We are committed to protecting personal information that we process and to maintaining a compliant and consistent approach to data protection across our organisation. This statement summarises our GDPR preparation, roles, policies, procedures and controls.
1. Commitment & Scope
We maintain a robust data protection programme aligned to GDPR and the UK’s Data Protection Act. Our objective is to operate an effective regime that safeguards personal information we process.
2. Preparation for GDPR Compliance
We updated and expanded policies, procedures, controls and roles to ensure ongoing compliance.
3. Information Audit
We conducted a company-wide audit to identify personal data held, its sources, purposes, processing activities and disclosures.
4. Policies & Procedures
We revised data protection policies and operating procedures to meet GDPR standards and relevant data protection laws.
We do not store or transfer personal information outside the EU; for UK-based organisations we apply strict safeguards, encryption, and integrity controls. We perform due diligence on all recipients of personal data and ensure enforceable data subject rights.
5. Subject Access Requests (SAR)
Employees and data subjects can request access to information held about them (e.g., personnel files, records, emails where they are the focus).
We honour the 30-day timeframe to provide requested information, subject to lawful extensions.
6. Privacy Notice / Policy
Our Privacy Notice explains why we need personal data, how we use it, individual rights, disclosures and safeguards.
It is aligned to our ongoing commitment and updated as needed.
7. Accuracy & Retention
Individuals should notify us of inaccurate or outdated information so we can correct it promptly.
We do not retain data longer than necessary for the purposes for which it was collected.
8. Employee Obligations & Security
Employees handling personal data must keep it accurate, necessary, and secure; use password-protected and encrypted tools; lock files; and ensure proper destruction (e.g., shredding hard copies).
No personal data may be taken off-site without prior consent of directors; off-site use demands heightened care (no unattended devices, prevent shoulder surfing, etc.).
- Restrict access on a ‘need-to-know’ basis.
- Use encryption for transmitting personal/special category data.
- Ensure permanent removal from servers/mailboxes when disposing.
9. Consequences of Non-Compliance & Incident Reporting
Failure to observe data protection principles may lead to disciplinary action up to dismissal and potential personal criminal liability.
Any incident of actual or potential loss of personal data must be reported to the directors immediately.
10. Contact
Report incidents or send GDPR enquiries to the Directors:
Virtuous Improvement Technologies Ltd
Harvest Hill House, Harvest Hill Lane, Allesley, Coventry, CV5 9DD, UK
Email: hello@vi-tech.io · Contact form