Data Protection and Information Security Policy
Last Updated: June 2024
1. Introduction
A E Vaughan ("we," "our," or "us") is committed to protecting the privacy and security of personal data and ensuring the confidentiality, integrity, and availability of all information we handle. This Data Protection and Information Security Policy outlines our principles and procedures for managing personal data and securing information in compliance with the UK General Data Protection Regulation (UK GDPR) and other relevant data protection laws.
2. Scope
This policy applies to all employees, contractors, and third parties working on behalf of A E Vaughan. It covers all personal data and information assets processed and handled by the company, including those of customers, employees, suppliers, and other individuals.
3. Data Protection Principles
We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
4. Information Security Principles
We are committed to maintaining robust information security practices, including:
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and of the methods used to process it.
- Availability: Ensuring that authorised users have access to information and associated assets when required.
5. Legal Basis for Processing
We ensure that personal data is processed only when there is a lawful basis for doing so. The lawful bases include:
- Consent: The data subject has given clear consent for the processing of their personal data for a specific purpose.
- Contractual Necessity: The processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
- Legal Obligation: The processing is necessary to comply with a legal obligation.
- Legitimate Interests: The processing is necessary for the legitimate interests of the company or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.
6. Data Subject Rights
Data subjects have the following rights regarding their personal data:
- Right to Access: The right to request access to their personal data.
- Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: The right to request deletion of their personal data, subject to certain conditions.
- Right to Restriction of Processing: The right to request restriction of processing of their personal data.
- Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and to transfer it to another data controller.
- Right to Object: The right to object to the processing of their personal data for specific purposes.
- Right to Withdraw Consent: The right to withdraw consent at any time where processing is based on consent.
7. Data Security Measures
We implement appropriate technical and organisational measures to ensure the security of personal data and information assets, including:
- Access Controls: Restricting access to personal data and information systems to authorised personnel only, on a need-to-know basis.
- Encryption: Using encryption to protect personal data and sensitive information both in transit and at rest.
- Network Security: Implementing firewalls, intrusion detection systems, and other network security measures to protect information systems from unauthorised access and cyber attacks.
- Regular Audits and Assessments: Conducting regular security audits and risk assessments to identify and address vulnerabilities.
- Training and Awareness: Providing regular data protection and information security training to employees and contractors.
8. Data Breach Response
In the event of a data breach or security incident, we will:
- Contain the Breach: Take immediate steps to contain the breach and mitigate any potential harm.
- Assess the Risk: Assess the risk to individuals and information assets as a result of the breach.
- Notify Authorities: Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Every breach is recorded internally, including those not notified to the ICO.
- Inform Data Subjects: Inform affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Review Procedures: Review and update data protection and information security procedures to prevent future incidents.
9. Data Retention
We retain personal data and information only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or internal policy requirements. Once data is no longer needed, we securely delete or anonymise it.
10. International Data Transfers
If personal data is transferred to countries outside the UK, we ensure that appropriate safeguards are in place to protect the data in accordance with this policy and applicable data protection laws.
11. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing this data protection and information security policy and ensuring compliance with data protection laws. The DPO can be contacted at:
Oliver Gillman
A E Vaughan
Unit 2 Lyndon Yard
Riverside Road
SW17 0BZ
Email: admin@olivergarratt.com
Phone: 0208 944 0103
12. Policy Review
This policy will be reviewed regularly and updated as necessary to reflect changes in our practices or legal requirements. We will notify employees and other relevant parties of any significant changes to this policy.
13. Contact Information
For questions or concerns about this data protection and information security policy or our data protection practices, please contact:
A E Vaughan
Unit 2 Lyndon Yard
Riverside Road
SW17 0BZ
Email: management@vaughanmemorials.com
Phone: 0208 767 6522
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).