GDPR DATA PROTECTION POLICY
For True North HR solutions

1. Introduction
True North HR solutions is committed to protecting and respecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy outlines how we collect, use, store, and protect personal data relating to clients, employees, suppliers, and other individuals.

2. Scope
This policy applies to all employees, contractors, and third parties who process personal data on behalf of True North HR solutions.

3. Data Protection Principles
We adhere to the following principles under UK GDPR:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

4. Lawful Basis for Processing
We process personal data under one or more of the following lawful bases:

  • Consent

  • Contractual necessity

  • Legal obligation

  • Legitimate interests

  • Vital interests

  • Public task (where applicable)

5. Types of Personal Data Collected
We may collect and process the following data:

  • Name, address, email, phone number

  • Employment and recruitment information

  • Financial and billing information

  • Identification documents

  • Technical data (e.g. IP address, website usage)

6. How We Use Personal Data
We use personal data for:

  • Delivering our services

  • Managing client relationships

  • Recruitment and HR purposes

  • Compliance with legal obligations

  • Marketing (with appropriate consent where required)

7. Data Sharing
We may share personal data with:

  • Service providers and partners

  • Legal and regulatory authorities

  • Professional advisers

All third parties are required to respect the security of personal data and process it in accordance with the law.

8. International Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses.

9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.

10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:

  • Access controls

  • Encryption where appropriate

  • Secure storage systems

  • Staff training

11. Data Subject Rights
Individuals have the following rights under UK GDPR:

  • Right to access their data

  • Right to rectification

  • Right to erasure (“right to be forgotten”)

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights related to automated decision-making

Requests should be submitted to: [Insert Contact Email]

12. Data Breaches
We have procedures in place to detect, report, and investigate personal data breaches.
Where required, breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

13. Responsibilities

  • Management is responsible for ensuring compliance with this policy.

  • Employees must follow this policy and report any concerns.

  • A Data Protection Officer (if applicable) oversees compliance.

14. Training
We provide regular data protection training to ensure staff understand their responsibilities.

15. Policy Review
This policy will be reviewed regularly and updated as necessary.

Contact Information
For questions about this policy or data protection practices, please contact:
Jessica Mountjoy
jessicamountjoy@truenorthhrsolutions.co.uk
[Business Address]

Approved by:
Date: 1st April 2026