GDPR Policy

Document Governance & Control

Document Title: Data Protection (GDPR) Policy
Organisation: Orizon Group Ltd (Company No. 17060906)
ICO Registration Number: ZC115994
Document Owner: Abid Rudro, Chief Executive Officer
Approved By: Board of Directors
Classification: Internal – Confidential
Governing Legislation: UK GDPR; DPA 2018; PECR 2003; Human Rights Act 1998
Effective Date: April 2026
Next Review Date: April 2027
Current Version: 1.0

Revision History

Version | Date | Author | Summary of Changes
1.0 | April 2026 | Abid Rudro, CEO | Initial release; framework implementation

Policy Statement

Orizon Group Ltd is committed to protecting the rights and freedoms of all individuals whose personal data we process. This Policy establishes our framework for full compliance with the UK GDPR, the Data Protection Act 2018 (DPA 2018), and PECR.

It applies to all directors, staff, workers, contractors, and any third party processing personal data on our behalf, across all formats (electronic, physical, verbal, visual) and all operational locations (office, client sites, remote).

1. Scope and Related Documents

This is Orizon's master internal data protection governance document. It sits alongside, and links to, the following related documents:

  • External User Privacy Policy (incl. APD)
  • Cookies Policy & Website Disclaimer
  • Candidate Privacy Disclosure
  • Modern Slavery Statement
  • Tax Compliance Disclosure
  • Record of Processing Activities (ROPA)
  • Legitimate Interest Assessments (LIAs)
  • Data Breach Response Plan
  • Data Retention Schedule

2. The Seven Data Protection Principles

All processing must comply with Article 5 of the UK GDPR. Breach of these core principles can attract ICO fines of up to £17.5 million or 4% of annual global turnover.

Lawfulness, Fairness, and Transparency (Art. 5(1)(a)): Identify a valid lawful basis under Article 6 before processing. For special category data, also identify an additional condition under Article 9. Inform data subjects fully through our published privacy notices; never process in secret or in bad faith.
Purpose Limitation (Art. 5(1)(b)): Collect data only for specified, explicit purposes. Do not repurpose data without establishing a fresh lawful basis and giving the individual fresh notice.
Data Minimisation (Art. 5(1)(c)): Collect only the minimum data necessary for the stated purpose. Never gather or store personal data “just in case.”
Accuracy (Art. 5(1)(d)): Keep data accurate and up to date. Rectify inaccuracies without delay, and encourage workers and candidates to report changes to their details promptly.
Storage Limitation (Art. 5(1)(e)): Retain data only as long as necessary or legally required. Securely delete, destroy, or permanently anonymise data when its retention period expires.
Integrity and Confidentiality (Art. 5(1)(f)): Protect data against unauthorised access, loss, alteration, or accidental damage through rigorous technical and organisational controls.
Accountability (Art. 5(2)): Be able to demonstrate compliance across the organisation using the ROPA, DPIAs, LIAs, training logs, and breach records.

NEVER process personal data without confirming the lawful basis first. If unsure, stop and consult the Data Protection Lead.

3. Lawful Bases for Processing

Lawful Basis | UK GDPR Article | Orizon Application
Consent | Article 6(1)(a) | Marketing communications, non-essential website cookies, voluntary equal opportunities monitoring, extended candidate retention.
Contract | Article 6(1)(b) | Candidate suitability assessments, onboarding documentation, placement schedules, payroll tracking, trial-to-contract tracking.
Legal Obligation | Article 6(1)(c) | Right-to-work verification, DBS check screenings, HMRC Real Time Information (RTI), WTR tracking, Agency Workers Regulations tracking, Conduct Regulations compliance, Health & Safety, statutory payouts.
Vital Interests | Article 6(1)(d) | Life-threatening medical emergency response only (used strictly as a last resort).
Legitimate Interests | Article 6(1)(f) | Commercial business development, general client CRM management, CCTV operation, fraud prevention, exercising or defending legal claims.

3.1 Consent Requirements

Consent must be freely given, specific, informed, unambiguous, unbundled, granular, and explicitly documented. Pre-ticked checkboxes or terms bundled into standard contracts are invalid. Consent must be as easy to withdraw as it was to grant.

In employment contexts, consent is rarely appropriate for mandatory processing because of the inherent power imbalance between employer and worker.

3.2 Legitimate Interests: Three-Part Test

Every processing activity relying on legitimate interests requires a documented, step-by-step assessment covering:

  1. Purpose Test: Is the interest pursued lawful, real, and current?
  2. Necessity Test: Is the processing necessary, or is a less intrusive alternative viable?
  3. Balancing Test: Do the individual's interests, fundamental rights, or freedoms override Orizon's interest?

