Data Protection Policies

 

Data Protection Policy

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This policy sets out how Bang on Print & Design Ltd (“the Company”) collects, uses, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Scope

This policy applies to all employees, contractors, and freelancers who process personal data on behalf of the Company, including customer, supplier, and staff data.

3. Data Protection Principles

The Company processes personal data in accordance with the following principles. Personal data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept no longer than necessary (see Data Retention Schedule)
  • Processed securely, protecting against unauthorised or unlawful processing, loss, or damage

4. Lawful Basis for Processing

The Company relies on the following lawful bases, depending on the activity:

  • Contract — processing customer order, artwork, and payment details to fulfil print and design jobs
  • Legal obligation — retaining financial records for HMRC and employment records for statutory purposes
  • Legitimate interests — general business administration, fraud prevention, and direct marketing to existing customers
  • Consent — marketing communications to new contacts, and any use of customer imagery in portfolios or case studies

5. Roles and Responsibilities

The Director is the designated Data Protection Lead and is responsible for overseeing compliance, handling data protection queries, and acting as the first point of contact for the Information Commissioner’s Office (ICO) and data subjects.

All staff are responsible for handling personal data in line with this policy and for reporting any suspected data breach immediately in line with the Data Breach Response Procedure.

6. Rights of Individuals

Individuals whose data the Company holds have the right to:

  • Be informed about how their data is used
  • Access their personal data (see Subject Access Request Procedure)
  • Have inaccurate data corrected
  • Request erasure of their data, where applicable
  • Restrict or object to certain processing
  • Request data portability
  • Withdraw consent at any time, where consent is the lawful basis

7. Data Sharing and Third Parties

Personal data is only shared with third parties (e.g. printers, couriers, payment processors, IT providers) where necessary and under a written data processing agreement. Data is not sold or shared for unrelated marketing purposes.

8. Training

All staff receive an induction briefing on data protection responsibilities and refresher guidance at least annually.

9. Policy Review

This policy is reviewed annually, or sooner if legislation, guidance, or business practice changes. Next review: 15 July 2027.

 

IT Data Security Policy

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This policy sets out the technical and organisational measures used to protect Company systems, customer files, and personal data from loss, misuse, or unauthorised access.

2. Scope

Applies to all computers, mobile devices, servers, cloud storage, and software used to conduct Company business, and to everyone who uses them.

3. Access Control and Passwords

  • User accounts are individual — credentials must not be shared
  • Passwords must be at least 12 characters and unique to each system; a password manager is recommended
  • Multi-factor authentication (MFA) must be enabled on email, cloud storage, and financial systems
  • Access to customer files, order systems, and financial records is limited to staff who need it for their role
  • Access is revoked immediately when a staff member or contractor leaves

4. Device Security

  • All laptops and mobile devices used for work must have disk encryption, a screen lock, and up-to-date antivirus software enabled
  • Devices must be locked whenever left unattended
  • Lost or stolen devices must be reported to the Data Protection Lead immediately so accounts can be secured

5. Network and Wi-Fi Security

  • The office Wi-Fi network uses WPA2/WPA3 encryption with a strong, non-default password
  • A separate guest network is used for visitors, kept isolated from business systems
  • A firewall is maintained on the network and on individual devices

6. Customer Files and Artwork

  • Customer artwork, proofs, and order files are stored only in approved cloud storage or the studio server, not on personal devices or personal cloud accounts
  • File-sharing links sent to customers are password protected or time-limited where the platform allows
  • Completed job files are archived and removed from active production folders in line with the Data Retention Schedule

7. Backups

  • Business-critical data, including customer and order records, is backed up automatically at least daily
  • Backups are stored separately from the primary system (cloud backup or offsite drive) and tested periodically to confirm they can be restored

8. Software and Patching

  • Operating systems and business software are kept up to date with security patches
  • Only software from trusted, licensed sources is installed on Company devices

9. Removable Media and Personal Devices

  • USB drives and removable media should be avoided for transferring personal or customer data; use approved cloud storage instead
  • Personal devices used to access Company email or files (BYOD) must meet the same password, lock, and encryption standards as Company devices

10. Remote and Home Working

  • Staff working remotely must use a secure, password-protected internet connection and avoid public Wi-Fi for sensitive work without a VPN
  • Printed documents containing personal data must be stored securely and disposed of by shredding

11. Disposal of Equipment and Data

  • Old computers, drives, and devices are securely wiped or physically destroyed before disposal or resale
  • Paper records containing personal data are shredded, not placed in general waste

12. Policy Review

This policy is reviewed annually, or sooner following a security incident or significant change in systems. Next review: 15 July 2027.

