Data Protection
Grand Masters Construction Practical Guide to Data Protection Table of Contents
1. Scope and Objectives
2. Governance
2.1. Grand Masters Construction Group
2.1.1. The Group Data Privacy Manager
2.1.2. The Group Privacy Operations Committee
2.2. Grand Masters Construction UK & Ireland Business Unit
2.2.1. The Executive Board
2.2.2. Data Protection Officer
2.2.3. Information Security
2.3. Divisions and Central Functions
2.3.1. Business and IT Owners
2.3.2. Data Protection Correspondent (DPC)
2.3.3. All Managers and Staff
3. Technical Measures
4. Organisational Measures
5. Data Processor's Obligations
5.1. Grand Masters Construction as a Data Processor
6. Special Category or Sensitive Personal Data
6.1. Criminal Convictions
6.2. Children
7. Privacy by Design
7.1. Data Protection Impact Assessments
8. Contracts
9. International Transfers of Personal Data
10. Privacy Notices 11. Awareness and Training
12. Data Subject's Rights
12.1. Data Subject Access Requests (DSAR or SAR)
12.2. Erasure
12.3. Rectification
12.4. Limitation on Processing
12.5. Data Portability
13. Requests from Third Parties for Access to Personal Data
13.1. The Grand Masters Construction Group/Other UK Entities
13.2. The Police 13.3. Other Third Party Requests
14. Incidents and Personal Data Breaches
14.1. Suspected Incident or Personal Data Breach
14.2. Breach Management
14.3. Notification to the Regulator, Data Subjects, and the Group
14.4. Remediation
14.5. Breach Register
​
1. Scope and objectives Grand Masters Construction group is organized by way of business units and divisions. In practical terms, this means that Grand Masters Construction UK & Ireland cannot be a Data Controller in its own right as it is not a legal entity. However, each of the legal entities which make up the Grand Masters Construction UK business unit and which Process Personal Data (e.g., Grand Masters Construction Services Limited) will be a Data Controller. The Data Protection Policy and this Practical Guide to Data Protection (further referred to as the "Policy") is primarily intended to apply to Data Processing activities for which a Grand Masters Construction entity is the Data Controller. We recognize that in many situations Grand Masters Construction will process Personal Data on behalf of our customers as part of our service delivery to those clients. In those situations, the client will typically be the Data Controller, and Grand Masters Construction staff working on those contacts should follow the client's data protection policy and procedures. In the absence of such client documents, the governance within this Policy should be adhered to. All employees and persons engaged by Grand Masters Construction must observe this Policy. Guidance can be obtained by contacting info@gmcltd.co.uk or from the Data Protection Officer or local Data Protection Correspondent (see further below).
​
2. Governance Following the Group Data Privacy Policy (Group Policy), overall responsibility for compliance will lie at the UK & Ireland business unit level. The sections below describe the respective roles and responsibilities within Grand Masters Construction.
2.1. Grand Masters Construction Group
2.1.1. The Group Data Privacy Manager The main duties of the Group Data Privacy Manager are to ensure the effective implementation of the Group Policy and to coordinate the related activities of the local Data Protection Officers / Managers in the Group's business units.
2.1.2. The Group Privacy Operations Committee The Group Privacy Operations Committee ("PROCOM") meets quarterly and manages activities concerned with Group-wide data protection activity. Grand Masters Construction UK & Ireland will be represented at the PROCOM by the UK Data Protection Officer (see 2.2.2. below) or his/her nominated deputy.
2.2. UK & Ireland business unit
2.2.1. The Executive Board The Executive Board is ultimately responsible for the day-to-day management of the business (including with regards to data protection). It requires that all areas of the business comply with all relevant data protection legislation. It shall formally appoint the Data Protection Officer ("DPO") and support the General Counsel in ensuring that the Data Protection Officer is given the necessary resources and time to fulfill the missions assigned in accordance with the Group Policy.
2.2.2. Data Protection Officer The Group Policy places the responsibility for the protection of personal data with the Legal Director of each Business Unit (being the General Counsel for Grand Masters Construction UK & Ireland), to whom the Data Protection Officer reports. The DPO coordinates activities relating to the protection of personal data within the business unit and will be the primary point of contact for the Group Data Privacy Manager.
2.2.3. Information Security The Chief Information Security Officer (CISO) and his/her team shall work with the DPO in ensuring that appropriate technical measures as required by law are in place by offering their expertise and support in the area of data privacy, both for the purposes of data processes hosted internally and with a third party. The CISO's primary functions in this area are as follows: - Advising on the appropriateness of technical measures taken by (potential) Data Processors; - Advising on the selection of Data Privacy functions and systems, commenting on the appropriateness of the technical measures taken and making recommendations; - Being the contact point for all matters relating to the security of Data Processing activity; - Advising the Data Protection Officer if any audit which they conduct reveals breaches, issues, or significant concerns with respect to Data Processing.