3.3 Special Category Data Controls

Data Type | Article 9/10 Condition | DPA 2018 Statutory Reference
Right to work tracking | Employment / Social Protection purposes | Schedule 1, Part 1, Paragraph 1
DBS / Criminal Records | Employment; Preventing unlawful acts | Schedule 1, Part 1, Para 1; Part 2, Para 10
Health & Disability adjustments | Employment; Health and safety tracking | Schedule 1, Part 1, Paragraph 1
Equal opportunities metrics | Explicit consent; Equality monitoring checks | Article 9(2)(a); Schedule 1, Part 2, Para 8

4. Roles and Responsibilities

4.1 Board of Directors

Holds ultimate corporate accountability for data protection. Approves this policy, ensures adequate resources are allocated, and receives annual compliance audit reports.

4.2 Data Protection Lead

Abid Rudro, CEO, holds day-to-day oversight and enforcement responsibility.

Handles SAR handling, breach triage, ICO communications, ROPA updates, DPIA approvals, and training delivery. Contact: privacy@orizongroup.co.uk | 07884889196

4.3 Mandated Responsibilities for All Staff & Workers

All personnel processing personal data must comply with the following requirements without exception:

  • Only access the data necessary for your defined business role (strictly no browsing or curiosity access).
  • Report any actual, suspected, or near-miss security breach to the Data Protection Lead within 4 hours.
  • Lock device screens immediately when leaving your workstation; follow the clear desk policy.
  • Never share personal data with unauthorised parties or send it via unapproved personal channels or devices.

5. Data Subject Rights & SAR Procedure

All individual rights requests received by any team member must be escalated to the Data Protection Lead immediately.

Individual Right | UK GDPR Article | Statutory Resolution Timeframe
Right of Access (SAR) | Article 15 | 1 Month (extendable by up to 2 months for complex requests)
Right to Rectification | Article 16 | 1 Month
Right to Erasure | Article 17 | 1 Month
Right to Restriction | Article 18 | 1 Month
Right to Data Portability | Article 20 | 1 Month
Right to Object | Article 21 | 1 Month (Direct marketing objections: actioned immediately)
Automated Decision Controls | Article 22 | 1 Month
Withdrawal of Consent | Article 7(3) | Processed without undue delay

Subject Access Request (SAR) Standard Operating Procedure

  1. Log incoming requests in the SAR Tracker on the day of receipt; the statutory clock starts immediately.
  2. Issue a formal acknowledgment within 2 working days.
  3. Verify identity proportionately, without constructing artificial administrative barriers.
  4. Search all relevant systems: core databases, corporate email, cloud storage, physical files, CCTV footage, and data held by processors.
  5. Collate the documentation. Redact information identifying third parties and review for applicable statutory exemptions (e.g., legal privilege).
  6. Respond transparently within one calendar month, providing clean copies alongside the purposes of processing and retention periods. Document all search parameters for future ICO inspection.

6. Privacy by Design and DPIAs

Privacy by Design and Default (Article 25): Data protection must be built into every new technology deployment, service project, or data vendor relationship from the outset. Default settings must restrict processing to the minimum necessary.

When a DPIA is Mandated (Article 35)

A detailed Data Protection Impact Assessment must be completed before beginning any of the following:

  • Large-scale processing of special category data (e.g., occupational health history, criminal records data).
  • Systematic monitoring (e.g., CCTV operations, workforce tracking, GPS logs).
  • Deployments of new or emerging technologies that introduce novel risks.
  • Processing focused on vulnerable groups (migrant workforces, young workers under 18).

If a completed DPIA identifies high residual risks that cannot be effectively mitigated, Orizon must consult the ICO before initiating the project.

7. Data Security (Article 32)

7.1 Technical Protections

  • Encryption: TLS 1.2+ for data in transit and AES-256 encryption at rest. Full-disk encryption is mandatory on all portable devices.
  • Authentication Controls: Multi-Factor Authentication (MFA) is strictly enforced on all platforms holding personal data. Passwords must be 12+ characters and rotated every 90 days.
  • Access Management: Role-Based Access Control (RBAC) following the principle of least privilege. Access rights are audited quarterly and revoked immediately on change of role or termination.
  • Vulnerability Management: Monthly infrastructure scans paired with annual penetration testing. Critical security patches must be fully applied within 14 days of release.

7.2 Organisational Controls

  • Workstation Rules: Clear Screen and Clear Desk policy enforcement. Device screens must be locked when moving away; physical records must be locked in secure cabinets.
  • Secure Destruction: Paper records must be destroyed by certified shredding meeting DIN 66399 P-4 or higher. Hard drives must be sanitised to NCSC standards; destruction certificates must be retained for 2 years.

