GDPR Policy

This regulation replaces our current Data Protection Policy and is in line with the EU data protection framework being adopted from 25th May 2018. All Next Steps employees are responsible for compliance and ensuring that personal information maintained by Next Steps is not disclosed orally or in writing or accidentally or otherwise to any unauthorised third party. Any deliberate breach of this policy by any employee may lead to disciplinary action being taken against them. These regulations set out procedures which are to be followed when dealing with personal data. The procedures set out herein are followed by Next Steps, its employees, contractors, agents, consultants, partners and any other parties working on behalf of Next Steps. Next Steps views the correct and lawful handling of personal data as the key to its success and dealings with third parties and its employees. Next Steps shall ensure that it handles all personal data correctly and lawfully.

Our Data Protection Principles:

All Personal Data:

  • Must be processed fairly and lawfully
  • Must be obtained only for specified and lawful purposes and shall not be processed in any manner which is incompatible with those purposes;
  • Must be adequate, relevant and not excessive in relation to the purposes for which it is processed;
  • Must be accurate and, where necessary, kept up-to-date;
  • Must be kept for no longer than is necessary for the purpose(s) for which it is obtained
  • Must be processed in accordance with the rights of data subjects;
  • Must be protected against unauthorised or unlawful processing, accidental loss, destruction or damage by the implementation of appropriate technical and organisational measures; and
  • Must not be transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Personal Data

Personal data is defined as data which relates to a living individual who can be identified from that data or other information which in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The regulations also define “sensitive personal data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Employees’ Personal Data

Next Steps only holds personal data which is directly relevant to its employees. That data will be held and processed in accordance with the data protection principles and with these regulations. The following are examples of data which may be collected, held and processed by Next Steps:

  • Identification information relating to employees including, but not limited to, names and contact details;
  • Equal opportunities monitoring information including age, gender, race, nationality and religion;
  • Health records including details of sick leave, medical conditions, disabilities and prescribed medication;
  • Employment records including, but not limited to, interview notes, curricula vitae, application forms, assessments, performance reviews and similar documents;
  • Details of salaries including increases, benefits and expenses;
  • Records of disciplinary matters including reports and warnings, both formal and informal;
  • Details of grievances including documentary evidence, notes from interviews, procedures followed and outcomes.

Other Person’s Personal Data

Information relating to individuals will be obtained for the delivery of services. This could include confidential information such as names, addresses, personal circumstances, credit or debit card details, bank details etc. Care is taken to ensure that the information being obtained is adequate, relevant and not excessive for the purpose it is intended to be used for. The information will not be processed or stored in any manner incompatible with that purpose. The information will be kept safe from unauthorised access, accidental loss or destruction, and will not be maintained for longer than is necessary.

Access to Data

Employees and other individuals that Next Steps hold information about have the right to access any personal data maintained about them electronically or in paper files. The application must be made in writing, accompanied by the correct fee before the application is processed. Upon receipt of a Subject Access Request, Next Steps shall have a maximum period of 40 days within which to respond

Data Breach

Next Steps will notify the GDPR of data breaches where appropriate. This will be done without undue delay, and where feasible, within 72 hours of awareness. Next Steps will provide a reasoned justification if this timeframe cannot be met. Where relevant, the data controller (or Next Steps representative) will also notify the affected data subject without undue delay. Additionally, Next Steps will also contact the UK ICO in the event that a serious breach has occurred. Next Steps will not notify the GDPR if the breach is unlikely to result in a risk to the rights and freedoms of individuals. The threshold for notification to data subjects is that there is likely to be a “high risk” to their right and freedoms. Next Steps ensure that procedures are adopted internally for handling data breaches in all cases.


Next Steps ensure that any request for consent will be verbal, prominent and separate from any business terms and conditions that may need agreeing to. We will specify in clear, plain language why we require personal data and what our intentions are relating to the data. Next Steps will name our organisation and any third parties that data may be shared with in any communication or correspondence relating directly to consent. Next Steps will not use personal data for the act of marketing so no consent will be required for this purpose. In the event that consent if deemed necessary for this purpose, Next Steps will make it clear and easy for the individuals to withdraw their consent at any time and publicise how to do so. Next Steps will act on withdrawals of consent as soon as practicably possible and no individual will be penalised for wishing to withdraw their consent