Data Protection Policy

1.    Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law for Europe as well as any organisations doing business in or with Europe that goes in to effect on 25th May 2018.

This is to ensure that there is transparency relating to what personal data is held and how it is obtained, processed and held by organisations.


Everyone who uses data at work must ensure that it is handled and processed in conjunction with the Company’s Privacy Policy, the Data Retention Policy and the Data Protection Policy and they are responsible for reading and understanding the data principles set out in all 3 policies.

However, the Company’s Data Protection Officer alongside the Chief Executive Officer has ultimate responsibility for ensuring that the Elahi Fusion Consulting Group uses data in accordance with these policies.


Anyone who processes personal information must comply with the eight principles:

Information must be:

  1. Permission is obtained to use and hold personal data
  2. Fairly and lawfully processed
  3. Processed for specified purposes
  4. Adequate, relevant and not excessive
  5. Accurate and up-to-date
  6. Not kept for longer than is necessary
  7. Processed in line with individuals’ rights
  8. Secure
  9. Not transferred outside the European Economic Area without adequate protection.

GDPR provides individuals with important rights, including the right to find out what personal information is held about them.

4.    Personal Data

GDPR regulates the use of ‘’personal data’’ and “sensitive data”.

The definition of personal data means:

  • Email addresses
  • First/Last names
  • Mailing addresses
  • Financial information
  • Photos/videos
  • Online identifiers (IP addresses/cookie strings/etc)

The definition of sensitive data (but not limited to) means:

  • health data
  • sexual orientation
  • religious/philosophical beliefs
  • political views
  • genetic data


  • Processing personal data fairly and lawfully
  • Processing personal data for specified purposes
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under the GDPR Regulations.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


This right, commonly referred to as subject access, is set out in Clause 13 of the Company’s Privacy Policy. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:

  • Told whether any personal data is being processed;
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • Given a copy of the information comprising the data; and
  • Given details of the source of the data (where this is available).

An individual can also request information about the reasoning behind any automated decisions, such as a computer generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).

In most cases you must respond to a subject access request promptly and in any event within 1 month of of receiving it. This can be extended up to 2 months if agreed with the individual requesting it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request.

The right to object to processing likely to cause damage or distress

An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.


The right to prevent direct marketing

Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.

Right relating to automated decision making

The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. GDPR compliments this provision by including rights that relate to automated decision taking. Consequently:

  • An individual can give written notice requiring you not to take any automated decisions using their personal data;
  • Even if they have not given notice, an individual should be informed when such a decision has been taken; and
  • An individual can ask you to reconsider a decision taken by automated means.

Rights relating to inaccurate personal data

GDPR requires personal data to be accurate. Where it is inaccurate, the individual concerned has a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information. In addition, where an individual has suffered damage in circumstances that would result in compensation being awarded and there is a substantial risk of another breach, then the court may make a similar order in respect of the personal data in question.

The right to compensation

Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered. The individual is entitled to bring a compensation claim in the courts.

Please be aware that claims can now be brought against the Data Controller as well as the Data Processor. This is a change under GDPR as previously claims could only be brought against the Data Controller.

Data controllers are defined as the individuals or department in the business that decide what personal data is collected and why.

Data processors are defined as those who maintain and process the data according to the instructions of the data controller.


To ensure we are compliant with the GDPR Regulations, we need to follow the procedures set out below.

  • Emails, Documentation and Contacts

All business contacts and documentation that contains personal data or sensitive data within business emails needs to be added to Infusionsoft and/or OneDrive and then the email needs to be deleted.

Where sensitive data is saved onto the OneDrive this must be saved under encryption.

  • Passwords

All Devices MUST be password protected and updated every 3 months.

  • Documentation

No documents are to saved to your desktop and OneDrive is to be used to save all business documents. If you need a generic area to save work to, that is not specific to a company or project, then please create a folder in your name to save such documents to. This will also avoid any confusion.

  • Personal Information

All personal information is saved to the OneDrive or any device provided by the company needs to be removed as do any personal contacts that have been inadvertently saved to Infusionsoft.

  • Mobile Phones

This is a slightly grey area but if you use your mobile phone for both work and personal then the contacts need to be saved to the correct entity – as can be done on all smart phones. There also needs to be a password on your phone protecting your emails and anti-virus software. We can check this with you.

  • Contact Referral

If you are referred to a business contact, if you choose to email the proposed contact, please can I ask that you begin the email explaining who you got their details from and if they are happy to proceed.

  • Credit Checks

No credit checks are to be carried out on any business or individual without their express consent.

If consent is not given, we cannot carry out credit checks.