not exposed to unauthorised individuals.
9. Data Retention
Personal data will not be kept longer than necessary for the purpose it was collected. Retention and disposal are managed in accordance with the organisation’s Document Control and Data Retention Procedure.
10. Data Subject Rights
Individuals have the right to:
Access their personal data.
Request correction or deletion.
Restrict or object to processing.
Request data portability.
Requests should be directed to the individual’s line manager, who will ensure they are handled within statutory timeframes (normally within one calendar month).
11. Data Breach Management
Any personal data breach must be reported immediately to the line manager.
The organisation will assess and document all breaches and, if necessary, notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
12. Review
This policy, including the DPIA, will be reviewed annually or sooner if there are significant organisational, legislative, or procedural changes.
Joe Charlesworth
Director - Highway Data Systems Ltd