Menu
Information
HomeProjectsAboutServicesComplex IndustriesSpace & AerospaceDesigns for DefenceGovernanceArticlesContactRate Cards
Services
Bespoke Website Development
Headless CMS
Omnichannel Marketing
Data Driven Marketing
Creative Services
Branding Services
Consultation & Support
SEO Optimisation
PPC & SMM
View All +
Retainers & Business Units
Gravitas Enterprise360
Delta V
Birkwood Research
Gravitas Optimise
Flow
Gravitas Reach
View All +
Quick Links
Client PortalBook a MeetingService StatusHosting & Support
Specialised Services
Complex IndustriesPre-seed MarketingSpace & AerospaceDesigns for Defence
Get in touch
studio@gravitasengland.com

+44 (0) 1904 530 583

Start a project
Menu

Data Protection

Version Control: V1.0.1
Format: Online

1. Introduction

This policy establishes how Gravitas Studio Ltd (trading as "Gravitas Group" and "Gravitas") ensures compliance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The policy applies to all personal data processed by our employees, contractors, and representatives across all business operations and client engagements.

2. Data Protection Principles

Our approach to data protection is founded on the fundamental principles established by UK GDPR. We ensure all data processing is lawful, fair, and transparent, with clear purposes that are communicated to data subjects. We collect only the minimum data necessary for specified purposes and maintain its accuracy throughout its lifecycle. Our storage periods are defined and limited, with robust security measures protecting all data. We maintain comprehensive records demonstrating our accountability and compliance with these principles.

3. Roles and Responsibilities

The Data Protection Officer serves as the cornerstone of our data protection framework, providing essential oversight and guidance for all data processing activities. They maintain regular monitoring of our compliance, provide expert advice on our data protection obligations, and serve as the primary contact point for both data subjects and the Information Commissioner's Office.

All staff members play a crucial role in maintaining data protection standards. Through comprehensive training and clear procedural guidance, our team understands their responsibilities in protecting personal data. Each member of staff is equipped with the knowledge and tools necessary to process data appropriately and maintain required security standards.

4. Data Processing Procedures

Our data collection processes are designed to ensure we gather only necessary information while maintaining full transparency with data subjects. We provide clear information about our data collection purposes and obtain appropriate consent where required. All processing activities are documented with their lawful basis clearly established.

We maintain rigorous standards for data storage, implementing comprehensive security systems that protect all personal data. Our access control systems ensure data is only accessible to authorised personnel, with encryption providing additional protection for sensitive information. Regular security reviews and robust backup procedures maintain the integrity and availability of all stored data.

Data processing activities are strictly controlled and monitored. We ensure all processing serves specified, explicit purposes and remains necessary and proportionate. Comprehensive records of all processing activities are maintained and regularly reviewed to ensure ongoing compliance.

5. Security Measures

Our technical security framework encompasses multiple layers of protection. We implement enterprise-grade encryption for all data, both in transit and at rest. Network configurations are regularly reviewed and updated to maintain security, while access control systems ensure appropriate data access. Continuous monitoring and systematic logging provide clear audit trails of all data interactions.

The organisational security measures complement our technical controls. All staff undergo regular security awareness training and follow clear security protocols. Device management policies ensure appropriate protection of all equipment, while physical security measures protect our premises and hardware.

6. Data Subject Rights

We are committed to upholding the rights of all data subjects. These rights include:

  • The right to be informed about how their data is used
  • The right to access their personal data
  • The right to have inaccurate data corrected
  • The right to have their data erased in certain circumstances
  • The right to restrict processing of their data
  • The right to data portability
  • The right to object to data processing
  • Rights relating to automated decision making

7. Data Breach Response

Our data breach response framework ensures swift and effective action in the event of any security incident. Upon identification of a potential breach, immediate steps are taken to contain the incident and assess its severity. Our documented response procedures ensure consistent handling of all incidents, with appropriate notifications made to affected parties and authorities when required.

The response process includes thorough investigation and documentation of each incident, followed by comprehensive reviews to prevent recurrence. We maintain detailed records of all breaches and our responses, using these to continuously improve our security measures.

8. International Data Transfers

Our approach to international data transfers ensures compliance with UK GDPR requirements while maintaining operational efficiency. We carefully assess each international transfer to ensure appropriate safeguards are in place. Where transfers rely on adequacy decisions, we monitor their ongoing validity. For transfers requiring additional measures, we implement robust contractual and technical safeguards to protect personal data.

The security of international transfers is maintained through continuous monitoring and regular reviews. We document the legal basis for each transfer and maintain records of all safeguards implemented. Our transfer mechanisms are regularly evaluated to ensure they remain appropriate and effective as regulatory requirements evolve.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for all high-risk processing activities to identify and minimise data protection risks. These assessments are particularly crucial when implementing new technologies, processing sensitive data, or conducting large-scale data operations. Our DPIA process involves systematic evaluation of processing activities, identification of risks, and implementation of mitigation measures.

Each DPIA follows a structured methodology to ensure thorough risk assessment and appropriate mitigation. We document all findings and recommendations, implementing necessary changes before proceeding with processing activities. Regular reviews ensure our assessments remain relevant as processing activities evolve.

10. Training and Awareness

Our comprehensive training programme ensures all staff maintain high standards of data protection awareness and compliance. New employees receive detailed data protection training during onboarding, while regular refresher sessions keep all staff updated on best practices and regulatory requirements. Training content is regularly updated to reflect changes in legislation and emerging threats.

We maintain detailed records of all training activities and regularly assess their effectiveness. Training materials are continuously refined based on feedback and changing requirements. This ensures our staff remain well-equipped to handle personal data appropriately and maintain security standards.

11. Compliance Monitoring

Our compliance monitoring framework ensures continuous adherence to data protection requirements. Regular internal reviews assess all aspects of our data protection practices, from processing activities to security measures. These reviews are supplemented by external audits when required, providing independent verification of our compliance.

Monitoring activities feed into our continuous improvement process. Findings from reviews and audits inform updates to policies and procedures, ensuring our data protection framework remains effective and current. Staff feedback and incident reports provide additional insights for improvement.

12. Policy Review and Updates

This policy undergoes regular review to ensure it remains appropriate and effective. Reviews consider changes in legislation, technological developments, and operational requirements. Updates are communicated to all staff, with additional training provided when significant changes occur.

Contact Information

For all data protection enquiries:

Data Protection Officer
Gravitas Studio Ltd
Popeshead Court Offices
Peter Lane
York
YO1 8SU

All rights reserved. © Gravitas Studio Ltd 2024

Connect
studio@gravitasengland.com
+44 (0) 1904 530 583
Client Portal    |    Book a Meeting    |     Service Status
Newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Information
HomeProjectsAboutGovernanceArticlesContactRate Cards
Specialised Services
Complex IndustriesPre-seed MarketingSpace & AerospaceDesigns for Defence
Services
Bespoke Website Development
Headless CMS
Omnichannel Marketing
Data Driven Marketing
Creative Services
Branding Services
Consultation & Support
SEO Optimisation
PPC & SMM
Development Services
Integrated Solutions
Business Development Support
AI & Programmatic Marketing
Copywriting and Content Marketing
Our Other Brands
Gravitas Reach
Gravitas Enterprise360
Delta V
Birkwood Research
Gravitas Optimise
Flow
Copyright Gravitas Studio Ltd 2025. All Rights Reserved    |    Company Number 11708586
Cookies Preferences
Accessibility Options