
GDPR Policy


Policy Statement

HeliCo is committed to protecting the privacy and personal data of our clients, employees, contractors, and stakeholders. This policy outlines our approach to compliance with the General Data Protection Regulation (GDPR) and our commitment to safeguarding the rights and freedoms of individuals in relation to the processing of their personal data.

Purpose

The purpose of this policy is to ensure that HeliCo complies with the GDPR and to provide clear guidance on how personal data is collected, processed, stored, and managed within our organization.

Scope

This policy applies to all activities, processes, and systems involving the collection, processing, storage, or management of personal data carried out by HeliCo, regardless of the location of the data subjects.

Policy Elements

1. Lawful Basis for Processing:

HeliCo is committed to ensuring that personal data is processed lawfully, fairly, and transparently. We will only process personal data when there is a lawful basis for doing so, as defined by the General Data Protection Regulation (GDPR) and any other relevant data protection laws applicable in the UK.

The lawful bases for processing personal data may include the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, the performance of a task carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by HeliCo or a third party.

Our organization conducts thorough assessments to determine the appropriate lawful basis for each processing activity, ensuring that it aligns with the principles of data protection as outlined in the GDPR and UK data protection laws. This assessment considers the purpose of processing, the nature of the data, and the rights and interests of data subjects.

Additionally, we maintain detailed records documenting the lawful basis for processing, providing transparency and accountability in our data processing practices. These records are regularly reviewed and updated to reflect any changes in processing activities or applicable legal requirements.

HeliCo ensures that all employees, contractors, and stakeholders involved in processing personal data are trained and aware of the lawful basis for processing and their responsibilities in upholding the principles of data protection.

By adhering to a clear and well-defined lawful basis for processing personal data, HeliCo strives to maintain the highest standards of data protection and privacy for our clients, employees, and stakeholders.

2. Data Minimization:

We adhere to a stringent principle of data minimization. This means that we only collect and process personal data that is absolutely essential for the specific purpose for which it was obtained.

Our approach to data minimization ensures that we do not gather excessive or irrelevant information about individuals. This not only respects their privacy but also reduces the potential risks associated with handling unnecessary personal data.

Before embarking on any data collection or processing activity, we conduct a thorough assessment to determine the precise data elements required to achieve the intended purpose. This assessment considers factors such as the nature of the data, its relevance to the purpose, and the rights and expectations of the individuals involved.

Additionally, we implement measures to periodically review and assess the necessity of retaining personal data. If data is no longer required for the purpose for which it was obtained, it is promptly and securely disposed of in accordance with our data retention and disposal procedures.

Our commitment to data minimization extends to all aspects of our operations, reinforcing our dedication to protecting the privacy and rights of individuals. By strictly adhering to this principle, we not only enhance data security but also demonstrate our respect for the trust placed in us by our clients, employees, and stakeholders.

3. Transparency and Notice:

We prioritize transparency and open communication regarding the processing of personal data. When we collect data from individuals, we are committed to providing them with clear and concise information about how their data will be processed.

This commitment aligns with the stringent requirements set forth by both the General Data Protection Regulation (GDPR) and the UK data protection standards. We believe that individuals have the right to be informed about how their information will be used, and we take great care to ensure that this information is communicated in a straightforward and understandable manner.

Our notices at the time of data collection are designed to be comprehensive yet concise, covering essential details about the purpose of data processing, the legal basis for processing, any third parties involved, data retention periods, and the rights of the individual over their data.

Furthermore, we make it a point to regularly review and update our notices to ensure they remain accurate and up to date. This proactive approach reflects our dedication to maintaining the highest standards of transparency and compliance with data protection regulations.

By providing individuals with clear and accessible information about data processing, we empower them to make informed decisions about their personal information. This transparency not only builds trust but also reinforces our commitment to respecting individual privacy rights.

4. Data Subject Rights:

HeliCo upholds the rights that the GDPR and UK data protection laws grant to data subjects, as listed under Reference below: the rights of access, rectification, erasure, restriction of processing, data portability and objection, and the rights relating to automated decision-making and profiling.

