Introduction

Kaizzen Tech regards the lawful and correct processing of personal and sensitive personal data as an integral part of its business.
Kaizzen Tech believes this is vital for maintaining the confidence of the employees, customers, partners and other stakeholders about whom we process data, and for maintaining confidence in Kaizzen Tech itself.

Policy Statement

This Data Protection Policy explains how Kaizzen Tech will meet its legal obligations concerning confidentiality and data security standards.
The requirements within the policy are primarily based upon the EU General Data Protection Regulation (EU GDPR), which is the key piece of legislation covering data security and confidentiality of personal and sensitive personal data in the European Union.
Kaizzen Tech will implement appropriate physical, technical and organisational measures to ensure the security of all data held in or handled by its systems.
The main focus of this policy is to provide guidance on the protection, sharing and disclosure of personal data. It is important to stress, however, that the duty to maintain confidentiality and to comply with data protection legislation applies to anyone who handles personal data or sensitive personal data on behalf of Kaizzen Tech.

Personal Data Definitions

All identifiable customer data.
All identifiable employee data.
All identifiable supplier data.
All other personal data processed by Kaizzen Tech.

Examples of personally identifiable data Kaizzen Tech processes include:

Names, addresses, emails, phone numbers and other contact information.
Photographs, video and audio recordings.

Data Protection Principles

The data protection principles that lie at the heart of the EU GDPR give the Regulation its strength and purpose. Kaizzen Tech fully endorses and abides by these principles.
Personal data and sensitive personal data must not be used for any purpose other than the specific purpose for which it is required to deliver a product or service.
A record may be held in computerised or physical format, or both.
Backup data (i.e. archived data and disaster recovery records) also falls within the scope of data protection legislation. A search of backup data should only be carried out when an individual specifically requests it as part of a formal Subject Access Request.

Practical Implications

Understanding and complying with the data protection principles is the key to understanding and complying with Kaizzen Tech's responsibilities as the data controller. Therefore, Kaizzen Tech will:

Ensure that there are lawful grounds for using the personal data.
Ensure that the use of the data is fair and satisfies one of the lawful bases set out in the legislation.
Only use sensitive personal data where we have obtained the individual’s explicit consent (unless an exemption applies).
Only use sensitive personal data, if it is absolutely necessary.
Explain to individuals, at the time their personal data is collected, how that information will be used.
Only obtain and use personal data for those purposes which are known to the individual.
Ensure personal data is only used for the purpose for which it was given. If the data is needed for any other purpose, further consent will be obtained first.
Only keep personal data that is relevant to Kaizzen Tech.
Keep personal data accurate and up to date.
Only keep personal data for as long as is necessary.
Always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data.
Ensure individuals are given the opportunity to ‘opt in’ to receiving mass communications.
Take appropriate technical and organisational security measures to safeguard personal data.

In addition, Kaizzen Tech will ensure that:

There is an employee appointed as the Security Information Risk Owner with specific responsibility for Data Protection. This is currently the Managing Director.
Everyone managing and handling personal data and sensitive personal data understands that they are legally responsible for following good data protection practice and has read and signed Kaizzen Tech's Data Protection Policy.
Everyone managing and handling personal data and sensitive personal data is appropriately supervised by their line manager.
Enquiries about handling personal data and sensitive personal data are dealt with promptly.
Methods of handling personal data and sensitive personal data are clearly described in policies and guidance.
A review and audit of data protection arrangements is undertaken annually, each year in May.
Methods of handling personal data and sensitive personal data are regularly assessed and evaluated by the Security Information Risk Owner and relevant members of the Executive team.
Performance in handling personal data and sensitive personal data is regularly assessed and evaluated by the Security Information Risk Owner and relevant members of the Executive team.

Roles and Responsibilities

Maintaining confidentiality and adhering to data protection legislation applies to everyone at Kaizzen Tech. All employees and contractors have a responsibility to:

Observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data and sensitive personal data.
Obtain and process personal data and sensitive personal data only for specified purposes.
Only access personal data and sensitive personal data that is specifically required to carry out their activity or work.
Record data correctly in both manual and electronic records.
Ensure that any personal data and sensitive personal data they hold is kept secure.
Ensure that personal data and sensitive personal data is not disclosed in any form to any unauthorised third party.
Ensure personal data and sensitive personal data is sent securely.

Breach of Policy

If an employee fails to comply with this policy, the matter may be treated as misconduct and dealt with under Kaizzen Tech's disciplinary procedures.
Any individuals or organisations with whom Kaizzen Tech's data has been shared may themselves be liable for any breach of the EU GDPR.

Dealing with a Data Breach

If a data breach is suspected, the person who identified the breach should immediately:

Notify the Managing Director.
Document the data incident, recording what was discovered, when it was discovered and which data and individuals are believed to be affected.

Following notification of a breach, the Managing Director will take the following action as a matter of urgency:

Implement a recovery plan, including damage limitation and containment of the breach.
Assess the risks to individuals arising from the breach.
Inform the appropriate people and organisations that the breach has occurred, including, where the GDPR requires it, the supervisory authority within 72 hours of becoming aware of the breach and the affected individuals.
Review Kaizzen Tech's response and update its information security arrangements accordingly.