Purpose and Scope
This policy ensures Nexim ICT Ltd complies with UK GDPR and the Data Protection Act 2018. It applies to all employees, contractors, and third-party processors handling personal data.
Definitions
Personal Data: Any information relating to an identified or identifiable individual.
Data Controller: Entity determining the purposes and means of processing.
Data Processor: Entity processing data on behalf of the controller.
Lawful Basis for Processing
Processing will only occur under lawful bases such as contract, consent, legal obligation, or legitimate interest.
GDPR Principles
We adhere to principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability.
Roles and Responsibilities
The DPO, Phil Durham (dpo@neximict.com), oversees compliance. All staff must follow this policy and report any data breaches immediately.
Data Subject Rights
Individuals have rights to access, rectification, erasure, restriction, portability, and objection. Requests must be handled within statutory timeframes.
Data Security Measures
Technical measures: encryption, firewalls, access controls. Organisational measures: staff training, secure disposal of data, regular audits.
Retention and Deletion
Personal data will be retained only as long as necessary for its purpose, following our retention schedule.
Third-Party Processing & Transfers
All third-party processors must sign data processing agreements. Cross-border transfers will comply with adequacy decisions or appropriate safeguards.
Data Breach Response
Breaches must be reported to the DPO immediately. The ICO will be notified within 72 hours where required.
Review and Updates
This policy will be reviewed annually or after significant changes in legislation or business operations.