Introduction

In undertaking its business activities XRAIL Group Limited (XRAIL) has to create, gather, store and process data on a variety of Data Subjects such as its workers, customers, suppliers, partners and associates. XRAIL’s use of data ranges from financial transactions with commercial customers through to the processing of staff details, from job application to working for the business.

Some of the data we create, collect, store and process will be other people’s personal or sensitive data such as: name, address, racial or ethnic origin, contact details, etc.

Data protection legislation has existed in the UK for many years with the Data Protection Act (1998) being the current iteration. However, from 25th May 2018, a new European legislation will come into force – the General Data Protection
Regulation (GDPR).

The GDPR applies to all ‘personal data’ which it defines as: all data relating to, and descriptive of, living individuals. Those individuals are referred to as ‘data subjects’. For further definitions of the terms used please refer to Chapter 1 of the General Data Protection Regulation.

Under this regulation, XRAIL is a Data Controller because it processes personal data that belongs to Data Subjects.

We currently process personal data strictly in accordance with current Data Protection legislations and remain committed to continuing our track record in relation to the GDPR.

Aim

The aim of this policy is to renew our commitment to privacy and data protection and to set out the responsibilities of XRAIL, its staff, partners, associates and contractors (herein referred to as ‘workers’) to comply fully with the GDPR as a Data Controller.

Policy

This policy applies to all workers of XRAIL and all items of personal data that are created, collected, stored and/or processed through any activity of the company, across all areas of the business including offices, and professional services. As our recording and use of data continues to increase, it is ever more important that all members of XRAIL understand the regulations in relation to privacy and data protection, and their own responsibilities in the process of data control. Data protection is an important part of XRAIL’s overall information security arrangements. The personal information of our Data Subjects must be handled safely and securely according to this policy. In addition to good practice, some data sets are subject to external legislation and it is vital that staff recognise both categories in their handling of information and data.

The GDPR places obligations on XRAIL and the way it handles personal data. Consequently, all our workers have a duty to ensure that personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have valid reasons for processing (e.g. a consent obtained from the Data Subject or a contract exists with them) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice).

There are restrictions on what we are allowed to do with personal data and these include the unauthorised accessing, processing, passing on to third-parties, or use for direct marketing.

There are important rules on data retention and portability, and the right of the Data Subjects to be forgotten or to access data that is held about them.

XRAIL is committed to a policy of protecting the rights and privacy of its Data Subjects with respect to the safe processing of their personal data and safeguarding it against unlawful access. We will continue to be pro-active in this direction and will allocate adequate resource, processes, training, awareness and auditing across all parts of our business in order to meet these obligations. We will continually monitor, measure and assess our performance on GDPR. We will ensure that the risk of data security breaches is as low as reasonably practicable at all time and that, should the worse happen, we are ready to report the incident within 72 hours to the IOC and the Data Subjects affected.

We welcome the new GDPR as an opportunity to continue growing our corporate privacy culture.

Munir Patel
Managing Director