GDPR outlines six principles which underpin the handling of personal data. To ensure compliance with the Regulation, Uns Ai Ltd must ensure that personal data is:

(a) Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency).

In practice this means:

• Having a legitimate ground for collecting and using personal data.
• Not using personal data in a way that would have an adverse effect on the
  individual concerned.
• Being transparent about how you intend to use personal data and provide
  privacy notices where appropriate.
• Handling personal data in a way that the individual would reasonably expect.
• Ensuring that you do nothing unlawful with personal data.

(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).

In practice this means:

• Being clear about why you are collecting personal data and what you will do with it.
• Providing privacy notices when collecting personal data.
• Ensuring that any additional processing of personal data is fair.

(c) Adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed (data minimisation).

In practice this means:

• Only processing the personal data that is necessary.

(d) Accurate and, where necessary, kept up to date (accurate).

In practice this means:

• Taking reasonable steps to ensure the accuracy of any personal data held.
• Ensuring that the source of the personal data is clear.
• Carefully consider any challenges to the accuracy of personal data.
• Considering whether it is necessary to update the information.

(e) Not kept for longer than is necessary for the purpose (storage limitation).

In practice this means:

• Reviewing the length of time you keep personal data for.
• Considering the purpose you hold the personal data for in deciding whether,
  and how long, you retain it.
• Securely deleting information that is no longer needed.

Processed in a manner that ensures the security of data using appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction (integrity and confidentiality).

In practice this means:

• Designing and organising security to fit the nature of the personal data held and the harm that may result from the breach.
• Ensuring that the right physical and security measures are in place, backed by robust policies and procedures and reliable, well-trained employees.
• Reporting security breaches promptly so that they can be reported to the Information Commissioner’s Office within the required 72 hours timescale.

In addition, the first principle requires that one or more grounds for processing must be satisfied for the processing to take place. Many of these relate to the purpose for which you intend to use the data and the nature of the personal information.

Us Ai Ltd, as the data controller, is responsible for and able to demonstrate compliance with these principles.

• P.Trainor will have access to personal data only where it is required as part of their functional remit.
• All data subjects (including employees, research participants and others who interact with P.Trainor) are entitled to make a Subject Access Request to ask P.Trainor whether it holds any personal data relating to them and, if so, to be given a description of and a copy of that personal data. Exemptions may apply in certain circumstances.
• Subject Access Requests are coordinated by our management board.

Personal data will not be transferred outside the European Economic Area unless that country or territory can ensure an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of their personal data.

Personal data in any format will not be shared with a third party organisation without a valid business reason, a contract or Data Sharing Agreement in place, or without the data subject’s consent.

P.Trainor is committed to meeting the GDPR requirement to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.

Data Protection Impact Assessments (DPIA) are a key mechanism for meeting this requirement and will be carried out for all new system and ensure that privacy risks are considered at an early stage. They allow an organisation to demonstrate to data subjects and regulators that the personal data will be handled in a responsible way and that the organisation is compliant with the GDPR.

P.Trainor has overall responsibility for compliance as a data controller and data processor with the Regulation.

All employees are responsible for ensuring that they meet the requirements of the Regulation. They will all familiarise themselves with this policy and related documents.

Our policy benefits everyone by:

• Promoting transparency and accountability, and fostering a data protection culture across the organisation.
• Ensuring compliance with the Regulation.
• Ensuring employee confidence and compliance in their processing of personal data, being fully informed and aware of their responsibilities and obligations.
• Reducing the risk of financial penalties (up to €20m) and reputational damage from non-compliance.
• Providing confidence to the Us Ai community that their personal data is being well managed and ensuring data subjects know how they can access it.

Compliance

Breaches of this policy will be investigated and appropriate actions are taken.

Review

This policy will be reviewed annually or as business reasons dictate.

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• Privacy and Electronic Communications (ED Directive) regulations 2003
• Human Rights Act 2004
• Computer Misuse Act 1990
• Crime and Disorder Act 1998
• Disability Discrimination Act 1995