Data Protection Policy


Document Owner: Pobl Tech Limited (T/A Pobl)
Effective Date: 08/08/21
Latest Revision Date: 01/04/26

1. Purpose

The purpose of this policy is to define how Pobl Tech processes and protects personal data. It sets out the principles, responsibilities, and controls used to ensure that personal data is handled lawfully, fairly, and securely in accordance with UK data protection legislation.

This policy supports Pobl Tech’s commitment to protecting the rights and freedoms of individuals whose personal data is processed in the course of business operations.

2. Scope

This policy applies to:

All personal data processed by Pobl Tech
All employees, directors, contractors, and temporary staff
All systems, services, and devices used to collect, store, or process personal data

This includes data processed through websites, forms, integrations, hosting platforms, support systems, and internal tools.

3. Policy Statement

Pobl Tech is committed to complying with the UK General Data Protection Regulation and the Data Protection Act 2018. Personal data is processed only where a lawful basis exists and is protected through appropriate technical and organisational measures.

Personal data must be:

Processed lawfully, fairly, and transparently
Collected for specified, explicit, and legitimate purposes
Adequate, relevant, and limited to what is necessary
Accurate and kept up to date
Retained only for as long as necessary
Protected against unauthorised or unlawful processing, loss, or damage

4. Roles and Responsibilities

Senior Management

Senior management has overall responsibility for ensuring that data protection obligations are met and that appropriate resources are in place.

Technical Director

The Technical Director oversees technical and organisational measures for data protection and supports compliance through secure system design and operation.

All Staff

All staff are responsible for handling personal data responsibly, following this policy, and reporting any suspected data protection incidents promptly.

5. Lawful Basis for Processing

Personal data is processed only where a lawful basis applies under UK GDPR. This may include:

Performance of a contract
Compliance with a legal obligation
Performance of a task carried out in the public interest
Legitimate interests

Where Pobl Tech acts as a data processor, personal data is processed strictly in accordance with documented instructions from the data controller.

6. Data Minimisation and Purpose Limitation

Only the minimum amount of personal data required to deliver services is collected and processed.

Personal data is not used for purposes beyond those originally defined unless a further lawful basis is established.

7. Data Security Measures

Personal data is protected through a combination of technical and organisational controls, including:

Role-based access control and least privilege
Secure hosting within UK-based environments
Encryption of data in transit where supported
Secure authentication and credential management
Regular patching and system maintenance
Monitoring and logging of system access

Third-party services are assessed to ensure appropriate safeguards are in place before use.

8. Data Retention and Disposal

Personal data is retained only for as long as necessary to fulfil its purpose or meet legal or contractual obligations.

When personal data is no longer required, it is securely deleted or anonymised using appropriate technical methods.

9. Data Subject Rights

Pobl Tech supports the rights of individuals under UK GDPR, including:

Access
Rectification
Erasure
Restriction
Objection

Where acting as a data processor, Pobl Tech assists the data controller in responding to requests within statutory timescales.

10. Personal Data Breaches

Any suspected or actual personal data breach must be reported immediately in line with the Incident Response Plan.

Incidents are assessed, recorded, and managed in a timely manner.

Where required, Pobl Tech supports notification to the Information Commissioner’s Office and affected individuals in accordance with legal requirements.

11. Third Parties and Data Transfers

Where third parties are used to support service delivery, appropriate contractual and security measures are in place.

Personal data is not transferred outside the UK unless appropriate safeguards are established and approved.

12. Training and Awareness

Data protection awareness forms part of onboarding and ongoing working practices.

Staff are expected to understand their responsibilities regarding confidentiality and secure handling of personal data.

13. Review and Maintenance

This policy is reviewed at least annually, or sooner if there are changes to legislation, services, or data processing activities.

Document Control and Governance

Document Owner

The owner of this document is the Senior Leadership Team, Pobl Tech.

The Document Owner is responsible for:

Ensuring the policy remains accurate and up to date
Approving changes to the document
Ensuring the policy is communicated and applied within the organisation

Approval

This policy has been reviewed and approved by Pobl Tech senior management.

Review Schedule

This document will be reviewed:

At least annually
Following significant changes to systems, services, or regulatory requirements
Following major incidents or material changes in risk

Policy Distribution

This policy is available to relevant staff and can be provided to clients or auditors where required.