Risk Management Process
Leo’s will maintain an information asset register, and will map and risk-assess its data flows.
Regarding information collection, Leo’s will ensure it is explicit about how it plans to use collected data. Explicit consent must be given in an intelligible and easily accessible form, and it will be as easy to withdraw consent as it is to give it. Parental consent will be required to process the personal data of children.
The Right to be Forgotten (also known as Data Erasure) entitles the data subject to have the data controller erase his/her personal data and cease further dissemination. Leo’s will respect and action this on request.
It is important to remember that explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice.
Subject access requests
Under GDPR, all data subjects have the right to obtain from the data controller (Leo’s) confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, Leo’s will provide a copy of the personal data, free of charge, in an electronic format if requested to do so, within legal deadlines.