ERP PRIVACY NOTICE
Inspire Data Protection/GDPR Reassurance Statement for Professional Clients and other Agencies
Last Updated – December 2021
Inspire set high standards for privacy and promote a positive attitude to data protection across the services and jurisdictions in which it operates.
Inspire Group systems, processes, procedures and security controls ensure the appropriate processing and security of Personal Data at all times in line with relevant legislation (e.g. Data Protection Acts 1988 – 2018 and the UK/EU General Data Protection Regulation (GDPR) and the guidance from time to time as issued by the UK Information Commissioner/Data Protection Commissioner of Ireland).
Inspire will not process sensitive or special category data on behalf of any other business unless under specific written instruction.
We work to ensure regulators, partners and individuals can see how we are managing personal data risks and endeavour to secure their trust and confidence. By implementing the following across the Inspire Group:
Appointed a dedicated Data Protection Officer Role across the Inspire Group UK and Ireland. The DPO is registered with both the Data Protection Commission (DPC Ireland) and the Information Commissioner Office (ICO UK). Our DPO has specific responsibilities in line with Article 39 of the GDPR for data protection compliance, data protection policies, awareness raising, training and audits.
There is an organisational structure for managing data protection and information governance, which provides strong leadership, clear reporting lines and responsibilities, and effective information flows.
Inspire have a monitored Data Protection Accountability Framework in place which covers the following categories:
- Leadership and oversight,
- Policies and procedures,
- Training and awareness, Individuals’ rights,
- Transparency, Records of processing and lawful basis,
- Contracts and data sharing,
- Risks and data protection impact assessments,
- Records management and security,
- Breach response and monitoring.
Our policies and procedures foster a ‘data protection by design and by default’ approach across our organisation. We have a review and approval process in place to make sure that policies and procedures are consistent and effective. We update policies and procedures without undue delay when they require changes, e.g. because of operational change, court or regulatory decisions or changes in regulatory guidance. All policies, procedures and guidelines show document control information, including version number, owner, review date and change history.
The Inspire Group currently have effective data protection policies and procedures in place to help our organisation take the practical steps to comply with our legal obligations including:
- Data Protection/GDPR Policy
- Subject Access Request Procedure
- Data Breach Procedure
- Data Protection Impact Assessment Procedure
- Right to be Forgotten Procedure
- Inspire Group Privacy Statement and specific project privacy statements in place
- Data Sharing/Processing Agreements in place
- Standard Contractual Clause (SCC) in place (where required to provide an appropriate safeguard for transfer of data outside of EU)
- Data Records Management Framework – including Retention & Disposal policy, procedure and schedule
- Complaints Procedure
- Confidentiality Policy – in line with the Caldicott Principles
- Organisation Logs – Our organisation logs receipt of all verbal and written requests from individuals and updates the log to track the handling of each request
Inspire operate an all-staff data protection and information governance training programme with staff completing initial GDPR training as part of induction and also ongoing as part of localised team/department/role skills development annually.