Introduction
General Data Protection Regulation (GDPR) Enjoy Benefits Ltd Overview
The new EU General Data Protection Regulation (GDPR) is mandatory and came into force on 25 May 2018 impacting every organisation which holds or processes personal data. The act has subsequently been transposed into UK law further to the United Kingdom’s withdrawal from the European Union and so this document, when referring to GDPR legislation, refers to the Data Protection Laws as adopted, amended or superseded by EU legislation where it has legal effect in the UK, or the Data Protection Laws, legislation and regulations as applicable within the UK, currently the Data Protection Act 2018.
Enjoy Benefits Ltd has always been committed to high standards of information security, privacy and transparency. Compliance to ISO 27001, Cyber Essentials Plus accreditation, ISO 9001 and PCI-DSS have been a feature of our security and systems for a number of years. A high priority has always been placed on protecting and managing data in accordance with these standards. Enjoy Benefits typically acts as a data controller or a data processor depending on the context of the relationship with customers and users.
The principles of privacy by design and data protection by default as per Article 25 have been employed throughout compliance measures undertaken.
Article 32 recommendations concerning safe storage, such as risk mitigation of technical measures and regular testing of organisational and technical areas have also been employed. Penetration testing by third party contractors is just one method utilised to ensure best practice is maintained.
Enjoy Benefits Ltd has undertaken the following:
- Analysis of data currently held, and what data will be held in the future
- Analysis of how, when and where personal data is, and will be, gathered and processed
- Analysis of how the data is and will be stored and how long it is/will be stored for
- Documented the data protection measures to demonstrate compliance
- Analysis of the risk to privacy of personal data
- Implemented appropriate technical measures and appropriate controls to preserve privacy
Enjoy Benefits Ltd has implemented the following steps that are recorded in the IMS:
Continuous review and improvement of data security
Implemented a data protection policy that which is continuously reviewed
Information Security Policy
- Documented all data security procedures in the
- Provided extra data protection training to all employees
1. Compliance
Enjoy Benefits Ltd has a robust ISO based Integrated Management System (IMS) and in order to ensure compliance has implemented additional or augmented company-wide controls to meet GDPR requirements within the IMS using internal and external advisors. Led by our experienced management team, updated information security policies and procedures have built on existing management systems. Gap analysis, data protection risk assessments, communication and training programmes are just some of the methods employed to achieve GDPR compliance.
The Enjoy Benefits Ltd Data Protection Officer will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.
In many services Enjoy Benefits Ltd already conformed to GDPR. Existing policies such as incident response plans and backup data retention have been reviewed and updated.
2. Processing Personal Data
All the measures taken by Enjoy Benefits Ltd are designed to:
Prevent unauthorised access and unlawful processing of data
Prevent accidental loss, damage or destruction of data
Preserve data integrity and data subject confidentiality
Process data in a manner that is appropriate and lawful
3. Lawful processing in line with Article 6
Enjoy Benefits Ltd has identified the following lawful processes that are relied upon in the performance of services to data subjects, normally with data subject permission:
- Fulfilling contracts entered into with a data subject – eg, providing services such as payroll, benefits such as Cycle to Work and appointed third parties like pension providers for instance.
- Exercising the legitimate interest of the Data Controller–eg, providing information to the data subject for the benefit of the subject
4. Rights of the data subject
Enjoy Benefits Ltd guarantee the following rights to the data subjects subject to contractual or legal requirements:
Right to be informed of the collection of data, processing reason and period of storage
- Right to rectification of incorrect personal data
- Right to restriction of processing where the data subject contests the accuracy of the data or the need to process it
- Right to data portability to themselves or a third party without hindrance and in a recognised format, securely
- Right to object to the use of all processing including marketing
- Right to erasure of any data held, the right to be forgotten as per Article 17
- Right of access to data held to be free of charge unless the request is excessive or repetitive, must be provided within 1 month or in the case of complex requests registered within 1 month, provided suitable proof of identity is supplied, within a direct and secure self-service interface.
- Right of the data subject to be informed of any breach of data privacy within 72 hours of discovery
5. Consent
Where consent is asked for data processing Enjoy Benefits Ltd will ensure:
1. A positive action has to be undertaken to give permission, it must be explicit and not assumed, and a record will be kept of the consent
2. Any choice will be made clear and unambiguous and preferably a binary choice
3. Where needed consent will be separated for different processing activities and will apply to third party controllers
4. The data subject has the right to withdraw consent without hindrance
6. Data Protection Officer
Enjoy Benefits Ltd has a dedicated Data Protection Officer to:
1. Monitor any regular and/or systematic monitoring such as online behaviour tracking, email campaigns etc
2. Advise the company on data protection regulations and data protection issues
3. To assist data subjects with any requests pertaining to their rights, such as the right to be forgotten Address any issues directly to the Data Protection Officer by email via [email protected], post at Enjoy Benefits Data Protection Officer, 14 School Lane, Heaton Chapel, Stockport, Cheshire. SK4 5DG or telephone 0800 088 7315
Document control information
Version Date issued Details of changes
V1.0 21st March 2018 Initial document
V1.1 21st March 2018 Updated contact information for DPO
V1.2 May 2022 Update to reflect current legislation