5. Security Measures:

At HeliCo, safeguarding personal data is paramount. We take a comprehensive approach to security by implementing a robust framework of technical and organizational measures designed to ensure the utmost protection, confidentiality, and integrity of personal data.

Our commitment to security aligns perfectly with the stringent requirements set forth by both the General Data Protection Regulation (GDPR) and the UK data protection standards. We understand that securing personal data is not only a legal obligation but also a fundamental ethical responsibility.

Our security measures encompass:

  • Technical Safeguards: We employ state-of-the-art encryption, access controls, and intrusion detection systems to protect data from unauthorized access, breaches, and cyber threats. Regular security assessments and audits ensure the ongoing effectiveness of our technical safeguards.

  • Organizational Practices: Our staff is rigorously trained to adhere to the highest standards of data security and confidentiality. We enforce strict access controls, conduct background checks, and limit data access to authorized personnel only.

  • Data Privacy Impact Assessments (DPIAs): For high-risk processing activities, we conduct comprehensive DPIAs to identify, assess, and mitigate potential risks to personal data, ensuring that data protection is at the forefront of our operations.

  • Incident Response Plans: In the unfortunate event of a data breach, we have well-defined incident response plans in place to detect, report, and promptly mitigate breaches, in accordance with GDPR and UK data protection requirements.

  • Regular Audits and Reviews: We conduct regular security audits, assessments, and reviews to evaluate the effectiveness of our security measures, ensuring they remain in compliance with evolving data protection standards.

Our unwavering commitment to security extends to every facet of our organization, reflecting our dedication to preserving the trust placed in us by our clients, employees, and stakeholders. By adhering to these rigorous security practices, we not only fulfill our legal obligations but also uphold our ethical responsibility to protect personal data.

6. Data Breach Response:

At HeliCo, we recognize that rapid and effective response to data breaches is critical in upholding the trust and confidence of our clients, employees, and stakeholders. We have implemented a comprehensive set of procedures designed to swiftly detect, report, and respond to any potential data breaches, in strict accordance with the requirements outlined in both the General Data Protection Regulation (GDPR) and the UK data protection standards.

Our approach to data breach response encompasses the following key elements:

  • Early Detection and Identification: We employ advanced monitoring tools and conduct routine assessments to swiftly identify any suspicious activities or anomalies within our data systems. This proactive approach ensures that potential breaches are identified at the earliest possible stage.

  • Timely Reporting: In the event of a suspected or confirmed data breach, we have established clear protocols for promptly reporting the incident to the relevant authorities, including the Information Commissioner's Office (ICO), as required by law.

  • Comprehensive Investigation: Our experienced incident response team conducts thorough investigations to assess the nature and scope of the breach. This includes identifying the affected data, evaluating the potential impact, and determining the root cause.

  • Notification and Communication: If necessary, affected individuals and relevant stakeholders will be promptly and transparently informed about the breach. Our notifications will include details about the nature of the breach, steps taken to mitigate its effects, and guidance on protective measures.

  • Remediation and Mitigation: Following the identification of a breach, we take immediate action to contain and remediate the situation. This may involve isolating affected systems, implementing additional security measures, and enhancing our existing safeguards to prevent future incidents.

  • Documentation and Reporting: Every step of our data breach response process is meticulously documented to ensure compliance with legal requirements. This documentation also serves as a valuable resource for post-incident analysis and process improvement.

Our unwavering commitment to data breach response not only demonstrates our compliance with regulatory mandates but also reflects our dedication to maintaining the highest standards of data protection and security. By prioritizing swift and effective response protocols, we aim to mitigate potential risks and uphold the integrity of our data handling practices.

7. International Data Transfers:

If personal data is transferred outside the European Economic Area (EEA), or to countries not deemed by the EU Commission as providing an adequate level of data protection, adequate safeguards will be implemented to ensure the protection of that data, in accordance with GDPR and UK data protection standards.

