General Data Protection Regulation (GDPR) Policy

Last updated: 31/01/2022

1. POLICY STATEMENT

1.1 Exalt Training Ltd aims to ensure that all the personal data it holds about staff, learners, parents, visitors, Members and other individuals, is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and UK DPA 2018.
1.2 This Policy applies to all personal data, regardless of whether it is in paper or electronic format.

2. REASON FOR THE POLICY

2.1 Exalt Training Ltd is required to comply with the obligations and requirements set out in the GDPR and the Data Protection Act (DPA) 2018.
2.2 Exalt Training Ltd requires all staff to comply with this Policy. Non-compliance puts data subjects, whose personal data is being processed, at risk. It also carries the risk of the imposition of significant civil and criminal sanctions for the individual and Exalt Training Limited.

3. POLICY OBJECTIVES

3.1 This Policy is intended to ensure that personal information is dealt with appropriately and in accordance with the legislation.
3.2 It also establishes that any failure to comply with this Policy may lead to disciplinary action, which could result in dismissal for gross misconduct. If a non-employee breaches this Policy, they may have their contract terminated with immediate effect.

4. POLICY

4.1 Core Principles – The principles set out in the GDPR must be adhered to when processing personal data. The principles are as follows:

i. Personal Data shall be processed fairly and lawfully.

ii. Personal Data shall be obtained only for specified and lawful purposes and shall not be processed in a way that is incompatible with those purposes or in contradiction to the GDPR.

iii. Personal Data shall be adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed.

iv. Personal Data shall be accurate and kept up to date.

v. Personal Data shall be processed in accordance with the data subjects’ rights.

vi. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data.

vii. Personal Data shall not be transferred outside of the EU except in circumstances defined in the Act and with approval from the Exalt Training Ltd Data Protection Officer.

4.2 The Data Controller – Exalt Training Ltd processes personal data relating to learners, parents, staff, visitors and others, and therefore is a data controller. Exalt Training Ltd is registered with the ICO as a data controller and will renew this registration annually or as otherwise legally required.
4.3 Information Security – Exalt Training Ltd will use appropriate technical and organisational measures to keep personal information secure, to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage. All staff are responsible for keeping information secure in accordance with the legislation and must follow the IT Usage policy. Exalt Training Ltd will develop, implement and maintain safeguards appropriate to its size, scope and business, its available resources, the amount of personal data that it owns or maintains on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). This will include regularly evaluating and testing the effectiveness of those safeguards to ensure security of processing. Staff must guard against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. Staff must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure. Staff must follow all procedures and technologies put in place to maintain the security of all personal data from the point of collection to the point of destruction. Staff may only transfer personal data to third-party service providers who agree in writing to comply with the required policies and procedures and who agree to put adequate measures in place, as requested. Staff must maintain data security by protecting the confidentiality, integrity, and availability of the personal data, defined as follows:

i. Confidentiality means that only people who have a need to know and are authorised to use personal data can access it.

ii. Integrity means that personal data is accurate and suitable for the purpose for which it is processed.

iii. Availability means that authorised users can access personal data when they need it for authorised purposes.

Staff must comply with and not attempt to circumvent the administrative, physical and technical safeguards that Exalt Training Ltd has implemented and maintains in accordance with the GDPR and DPA18 regulations. Where Exalt Training uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information.

Contracts with external organisations must provide that:

i. the organisation may only act on Exalt Training Ltd.’s written instructions;

ii. those processing data are subject to the duty of confidence;

iii. appropriate measures are taken to ensure the security of processing;

iv. the organisation will assist Exalt Training Ltd in providing subject access and allowing individuals to exercise their rights in relation to data protection;

v. the organisation will delete or return all personal information to Exalt Training Ltd as requested at the end of the contract;

vi. the organisation will submit to audits and inspections, provide Exalt Training Ltd with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell Exalt Training Ltd immediately if it does something infringing data protection law.

Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval from Caroline Sharp and the CEO.

