GDPR and Cookies

Introduction

The European Union has taken a huge step towards protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which became effective on May 25, 2018. In the UK, this is implemented as the Data Protection Act (2018), which will still apply and keep in step with GDPR even after ‘Brexit’.

It means that EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data.

Impact Food Group is aware of its role in providing the right tools and processes to support its users and customers in meeting their GDPR obligations.

Impact Food Group's Commitment

At Impact Food Group we have always honoured our users' right to data privacy and protection. We have never used personal details for marketing purposes and do not provide this information to anyone else for any purpose. We also recognise that our suppliers and contractors are a key part of our ability to provide our services and we put the same effort into protecting them as we do our customers and staff.

We have no necessity to collect and process any individual’s personal information beyond what is required for the functioning of our products or the provision of our services.

Over the years, we have demonstrated our commitment to data privacy and protection by ensuring the technology and tools supporting our services have been implemented to the best data privacy and security standards, but we recognise that the GDPR will help us move towards the highest standards of operations in protecting customer data.

How has Impact Food Group prepared for GDPR?

With responsibility for the safety and security of several hundred children, young people and their parents who are our customers and service users, we know that we cannot simply ignore or ‘tick the boxes’ for GDPR compliance.

As a data controller, Impact Food Group understands that it is responsible for ensuring all its staff, suppliers and service providers understand and actively embrace the ideas and intentions, principles and rights of GDPR, and not just in a way which ticks boxes, but in a way which changes how we manage individuals’ information and then drives the business forwards.

As a data processor on behalf of our partners and customers, we understand our obligation to help them to prepare for their own GDPR compliance.

This is not something which can be completed overnight, nor does it end when we can say ‘we are compliant’. This is why we have embarked on an ongoing journey to become compliant and maintain our compliance as the laws and risks change and evolve.

We have thoroughly analysed GDPR requirements and have put in place a dedicated internal team to drive our organisation to meet them. Some of our ongoing initiatives are:

Identifying personal data – We have reviewed each of our business systems and processes to identify the different types of personal data we collect, use, store and dispose of. This has helped us to determine the roadmap we must follow.

Providing visibility and transparency – One of the most important aspects of GDPR is about communicating how the collected data is used. As both a data controller and data processor, Impact Food Group’s key role is to provide clarity over what we collect, how we use it and why, and we are pleased to say this is now available to everyone in our privacy policy.

Enhancing data integrity and security – Data privacy and data security are both intimately related to and dependent upon each other. Analysis of our existing systems and processes indicated a number of areas where our already individual-focused security measures and processes could be further improved, and we are working towards this, both internally and with our suppliers, and are reinforcing this with independent testing.

Children’s information – Being a supplier of services into an educational environment which interacts directly with children is both an incredible privilege and an incredible challenge. To provide our services, we need some means of being able to identify individual children to ensure they are provided with what they are entitled to, so in every case we work with the schools to ensure secure and robust integration with their own systems, security measures and controls and that any child specific information which we maintain is kept to an absolute minimum. Access to this information is strictly controlled and monitored, and as a result of our GDPR project, this has been reviewed and will be further improved through a series of additional contracts, processes, measures and controls which will ensure we provide end-to-end security across our systems.

Breach handling process – We know that no-one wants to have to own up to a mistake, but we take our obligations under GDPR seriously, especially where breaches are concerned. We have now created a Breach Handling process which enables us to manage things in the correct manner when they go wrong.

Subject access requests – Following our earlier work, we have now created a set of processes which enable us to handle any individual’s choice to exercise their rights under GDPR (known as ‘Subject Access Requests’). The details of how to start the process are now clearly stated in our privacy policy.

Data retention – We now have a clear definition of what information we have, what we use it for and how long we need it for, and a process for destroying it when it is either no longer correct or no longer required.

Data Protection Officer – Owing to the size of our business and the nature of the information we process and control, we now have a dedicated Data Protection Officer in Bryan Lygate. Bryan has been working with an external consultancy to help formulate our data privacy objectives and GDPR compliance plan and is working with senior management in our company to ensure we do the right things for compliance.

What does this mean for you?

We understand that meeting the GDPR requirements will take a lot of time and effort, both for us and for you. But we want this to be as painless as possible.

In all cases, you can expect us to provide you with:

• updated contractual agreements detailing what you can expect from us and equally what we expect from you.

• details of what external organisations we use to process your information and how they themselves meet the GDPR obligations.

• communication from us regarding our work on our GDPR compliance journey.

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. Your interaction with this website is collected using cookies by Google as part of Google Analytics and is protected under their standard privacy policy here.

For further information visit www.aboutcookies.org or www.allaboutcookies.org

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.