 

Data Breach Response Procedure

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This procedure sets out the steps to follow if a personal data breach occurs or is suspected, so it can be contained, assessed, and reported quickly.

2. What Counts as a Breach

A personal data breach is any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:

  • A laptop, phone, or USB drive containing customer or staff data is lost or stolen
  • An email or file containing personal data is sent to the wrong recipient
  • A cloud storage account or email account is accessed by an unauthorised person (hacking, phishing)
  • Customer artwork or order files containing personal details are exposed via a misconfigured share link

3. Step 1 — Report Immediately

Anyone who discovers or suspects a breach must report it to the Data Protection Lead (Simon (Director) — simon@bangonprint.co.uk) immediately, and in any case within 24 hours.

4. Step 2 — Contain and Recover

  • Isolate affected systems or accounts (e.g. change passwords, revoke access, disable compromised accounts)
  • Recover lost data from backups where possible
  • Preserve evidence (screenshots, logs, emails) for the investigation

5. Step 3 — Assess the Risk

The Data Protection Lead assesses the breach within 24 hours of it being reported, considering:

  • What data was involved and how sensitive it is
  • How many individuals are affected
  • The likelihood and severity of harm to those individuals (e.g. identity theft, financial loss, distress)

6. Step 4 — Report to the ICO (if required)

Where the breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported to the Information Commissioner’s Office (ICO) without undue delay, and no later than 72 hours after the Company becomes aware of it. If full details aren’t yet known, an initial report is made within the deadline and updated as the investigation progresses.

Reports are made via ico.org.uk, and must include: a description of the breach, categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address it.

7. Step 5 — Notify Affected Individuals (if required)

Where the breach is likely to result in a high risk to individuals, those affected are notified directly and without undue delay, explaining what happened, the likely consequences, and what steps they can take to protect themselves.

8. Step 6 — Record the Breach

All breaches, whether or not reportable to the ICO, are logged in the Company’s breach register, recording: date and nature of the breach, data and individuals affected, risk assessment, actions taken, and whether the ICO/individuals were notified.

9. Step 7 — Review and Prevent Recurrence

After resolution, the Data Protection Lead reviews the cause and updates policies, training, or systems to reduce the risk of recurrence.

10. Policy Review

Next review: 15 July 2027.

 

Acceptable Use Policy

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This policy sets out the standards expected when using Company IT equipment, systems, and accounts, to protect Company and customer data and systems from misuse or harm.

2. Scope

Applies to all staff, contractors, and freelancers using Company computers, email, internet access, software, or data, whether on-site or remote.

3. General Use

  • Company systems and accounts are provided primarily for business purposes; reasonable, occasional personal use is permitted provided it does not interfere with work or breach this policy
  • Users must lock their screen when away from their desk and log out of shared devices
  • Users must not attempt to bypass security controls, install unauthorised software, or connect unauthorised devices to Company systems

4. Email and Internet

  • Company email must not be used to send personal data or customer files to personal email addresses
  • Staff must be alert to phishing emails and report suspicious messages to the Data Protection Lead rather than clicking links or opening attachments
  • Internet use should avoid sites that could expose Company systems to malware or that are illegal, offensive, or unrelated to business activity

5. Social Media

  • Customer artwork, order details, or images may only be shared publicly (e.g. in a portfolio or on social media) with the customer’s prior consent
  • Staff should not discuss confidential Company or customer information on personal social media accounts

6. Personal Devices (BYOD)

  • Personal devices used to access Company email, files, or systems must meet the security standards in the IT & Data Security Policy (password/PIN, lock screen, encryption, up-to-date software)
  • Company data should not be stored on personal devices or personal cloud accounts other than through approved, managed apps

7. Prohibited Activities

  • Sharing login credentials with others
  • Downloading or installing unlicensed or unauthorised software
  • Accessing, storing, or sharing personal data without a legitimate business reason
  • Using Company systems for any unlawful purpose

8. Monitoring

The Company may monitor use of its IT systems (e.g. email and internet logs) where necessary and proportionate to protect its systems and data, in line with data protection law. Monitoring is not used to intrude on personal privacy beyond what is necessary for legitimate business and security purposes.