4.4 Collecting Personal Data – Lawfulness, Fairness and Transparency

We will only process personal data where we have one of six ‘lawful bases’ (legal reasons) to do so under data protection law:

i. The data needs to be processed so that Exalt Training Ltd can fulfil a contract with the individual, or the individual has asked Exalt Training Ltd to take specific steps before entering into a contract;

ii. The data needs to be processed so that Exalt Training Ltd can comply with a legal obligation;

iii. The data needs to be processed to ensure the vital interests of the individual, e.g. to protect someone’s life;

iv. The data needs to be processed so that Exalt Training Ltd, as a private limited company, can perform a task in the public interest, and carry out its official functions;

v. The data needs to be processed for the legitimate interests of Exalt Training Ltd or a third party (provided the individual’s rights and freedoms are not overridden);

vi. The individual (or their parent/carer when appropriate in the case of a learner under 18) has freely given clear consent;

vii. Where we offer online services to learners, such as classroom apps, and we intend to rely on consent as a basis for processing personal data, we will obtain parental consent where the learner is under 16.

Whenever we first collect personal data directly from individuals, we will provide them with the relevant information required by data protection law.

4.5 Limitation, Minimisation and Accuracy – We will only collect personal data for specified, explicit and legitimate reasons. It must not be further processed in any manner incompatible with those purposes. We will explain these reasons to the individuals when we first collect their data. If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Staff may only process data when their role requires it. Staff must not process personal data for any reason unrelated to their role. When staff no longer need the personal data they hold, they must ensure it is deleted or anonymised.

4.6 Sharing Personal Data – We will not normally share personal data with anyone else, but may do so where:

i. there is an issue with a learner or parent/carer that puts the safety of our staff at risk;

ii. we need to liaise with other agencies;

iii. our suppliers or contractors need data to enable us to provide services to our staff and students, for example IT companies.

To provide safeguards, we will:

iv. only appoint suppliers or contractors that can provide sufficient guarantees that they comply with data protection law;

v. establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share;

vi. only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us.

We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for example:

i. the prevention or detection of crime and/or fraud;

ii. the apprehension or prosecution of offenders;

iii. the assessment or collection of tax owed to HMRC;

iv. in connection with legal proceedings;

v. where the disclosure is required to satisfy our safeguarding obligations;

vi. research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided;

vii. we may also share personal data with emergency services and local authorities to help them to respond to an emergency that affects any of our learners or staff.
4.7 Subject Access Requests – Individuals have a right to make a ‘subject access request’ to gain access to personal information that Exalt Training Ltd holds about them. This includes:

i. confirmation that their personal data is being processed;

ii. access to a copy of the data;

iii. the categories of personal data concerned;

iv. who the data has been, or will be, shared with;

v. how long the data will be stored for, or if this is not possible, the criteria used to determine this period;

vi. the source of the data, if not the individual;

vii. whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.

Subject access requests must be submitted in writing, by either letter, email or fax, to Caroline Sharp. They should include:

i. name of individual;

ii. correspondence address;

iii. contact number and email address;

iv. details of the information requested.

If staff receive a subject access request, they must immediately forward it to Caroline Sharp.

When responding to requests, we:

i. may ask the individual to provide 2 forms of identification;

ii. may contact the individual via phone to confirm the request was made;

iii. will respond without delay and within 1 month of receipt of the request;

iv. will provide the information free of charge;

v. may tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month and explain why the extension is necessary.

We will not disclose information if it:

i. might cause serious harm to the physical or mental health of the learner or another individual.

A request will be deemed to be unfounded or excessive if it is repetitive or asks for further copies of the same information. When we refuse a request, we will inform the individual as to the reason for the refusal and that they have the right to complain to the ICO.
Other data protection rights of the individual – in addition to the right to make a subject access request, and to receive information when we are collecting their data about how we use and process it, individuals have the right to:

i. Withdraw their consent to the processing at any time.

ii. Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances).

iii. Prevent the use of their personal data for direct marketing.

iv. Challenge processing which has been justified on the basis of public interest.

v. Request a copy of agreements under which their personal data is transferred outside of the European Economic Area.

vi. Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement that might negatively affect them).

vii. Prevent processing that is likely to cause damage or distress.

viii. Be notified of a data breach in certain circumstances.

ix. Make a complaint to the ICO.

x. Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).

Individuals should submit any request to exercise these rights to Caroline Sharp. If staff receive such a request, they must immediately forward it to Caroline Sharp.

