Privacy Policy
ReEnergise Cybersecurity, GDPR & Data Protection Policy
1. Introduction
ReEnergise Ltd is committed to protecting the confidentiality, integrity, and availability of personal data and IT systems. This combined policy outlines how we comply with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), as well as our approach to cybersecurity and information governance.
2. Scope
This policy applies to all employees, contractors, and partners of ReEnergise Ltd and governs the handling of personal data, cybersecurity practices, and marketing communications.
3. GDPR & Data Protection Principles
We adhere to the core principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
4. Lawful Basis for Processing
We will only process personal data where at least one lawful basis under Article 6 of the UK GDPR applies. Our most common bases are:
- Contract – for delivery of services or employment.
- Legitimate Interest – for communications or operations where our interests are not overridden by the rights and freedoms of the data subject.
- Consent – for electronic marketing or special categories of personal data.
5. Rights of Data Subjects
Individuals have the right to:
- Access and obtain a copy of their data.
- Request rectification or erasure.
- Object to processing.
- Restrict processing.
- Request data portability.
- Withdraw consent at any time.
All requests will be managed in line with our internal processes and responded to within statutory timeframes.
6. Privacy Notices
We provide clear privacy notices at the point of data collection, including:
- The purpose of processing.
- The lawful basis for processing.
- Data retention periods.
- Contact details for our Data Protection Officer.
7. Marketing Compliance
In line with PECR and ICO guidance:
- Email/text marketing: Only sent with opt-in consent or under soft opt-in rules for existing customers.
- Phone marketing: Screened against TPS/CTPS; recorded calls require explicit consent.
- Postal marketing: May be sent unless an individual opts out; screened against the MPS.
- All marketing communications provide a clear opt-out mechanism.
We maintain suppression lists to prevent marketing to those who have opted out.
8. Cybersecurity Policy
8.1 Commitments:
- Secure systems and networks using firewalls, encryption, MFA, and patching.
- Access control based on least privilege.
- Employee cybersecurity awareness training.
- Incident monitoring and response procedures.
- Work only with trusted, security-vetted IT suppliers.
8.2 Use of Equipment & Software:
- Only authorised software and hardware may be used.
- Personal devices require approval and adequate security.
- Virus checking is mandatory before installing any new software.
8.3 Email and Internet Use:
- Use is restricted to legitimate business activities.
- Inappropriate use (e.g., offensive content, gambling, hacking) is prohibited and may result in dismissal.
- Emails should comply with ReEnergise communication standards.
9. Confidentiality
Employees must maintain the confidentiality of any information acquired during the course of their work. All documentation remains the property of ReEnergise and must be returned upon request or termination.
10. Data Breach Management
All suspected data breaches must be reported immediately. We will investigate incidents, notify affected individuals where required, and report notifiable breaches to the ICO within 72 hours.
11. Data Retention
Personal data will be retained only for as long as necessary to fulfil its purpose, in line with our retention schedules. In some cases, data may be anonymised and retained for analysis or reporting.
12. Roles and Responsibilities
- Managing Director – acts as Data Controller.
- Operations Director / DPO – oversees GDPR compliance, IT security, and incident management.
- All Employees – must follow this policy and report any concerns.
13. Policy Review
This policy is reviewed annually or following any significant operational or regulatory changes.