7.3 Remote Work Requirements

Processing personal data in public areas where screens can be overlooked is strictly prohibited. Only Orizon-approved, encrypted devices may connect to company systems, and only via the secure corporate VPN. No personal data may be stored on unencrypted personal hardware. Any lost or stolen device must be formally reported within 1 hour.

8. Data Breach Management

ALL BREACHES MUST BE ESCALATED TO THE DATA PROTECTION LEAD WITHIN 4 HOURS.

Examples include emails sent to incorrect addresses, using CC instead of BCC for mass candidate updates, losing unencrypted documents, phishing incidents, or unauthorised verbal disclosures.

Incident Response Routine

  1. Contain: Stop the breach immediately, isolate affected systems, and preserve log files.
  2. Assess & Record: Log the incident in the master Breach Register, recording its scale and risk level.
  3. Report: Notify the ICO within 72 hours if the breach presents a risk to individuals.

If the assessment identifies a high risk to individuals, Orizon must also notify the affected data subjects directly, in clear, plain language, outlining the steps they can take to minimise harm.

9 & 10. Data Processors and International Transfers

9.1 Due Diligence: Before engaging any third-party data processor, Orizon must verify its security controls and check for ISO 27001 or Cyber Essentials certification.

9.2 Article 28 DPAs: A written Data Processing Agreement (DPA) must govern every processor relationship. It must explicitly restrict sub-processing, require written confirmation of data destruction, and grant Orizon full inspection and audit rights.

10. International Transfers: Personal data must never leave the United Kingdom without verified safeguards. This requires either a UK adequacy decision, an active International Data Transfer Agreement (IDTA), or an executed UK Addendum alongside EU Standard Contractual Clauses. A Transfer Risk Assessment (TRA) must be documented for each cross-border processing arrangement.

11 & 12. Records, Retention, and Disposal

11. ROPA Maintenance (Article 30): Orizon maintains an internal Record of Processing Activities recording data categories, purposes, transfers, and retention periods. The ROPA must be updated quarterly.

12. Operational Disposal Framework: Once the retention period expires, records must be completely deleted or anonymised within 30 days. Electronic records must be permanently erased from all backup platforms, and decommissioned computing equipment must be sanitised to NCSC standards.

13. Training and Awareness Path

Tier 1 — Induction Training

Must be fully completed by all new hires before they handle any company or candidate data.

Tier 2 — Annual Refresher Course

Mandatory for all staff. Covers recent legislative changes, ICO enforcement trends, and operational case studies.

Tier 3 — Role-Specific Training

Deep dives for recruitment staff (RTW/DBS processes), payroll staff (financial data controls), and IT teams (breach mitigation).

14, 15 & 16. CCTV, Marketing, and Complaints

14. CCTV Operations: Operated under the legitimate interests basis for security and crime prevention. Footage is automatically overwritten after 30 days.

15. Direct Marketing: Digital campaigns require explicit prior consent unless the PECR soft opt-in exemption applies. Opt-out requests must be applied to suppression lists within 28 days. No purchased data may be used without verified records of consent.

16. Complaints: Complaints sent to privacy@orizongroup.co.uk must receive an acknowledgment within 5 working days, with a substantive response completed within 28 days. Data subjects retain the right to escalate complaints to the ICO at any time.

17 & 18. Enforcement Matrix & Penalties

Violation Severity | Examples | Internal Consequences
Minor / Unintentional | Forgetting to lock an active screen; basic administrative document misfiling. | Verbal reminder coupled with immediate targeted training.
Moderate / Negligent | Sending records to the wrong external party; failing to report a breach within 4 hours. | Formal written warning, mandatory retraining, and a review of access permissions.
Serious / Reckless | Deliberate unauthorised access attempts, or sharing candidate profiles without a valid lawful basis. | Final written warning or immediate suspension pending formal board investigation.
Gross Misconduct | Data theft, selling internal company records, or deliberate concealment of an active breach. | Summary dismissal accompanied by direct referral to law enforcement.

Criminal Liability Notice (s.170 DPA 2018): Knowingly or recklessly obtaining, disclosing, or retaining personal data without the consent of the data controller is a criminal offence subject to an unlimited fine.

Acknowledgement and Sign-Off

This master internal Policy has been formally reviewed, verified, and approved by the Board of Directors of Orizon Group Ltd.

Signed: Abid Hasan Rudro

Name: Abid Rudro

Title: Chief Executive Officer

Date of Execution: April 2026