HeliCo recognizes the paramount importance of safeguarding personal data when it is transferred beyond the borders of the European Economic Area (EEA) or to countries that may not be designated by the EU Commission as offering an equivalent level of data protection. In adherence to both the General Data Protection Regulation (GDPR) and the exacting standards set forth by UK data protection laws, we are committed to ensuring that robust safeguards are meticulously implemented to fortify the security and confidentiality of such data.

Our approach to international data transfers encompasses the following key principles:

  • Risk Assessment and Due Diligence: Before any international transfer takes place, we conduct rigorous risk assessments and due diligence to evaluate the specific risks associated with the destination country. This includes an assessment of local data protection laws and regulations.

  • Use of Standard Contractual Clauses (SCCs): In instances where an adequate level of data protection is not ensured by the receiving country, we enter into agreements that incorporate Standard Contractual Clauses (SCCs) approved by the relevant authorities. These clauses establish a contractual framework to protect the rights of data subjects and ensure compliance with GDPR and UK data protection standards.

  • Binding Corporate Rules (BCRs) and Certification Mechanisms: In cases involving intra-organizational transfers, we explore the use of Binding Corporate Rules or certification mechanisms to facilitate the lawful transfer of personal data across borders.

  • Transparency and Information Provision: We believe in maintaining open and transparent communication with data subjects regarding international data transfers. We inform individuals of the countries to which their data may be transferred and the safeguards we have put in place to protect their information.

  • Data Protection Impact Assessments (DPIAs): For high-risk international data transfers, we conduct comprehensive DPIAs to identify, assess, and mitigate potential risks to personal data, ensuring compliance with GDPR and UK data protection requirements.

8. Third-Party Processors:

When personal data is processed by third-party processors on behalf of HeliCo, contracts will be in place to ensure GDPR and UK data protection compliance.

We recognize the critical importance of ensuring that any third-party processors entrusted with processing personal data on our behalf uphold the same exacting standards of data protection and privacy. To this end, we establish robust contractual agreements with all such processors, designed to guarantee compliance with the requirements stipulated by both the General Data Protection Regulation (GDPR) and UK data protection standards.

Our approach to third-party processors includes the following key components:

  • Due Diligence and Vendor Assessment: Prior to engaging the services of any third-party processor, we conduct thorough due diligence and vendor assessments to ascertain their capacity to meet our stringent data protection standards. This includes an evaluation of their technical capabilities, security measures, and track record in data protection compliance.

  • Comprehensive Contractual Agreements: We insist on detailed contractual agreements that outline the specific responsibilities, obligations, and expectations of third-party processors with regard to the processing of personal data. These contracts include explicit provisions for data protection, security measures, breach notification, and compliance with GDPR and UK data protection laws.

  • Data Processing Audits and Oversight: We maintain a proactive stance by conducting regular audits and oversight of our third-party processors to verify ongoing compliance with our contractual agreements and data protection standards. This ensures that they continue to meet the stringent requirements set forth by regulatory authorities.

  • Continuous Monitoring and Evaluation: We recognize that maintaining the highest standards of data protection requires ongoing vigilance. Therefore, we implement continuous monitoring mechanisms to assess the performance of our third-party processors. This includes regular reviews of their data handling practices, security measures, and compliance with contractual obligations.

  • Immediate Response to Non-Compliance: In the event that a third-party processor is found to be in breach of our contractual agreements or data protection standards, we take immediate action to rectify the situation. This may involve implementing corrective measures, seeking clarification, or, if necessary, terminating the engagement.

  • Training and Guidance: We provide guidance and training to our third-party processors to ensure they understand and comply with our data protection requirements. This includes educating them on GDPR and UK data protection laws, as well as best practices for handling personal data.

9. Data Retention and Disposal:

Ensuring the appropriate retention and disposal of personal data is a cornerstone of our commitment to data protection at HeliCo. We strictly adhere to the principles outlined in both the General Data Protection Regulation (GDPR) and the rigorous UK data protection laws to govern the lifecycle of personal data.

Our approach to data retention and disposal is guided by the following key principles:

  • Purpose-Limited Retention: Personal data is retained only for the duration that is necessary to fulfill the specific purposes for which it was initially collected. This principle ensures that we do not retain data longer than is required for its original intended use.