9. Consequences of Misuse

Breaches of this policy may be addressed through the Company’s disciplinary procedure and, where unlawful activity or a serious data breach is involved, may be reported to relevant authorities.

10. Policy Review

Next review: 15 July 2027.

 

Data Retention Schedule

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This schedule sets out how long different categories of personal data are kept, in line with the Data Protection Policy. Retention periods reflect legal requirements and genuine business need; data is not kept longer than necessary.

2. Retention Periods

Data category

Examples

Retention period

Basis

Disposal method

Customer order records

Order details, invoices, contact info

6 years

Legal obligation (tax/accounting)

Secure deletion

Financial records

Payment records, VAT records, receipts

6 years

HMRC requirement

Secure deletion / shredding

Customer artwork & design files

Print-ready files, proofs, briefs

2 years after job completion (unless customer requests longer)

Legitimate interest / contract

Secure deletion

Marketing & consent records

Email sign-ups, consent logs

Until consent withdrawn, or 2 years of inactivity

Consent

Secure deletion

Website enquiry data

Contact form submissions

12 months if no order results

Legitimate interest

Secure deletion

Employee records

Contracts, payroll, appraisals

6 years after employment ends

Legal obligation / contract

Secure deletion / shredding

Recruitment records

Applications, interview notes (unsuccessful candidates)

6 months after decision

Legitimate interest

Secure deletion

Accident / H&S records

Accident book entries

3 years (longer for certain incidents)

Legal obligation

Secure deletion / shredding

CCTV footage (if applicable)

Premises security recordings

30 days, unless needed for an investigation

Legitimate interest

Automatic overwrite / deletion

 

3. Notes

  • Periods above are defaults; a longer period may apply where required for an ongoing legal claim, dispute, or regulatory requirement
  • Data due for deletion is reviewed at least annually by the Data Protection Lead
  • Secure deletion means permanent removal from active systems and backups within a reasonable cycle, or shredding for paper records

4. Policy Review

Next review: 15 July 2027.

 

Subject Access Request Procedure

Bang on Print & Design Ltd

Company

Bang on Print & Design Ltd

Policy owner

Simon (Director) — simon@bangonprint.co.uk

Effective date

15 July 2026

Next review

15 July 2027

Version

1.0

 

1. Purpose

This procedure explains how the Company handles requests from individuals for access to their personal data, in line with UK GDPR.

2. What Is a Subject Access Request

A Subject Access Request (SAR) is a request from an individual (e.g. a customer, employee, or supplier contact) to find out what personal data the Company holds about them, why it is held, and who it has been shared with.

3. Receiving a Request

A SAR can be made verbally or in writing (including email or social media) and does not need to mention ‘subject access request’ by name. Any staff member who receives what may be a SAR must pass it to the Data Protection Lead immediately.

4. Verifying Identity

Before releasing any data, the Data Protection Lead confirms the requester’s identity (e.g. via photo ID or account details already held) to prevent personal data being disclosed to the wrong person.

5. Timescale

The Company responds within one calendar month of receiving the request (and confirming identity). This can be extended by a further two months for complex or numerous requests, in which case the requester is told within the first month and given the reason for the delay.

6. Fees

Requests are handled free of charge. A reasonable fee may be charged only for requests that are manifestly unfounded, excessive, or for extra copies of the same information.

7. What Is Provided

The response includes a copy of the personal data held, plus: the purposes of processing, the categories of data, who it has been shared with, the retention period, and details of the individual’s rights.

8. Exemptions and Redactions

Information may be withheld or redacted where it would reveal personal data about another individual (unless they consent, or it’s reasonable to disclose without consent), or where a legal exemption applies (e.g. legal privilege). Any redactions are recorded with the reason.

9. Refusing a Request

Requests that are manifestly unfounded or excessive may be refused. The requester is informed of the refusal, the reason, and their right to complain to the ICO or seek a judicial remedy.

10. Recording Requests

All SARs are logged, recording the date received, requester, actions taken, and date responded to, to demonstrate compliance.

11. Complaints

Individuals unhappy with how their request was handled may complain to the Data Protection Lead in the first instance, or directly to the Information Commissioner’s Office (ico.org.uk).

12. Policy Review

Next review: 15 July 2027.