4.8 Photographs and Images – As part of Exalt Training Ltd activities, we may take photographs and record images of individuals within delivery. Unless prior consent has been obtained from learners/staff and parents/carers where required, Exalt Training Ltd will not utilise such images for publication or communication to external sources.
4.9 Data Protection by Design – We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

i. Appointing a suitably qualified data protection officer (DPO), Caroline Sharp, and ensuring they have the necessary resources to fulfil their duties and maintain their expert knowledge.

ii. Only processing personal data that is necessary for each specific purpose of processing, and always in line with the data protection principles set out in relevant data protection law.

iii. Completing privacy impact assessments where Exalt Training Ltd’s processing of personal data presents a considerable risk to the rights and freedoms of individuals and when new technologies are used.

iv. Integrating data protection into internal documents including this Policy, any related Policies, documents and privacy notices.

v. Regularly training members of staff on data protection law, this Policy, and any related Policies, documents and any other data protection matters; we will also keep a record of the training which has been delivered.

vi. Regularly conducting reviews and audits to test our privacy measures and make sure we are compliant.

vii. Maintaining records of our processing activities, including:

a. For the benefit of data subjects, making available the name and contact details of Exalt Training Ltd and DPO, Caroline Sharp, and all information we are required to share about how we use and process their personal data (via our privacy notices).

b. For all personal data that we hold, maintaining an internal record of the type of data, data subject, how and why we are using the data, any third-party recipients, how and why we are storing the data, retention periods and how we are keeping the data secure.
4.10 Data Security and Storage of Records – We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage.

i. Personal data should not be retained for any longer than is necessary. The length of time data should be retained will depend on a number of circumstances, including the reasons why personal data was obtained.

ii. Paper-based records and portable electronic devices, such as laptops and hard drives, that contain personal data are kept securely when not in use. Papers containing confidential personal data must not be left on office and classroom desks, on staffroom tables, pinned to notice/display boards, or left anywhere else where there is general access.

iii. Passwords are used to access Exalt Training Ltd computers, laptops and other electronic devices. Staff and learners are reminded to change their passwords at regular intervals.

iv. Access to USB storage is not allowed unless appropriate encryption software is approved and used to protect the device and its content.

v. Where we need to share personal data with a third party, we will carry out due diligence and take reasonable steps to ensure it is stored securely and adequately protected.

a. Disposal of Records – Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it. We will shred paper-based records and overwrite or delete electronic files. We may also use a third party to safely dispose of records on Exalt Training Ltd.’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
4.11 Personal Data Breaches – Exalt Training Ltd will make all reasonable endeavours to ensure that there are no personal data breaches. In the unlikely event of a suspected data breach, we will follow the procedure set out in Appendix 1. When appropriate, we will report the data breach to the ICO within 72 hours. Staff must ensure they inform their line manager and Caroline Sharp, DPO immediately on discovering a data breach and make all reasonable efforts to recover the data.
4.12 Training – All staff are provided with data protection training as part of their induction process. Data protection will form part of continuing professional development, where changes to legislation, guidance or Exalt Training Ltd.’s processes make it necessary.

4.13 Monitoring and Review – Caroline Sharp, DPO is responsible, with support from HR, for monitoring and reviewing this Policy. This Policy will be reviewed, as a minimum, every three years and updated, as applicable, to ensure that it remains fit for purpose in the light of any relevant changes to the law, organisational policies or contractual obligations.

5. DEFINITIONS

5.3 Processing – anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying. Processing can be automated or manual.

6. RELATED POLICIES

6.1 Safeguarding Policy

6.2 IT Security Policy

7. WHO WILL NEED TO KNOW ABOUT THIS POLICY

7.1 All staff

7.2 All Managers 

7.3 All Learners

8. RESPONSIBILITY

8.1 Data Protection Officer (DPO): Is responsible for overseeing the implementation of this Policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.
8.2 Chief Executive Officer: acts as the representative of the data controller on a day-to-day basis.
8.3 All Staff are responsible for:

i. Collecting, storing and processing any personal data in accordance with this Policy.

ii. Informing Exalt Training Ltd of any changes to their personal data, such as a change of address.

iii. Contacting the DPO, Caroline Sharp, in the following circumstances:

a. With any questions about the operation of this Policy, data protection law, retaining personal data or keeping personal data secure.

b. If they have any concerns that this Policy is not being followed.

c. If they are unsure whether they have a lawful basis to use personal data in a particular way.

d. If they need to rely on or capture consent, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area.

e. If there has been a data breach.

f. Whenever they are engaging in a new activity that may affect the privacy rights of individuals.

g. If they need help with any contracts or sharing personal data with third parties.