  • Secure Disposal Procedures: When personal data reaches the end of its retention period, we employ secure and irreversible methods of disposal. This may include shredding physical documents, securely wiping electronic storage media, or utilizing certified data disposal services.

  • Compliance with Legal Obligations: We strictly adhere to all relevant legal and regulatory requirements pertaining to data retention and disposal. This includes compliance with the specific retention periods mandated by GDPR and UK data protection laws for different types of personal data.

  • Regular Review and Audit: We conduct periodic reviews of our data retention practices to ensure they remain aligned with evolving legal requirements and best practices. This includes assessing the necessity of retaining specific types of data and updating our policies and procedures accordingly.

  • Documentation and Record-Keeping: We maintain detailed records of our data retention and disposal activities, providing a transparent and accountable record of our compliance efforts. These records serve as a vital resource for audits and demonstrate our commitment to data protection.

10. Data Privacy Impact Assessments (DPIA):

Conducting Data Privacy Impact Assessments (DPIAs) is a fundamental practice at HeliCo, serving as a proactive measure to evaluate and address potential risks associated with high-risk processing activities. This process is conducted in strict accordance with the robust requirements outlined by both the General Data Protection Regulation (GDPR) and the exacting standards set forth by UK data protection requirements.

Our approach to DPIAs encompasses the following key elements:

  • Identification of High-Risk Activities: We meticulously identify processing activities that have the potential to pose a higher risk to the rights and freedoms of data subjects. This includes activities involving sensitive data, large-scale processing, or innovative use of technology.

  • Comprehensive Risk Assessment: For each identified high-risk activity, we conduct a comprehensive assessment to identify, evaluate, and mitigate potential risks to data subjects. This involves a thorough analysis of the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of the risks.

  • Involvement of Stakeholders: We engage relevant stakeholders, including data protection experts, legal advisors, and business units, in the DPIA process. Their expertise and insights are invaluable in ensuring a thorough and balanced assessment.

  • Mitigation Strategies: Based on the findings of the DPIA, we implement targeted mitigation strategies to minimize identified risks. These strategies may include enhanced security measures, privacy-enhancing technologies, or adjustments to data processing procedures.

  • Documentation and Accountability: The DPIA process, including its findings, mitigation measures, and decisions, is meticulously documented. This documentation serves as a transparent record of our commitment to identifying and mitigating risks to data subjects.

  • Integration with Project Lifecycles: DPIAs are seamlessly integrated into the project lifecycles of high-risk processing activities, ensuring that data protection considerations are embedded from the outset and continuously monitored throughout the project's duration.

11. Employee Training and Awareness:

We recognize that our employees play a crucial role in upholding the highest standards of data protection. To empower them in this responsibility, we have instituted a comprehensive training program focused on GDPR compliance, data protection best practices, and the specific requirements of UK data protection laws.

Our approach to employee training and awareness includes the following key elements:

  • Tailored Curriculum: Our training program is meticulously designed to cater to the unique needs and responsibilities of our employees. It covers a wide range of topics, including the fundamental principles of GDPR, individual rights of data subjects, secure data handling practices, and compliance with UK data protection laws.

  • Continuous Learning Culture: We believe in fostering a culture of continuous learning and improvement. Therefore, our training modules are regularly updated to reflect any changes in data protection regulations, ensuring that our employees stay abreast of the latest developments.

  • Interactive Workshops and Simulations: We conduct interactive workshops and simulations to provide practical, hands-on experience in applying data protection principles. This approach allows our employees to gain a deeper understanding of their role in safeguarding personal data.

  • Scenario-Based Learning: We present employees with real-world scenarios and case studies to illustrate the application of data protection principles in various contexts. This helps them develop a practical and contextualized understanding of their responsibilities.

  • Assessment and Certification: Upon completion of the training program, employees undergo assessments to evaluate their comprehension and retention of the material. Successful completion results in certification, recognizing their proficiency in GDPR compliance and data protection best practices.

  • Ongoing Communication and Awareness Campaigns: We maintain open lines of communication with our employees through regular updates, newsletters, and awareness campaigns. These initiatives serve to reinforce the importance of data protection and keep our team informed about relevant changes in regulations.

