GDPR Compliance Policy

1. Introduction

Little Steps Southwest Limited is committed to protecting the privacy and security of personal data. This policy outlines our approach to ensuring compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It applies to all employees, contractors, and third-party service providers who handle personal data on behalf of the company.

2. Data Protection Principles

We adhere to the following data protection principles:

  1. Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently.

  2. Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.

  3. Data Minimisation: Personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  4. Accuracy: Personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.

  5. Storage Limitation: Personal data is kept in a form that permits identification of data subjects for no longer than necessary.

  6. Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

  7. Accountability: We take responsibility for complying with the GDPR and can demonstrate compliance with all the above principles.

3. Data Subject Rights

We respect and uphold the rights of data subjects, including:

  • Access: Individuals can request access to their personal data.

  • Rectification: Individuals can request correction of inaccurate or incomplete data.

  • Erasure: Individuals can request the deletion of their personal data where there is no compelling reason for its continued processing.

  • Restriction: Individuals can request the restriction of processing of their personal data.

  • Data Portability: Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format.

  • Objection: Individuals can object to the processing of their personal data in certain circumstances.

  • Automated Decision-Making: Individuals have the right not to be subject to automated decision-making, including profiling, which has legal or similarly significant effects on them.

4. Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Personal data is encrypted both in transit and at rest using strong encryption standards.

  • Access Control: Access to personal data is restricted to authorised personnel only.

  • Physical Security: Personal data stored in physical formats is kept in locked cabinets and rooms with restricted access.

  • Incident Response: We have procedures in place to detect, report, and investigate personal data breaches.

5. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and data protection laws. The DPO can be contacted at:

6. Training and Awareness

We provide regular training to all employees on data protection principles and their responsibilities under GDPR. We also promote a culture of data protection within the company.

7. Review and Updates

This policy is reviewed annually or when significant changes occur to ensure it remains relevant and effective. Any updates will be communicated to all employees and relevant stakeholders.

Signed:

Jules Carmock, Managing Director, Little Steps Southwest Limited, Date: 07.02.2025