Doc owner: TBD
Data Protection Policy
Seeded from legacy Allied Information Security Policy (GDPR principles + data subject rights). Content carried over for review. Lawful basis, DPIAs, breach notification, records of processing, and international transfers are not covered in the legacy doc and need drafting.
Purpose
To define how Allied protects personal and other sensitive data in line with applicable data protection legislation (UK GDPR, Data Protection Act 2018) and ISO 27001 expectations.
Scope
Applies to all personal data and other sensitive data processed by Allied, in any role (controller or processor).
Roles and responsibilities
| Role | Responsibility |
|---|---|
| TBD (policy owner) | Accountable for data protection compliance |
| Data owners | Apply protection measures to data under their control |
Public privacy policy
Allied's externally published privacy policy lives at allied.adaptive.industries/policies/privacy. That document is the customer- and visitor-facing statement of what data Allied collects, how it is used, and how data subjects can exercise their rights. This internal Data Protection Policy is its operational counterpart — when the published privacy policy changes, the corresponding controls and records here must be reviewed for alignment.
GDPR principles
We must keep the data of our users, customers and employees safe and secure, in line with the GDPR principles:
- Lawful, fair and transparent processing
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and accountability
Data subject rights
The GDPR introduced new rights and expanded previously existing ones. These apply to our users, customers and to all of us as individuals:
- Right of access
- Right to rectification
- Right of erasure ('right to be forgotten')
- Right to restrict processing
- Right to data portability
- Rights around automated decision making
Receiving and handling requests
- Any form of written request is valid, as long as it is coming through an official company method of communication (i.e. LinkedIn, email, etc).
- If you receive a request that might be classed as one of the above, message the Allied security officer and/or CEO.
Things to keep in mind:
- Don't panic — we have 30 days to respond to these.
- Engage as little as possible and don't make promises you're not sure we can keep.
- More often than not, these requests will not follow a formalised structure or explicitly say that they are actioning a particular request. Common phrases to help you identify them are:
- "How did you get my data?"
- "How can I have a copy of my messages?"
- "I want to delete my account, how can I be sure my data will be deleted?"
- "What information are you collecting about me?"
Breach notification
In accordance with GDPR, any breach affecting personal data must be assessed and notified to affected parties whose details might have been compromised. If a breach refers to the data or system of a customer, we usually have 24 hours to report it to the customer. See POL-DIG-011 Incident Response Plan for the broader incident response process.
Policy statements
TBD — gap analysis to add: lawful basis for processing, DPIA process, records of processing activities (Article 30), international transfers, retention specifics (cross-link with POL-ENT-005), processor due diligence.
Related
- Allied public privacy policy — externally published companion document
- POL-ENT-004 Data Classification Policy
- POL-ENT-005 Data Retention Policy
- POL-DIG-011 Incident Response Plan
- ISO 27001:2022 Annex A.5.34