Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Data Protection Policy

Seeded from legacy Allied Information Security Policy (GDPR principles + data subject rights). Content carried over for review. Lawful basis, DPIAs, breach notification, records of processing, and international transfers are not covered in the legacy doc and need drafting.

Purpose

To define how Allied protects personal and other sensitive data in line with applicable data protection legislation (UK GDPR, Data Protection Act 2018) and ISO 27001 expectations.

Scope

Applies to all personal data and other sensitive data processed by Allied, in any role (controller or processor).

Roles and responsibilities

RoleResponsibility
TBD (policy owner)Accountable for data protection compliance
Data ownersApply protection measures to data under their control

Public privacy policy

Allied's externally published privacy policy lives at allied.adaptive.industries/policies/privacy. That document is the customer- and visitor-facing statement of what data Allied collects, how it is used, and how data subjects can exercise their rights. This internal Data Protection Policy is its operational counterpart — when the published privacy policy changes, the corresponding controls and records here must be reviewed for alignment.

GDPR principles

We must keep the data of our users, customers and employees safe and secure, in line with the GDPR principles:

  1. Lawful, fair and transparent processing
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and accountability

Data subject rights

The GDPR introduced new rights and expanded previously existing ones. These apply to our users, customers and to all of us as individuals:

  • Right of access
  • Right to rectification
  • Right of erasure ('right to be forgotten')
  • Right to restrict processing
  • Right to data portability
  • Rights around automated decision making

Receiving and handling requests

  • Any form of written request is valid, as long as it is coming through an official company method of communication (i.e. LinkedIn, email, etc).
  • If you receive a request that might be classed as one of the above, message the Allied security officer and/or CEO.

Things to keep in mind:

  • Don't panic — we have 30 days to respond to these.
  • Engage as little as possible and don't make promises you're not sure we can keep.
  • More often than not, these requests will not follow a formalised structure or explicitly say that they are actioning a particular request. Common phrases to help you identify them are:
    • "How did you get my data?"
    • "How can I have a copy of my messages?"
    • "I want to delete my account, how can I be sure my data will be deleted?"
    • "What information are you collecting about me?"

Breach notification

In accordance with GDPR, any breach affecting personal data must be assessed and notified to affected parties whose details might have been compromised. If a breach refers to the data or system of a customer, we usually have 24 hours to report it to the customer. See POL-DIG-011 Incident Response Plan for the broader incident response process.

Policy statements

TBD — gap analysis to add: lawful basis for processing, DPIA process, records of processing activities (Article 30), international transfers, retention specifics (cross-link with POL-ENT-005), processor due diligence.