By investing in employee training and awareness, we ensure that every member of our team is equipped with the knowledge and skills necessary to uphold the highest standards of data protection. This not only demonstrates our commitment to compliance with GDPR and UK data protection laws but also reinforces our ethical responsibility to protect the privacy and rights of individuals.

12. Regulatory Compliance:

At HeliCo, our commitment to data protection extends to unwavering adherence to all relevant data protection laws and regulations. This includes strict compliance with the General Data Protection Regulation (GDPR) and any other applicable data protection standards within the UK.

Our approach to regulatory compliance encompasses the following key elements:

  • Comprehensive Legal Oversight: We maintain a dedicated legal team tasked with continuously monitoring and interpreting the evolving landscape of data protection laws. This ensures that our practices remain aligned with the latest regulatory requirements.

  • Proactive Policy Development: We take a proactive approach to policy development, ensuring that our internal policies and procedures are meticulously crafted to reflect the specific requirements of GDPR and UK data protection standards.

  • Regular Compliance Audits: We conduct routine compliance audits to verify that our data processing practices, policies, and procedures align with the stringent requirements set forth by regulatory authorities. Any identified gaps or areas of improvement are swiftly addressed.

  • Engagement with Regulatory Authorities: We maintain open lines of communication with relevant regulatory authorities, seeking guidance and clarification when needed. This collaborative approach helps us ensure that our practices meet or exceed regulatory expectations.

  • Adaptation to Regulatory Changes: As data protection laws evolve, we promptly adapt our practices to reflect any changes in requirements. This includes adjustments to policies, procedures, and training programs to ensure ongoing compliance.

  • Transparency and Accountability: We maintain transparent and accountable records of our compliance efforts, providing clear evidence of our commitment to regulatory adherence. This documentation also serves as a valuable resource for audits and regulatory inquiries.

Responsibility:

Every employee, contractor, and stakeholder of HeliCo is responsible for ensuring compliance with this policy. The Data Protection Officer will oversee the implementation and compliance with GDPR and UK data protection requirements, providing guidance and support as needed.

By implementing this GDPR policy, HeliCo aims to demonstrate its commitment to protecting the privacy and rights of individuals in accordance with the GDPR and other applicable data protection laws.

Reference:

European Data Protection Requirements:

  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) to be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

  • Right to Access (Article 15): Individuals have the right to request access to their personal data and information about how it is being processed.

  • Right to Rectification (Article 16): Individuals can request the correction of inaccurate or incomplete personal data.

  • Right to Erasure (Article 17): Also known as the 'Right to be Forgotten', this allows individuals to request the deletion of their personal data.

  • Right to Restriction of Processing (Article 18): Individuals can request that their personal data be processed only for specific purposes.

  • Right to Data Portability (Article 20): Individuals can request their personal data in a structured, commonly used, and machine-readable format.

  • Right to Object (Article 21): Individuals can object to the processing of their personal data in certain circumstances.

  • Automated Decision-Making and Profiling (Article 22): Individuals have rights related to automated decision-making, including the right not to be subject to decisions based solely on automated processing.

UK Data Protection Requirements:

  • Data Protection Act 2018 (DPA): This Act, available at https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted, supplements the GDPR and provides specific provisions for how the GDPR is applied in the UK.

  • Information Commissioner's Office (ICO): The ICO, at https://ico.org.uk/, is the UK's independent regulator for data protection and privacy. It provides guidance, enforces data protection laws, and oversees compliance.

  • Data Protection Impact Assessments (DPIAs): Similar to GDPR, DPIAs in the UK are used to identify and mitigate risks associated with processing personal data.

  • Data Protection Officers (DPOs): Certain organizations are required to appoint a DPO to oversee data protection activities.

  • UK-EU Data Transfers (Post-Brexit): With the UK's exit from the EU, specific mechanisms and safeguards are in place for transferring data between the UK and EU member states.

  • Privacy Notices (Article 13/14 of GDPR): Organizations must provide detailed information to individuals about how their personal data is processed.
