Data Protection Policy
1. Policy Statement
GILS Construction is committed to protecting personal data and ensuring it is handled lawfully, fairly, and transparently.
We recognise the importance of safeguarding personal information relating to employees, clients, subcontractors, and other stakeholders, and we are committed to complying with all applicable data protection laws.
2. Scope
This policy applies to:
All employees
Subcontractors and consultants
Temporary staff and agency workers
Anyone processing personal data on behalf of the company
It covers all personal data processed in both electronic and paper formats.
3. Legal Framework
We process personal data in accordance with:
UK GDPR
Data Protection Act 2018
We also follow guidance issued by the Information Commissioner’s Office (ICO).
4. Data Protection Principles
We adhere to the following principles:
Lawfulness, fairness, and transparency
Purpose limitation – data collected for specific, legitimate purposes
Data minimisation – only necessary data is collected
Accuracy – data kept up to date
Storage limitation – data retained only as long as necessary
Integrity and confidentiality – data kept secure
5. Types of Personal Data
We may process:
Employee records (e.g., payroll, HR data)
Client and customer contact details
Subcontractor and supplier information
Site records (e.g., CCTV, access logs, health & safety records)
Sensitive personal data (special category data) will be handled with additional safeguards.
6. Lawful Basis for Processing
We will only process personal data where there is a lawful basis, including:
Contractual necessity
Legal obligation
Legitimate business interests
Consent (where required)
7. Data Security
We implement appropriate technical and organisational measures to protect data, including:
Secure IT systems and password controls
Restricted access to personal data
Secure storage of paper records
Data encryption where appropriate
Subcontractors must also ensure adequate data security measures.
8. Data Sharing
We may share personal data with:
Clients and project stakeholders
Regulatory authorities where required
Professional advisers (e.g., legal, financial)
All data sharing will be lawful, secure, and limited to what is necessary.
9. Data Retention
We will:
Retain personal data only for as long as necessary
Follow retention schedules based on legal and business requirements
Securely dispose of data when no longer needed
10. Individual Rights
Individuals have rights under UK GDPR, including:
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Requests will be handled in accordance with legal timeframes.
11. Data Breaches
In the event of a data breach:
It must be reported immediately to management
We will investigate and take appropriate action
Serious breaches will be reported to the Information Commissioner’s Office where required
12. Responsibilities
Management
Ensure compliance with data protection laws
Implement appropriate policies and controls
Employees & Subcontractors
Handle personal data responsibly
Follow company procedures
Report any data protection concerns or breaches
13. Training & Awareness
We will:
Provide data protection awareness training
Ensure employees understand their responsibilities
Promote good data handling practices
14. Monitoring & Review
We will:
Monitor compliance with this policy
Review and update procedures regularly
Respond to changes in legislation or guidance
15. Consequences of Breach
Failure to comply with this policy may result in:
Disciplinary action
Termination of employment or contract
Legal action where applicable
16. Review
This policy will be reviewed annually or when required.