Data Protection Policy

Data Protection Policy – StepSoft Ltd

StepSoft Ltd needs to collect and use certain types of personal information about customers, clients, employees, contractors, and other individuals who come into contact with the business.

This personal information must be handled properly, whether collected, recorded, or used in paper form, electronically, or through other means. StepSoft Ltd is committed to ensuring that all personal data is processed in accordance with applicable data protection legislation, including:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018

Commitment to Data Protection

StepSoft Ltd regards the lawful and correct treatment of personal data as essential to maintaining trust and delivering professional services.

The company fully adheres to the data protection principles set out below.

Data Protection Principles

Personal data shall:

  1. Be processed lawfully, fairly, and transparently
  2. Be collected for specified, explicit, and legitimate purposes and not used in a way that is incompatible with those purposes
  3. Be adequate, relevant, and limited to what is necessary
  4. Be accurate and kept up to date
  5. Be retained only as long as necessary
  6. Be processed in accordance with data subject rights
  7. Be protected using appropriate technical and organisational security measures
  8. Not be transferred outside the UK/EEA without adequate safeguards

How StepSoft Ltd Applies These Principles

StepSoft Ltd will, through effective management and strict controls:

  1. Ensure fair and lawful collection and use of personal data
  2. Clearly define the purposes for processing data
  3. Collect only necessary and relevant data for operational and legal requirements
  4. Maintain the accuracy and quality of information
  5. Implement retention policies and regularly review stored data
  6. Ensure individuals can exercise their data protection rights
  7. Apply strong security measures to protect data
  8. Ensure lawful and secure transfer of data (including third parties and overseas where applicable)
  9. Treat all individuals fairly and without discrimination
  10. Maintain clear procedures for handling data requests

Data Subject Rights

Individuals have the following rights under UK GDPR:

  • The right to be informed about data processing
  • The right of access to personal data
  • The right to rectification of inaccurate data
  • The right to erasure (where applicable)
  • The right to restrict processing
  • The right to object to processing
  • The right to data portability

All requests will be handled promptly and in accordance with legal requirements.

Data Security

StepSoft Ltd implements appropriate technical and organisational measures, including:

  • Controlled access to systems and data
  • Secure storage (digital and physical)
  • Encryption and password protection where applicable
  • Regular monitoring and review of data handling practices

Data Sharing

Personal data may be shared where necessary with:

  • Accreditation bodies (e.g., TrustMark, ECMK, Elmhurst)
  • Managing agents and funding bodies (ECO4, GBIS, etc.)
  • Contractors and project stakeholders
  • Regulatory authorities

All data sharing is conducted securely and in compliance with data protection laws.

Staff Responsibilities

StepSoft Ltd ensures that:

  1. A designated person is responsible for overseeing data protection compliance
  2. All staff handling personal data understand their responsibilities
  3. Staff receive appropriate training in data protection
  4. Data handling is properly supervised
  5. Clear procedures exist for managing personal data
  6. Data-related queries are handled efficiently and professionally
  7. Data handling practices are documented and regularly reviewed
  8. Internal audits are conducted to ensure compliance
  9. Continuous improvement is applied to data management practices
  10. Breaches of this policy may result in disciplinary action

Data Protection Responsibility

StepSoft Ltd has designated responsibility for data protection compliance within the organisation.

For all data protection matters, please contact:
📧 info@stepsoft.co.uk

Data Breaches

Any data breach will be:

  • Investigated promptly
  • Reported where required under UK GDPR
  • Managed to minimise risk and prevent recurrence

Policy Review

This policy will be reviewed regularly and updated where necessary to reflect:

  • Changes in legislation
  • Best practices in data protection
  • Operational or regulatory requirements

Contact

For any queries regarding this policy or how personal data is handled, please contact:

📧 info@stepsoft.co.uk