2.3 Divisions and Central Functions Each Division is responsible and accountable for the data processing activity that it undertakes (or that it has implemented by a Data Processor), and the respective Divisional Chief Executive Officer ("DCEO") shall be responsible for ensuring compliance with this Policy and with all data protection legislation applicable to it.
2.3.1. Business and IT Owners Each system, application, or process identified as Processing Personal Data shall have a Business Owner and an IT Owner assigned. These shall be responsible for making business decisions (e.g., retention period; permission levels and staff categories for access, etc.) and IT implementation and technical protections respectively.
2.3.2. Data Protection Correspondent ("DPC") Each Division shall appoint a DPC whose duties shall include the following: - Provide local advice and help to embed a compliant culture with respect to data protection, including promoting this policy and relevant procedures. - Ensure that the DPO is made aware of all new systems, applications, and Data Processing activity. - Identify local training needs and consult with the DPO as to delivery. - Ensure that all data subject access requests are notified to the DPO promptly, assisting in information gathering and the response as required. - Ensure that all Personal Data Breaches are notified to the DPO in accordance with section 14 below. - To take an active role in the completion of Data Privacy Impact Assessments (see section 7 below). - Such other activity as may be delegated or assigned by the DPO. The DPO, or his/her nominated deputy shall act as the DPC for central/support functions.
2.3.3. All Managers and staff All managers and staff are responsible for: - Understanding their data protection responsibilities in relation to their role. - Ensuring that data protection requirements are observed throughout their work area and by their staff. - Understanding and complying with this Policy, associated guidance, processes, and procedures as well as other relevant policies such as Cyber and Information Security Policies and Procedures. - Contacting their Manager, the DPC, or the DPO for guidance if they are in any doubt about how they should deal with any Personal Data or consult Information Security if they have any concerns about how to keep Personal Data secure. - Only processing Personal Data in the manner that is authorized for the purpose of performing their role or with management authorization. - Ensuring any Personal Data which they handle is kept securely and in accordance with all Grand Masters Construction policies, procedures, processes, and guidance. - Not disclosing orally or in writing or otherwise to any third party any Personal Data unless authorized. - Not sending Personal Data outside of Grand Masters Construction (including to clients) without express authority. Grand Masters Construction Personal Data must never be communicated by personal email or any form of internet-based information transfer site e.g., Dropbox or peer to peer communications such as Skype. - Consulting the DPC before processing Personal Data for a new purpose. - Promptly informing the DPO/DPC of any Subject Access Requests or complaints / inquiries relating to the treatment of Personal Data (see also section 12). - Promptly informing the DPO/DPC of any Personal Data Breaches of which they become aware (see also section 14).
3. Technical Measures All appropriate protection measures must be taken in light of the nature of the data, general accepted practice in the UK/Ireland, and the possible negative consequences to the Data Subject presented by the data. These measures must ensure that all data is kept confidential. To ensure the security and confidentiality of Processed Personal Data, measures such as Pseudonymisation, Anonymisation, and Encryption should be considered. Measures adopted should cover data in transit as well as at rest. Test environments using live Personal Data (as opposed to dummy or anonymized data) must also comply with this Policy and with data protection legislation. The appropriateness of technical measures should be regularly reviewed to ensure continued appropriateness given advances in technology. The responsibility for ensuring that appropriate technical measures are taken lies with the IT Owner, except for access controls for which the Business Owner is responsible for deciding their operation and the IT Owner their application. Information Security shall review the technical measures taken in relation to each system/application/process containing Personal Data and advise as to their adequacy and make recommendations. All access controls are to be reviewed no less than annually to ensure that they are operating effectively and that only individuals who legitimately require access to that Personal Data are afforded access to it. (The operation of access controls is not part of the Information security review referred to above).
4. Organisational Measures Organisational measures must be put in place to ensure that all Personal Data is processed in accordance with data protection legislation and the business unit's expectations as stated by the CEO in the Data Protection Policy. These measures can consist of controls (such as segregation of duties, supervisory checking, and access controls), written processes/procedures/guidance, training, and reviews/audits. The organisational measures put in place shall ensure the effective implementation of the data protection principles.
5. Data Processor's Obligations In circumstances where a Grand Masters Construction entity subcontracts Data Processing activity to a Data Processor, the Grand Masters Construction entity (as the Data Controller) remains responsible for the protection of that Personal Data. Data Processors must be selected for their ability to offer guarantees in respect of Personal Data protection. A contract or written agreement must be established providing for the Data Processor's obligations to comply with Personal Data protection rules including confidentiality and security measures (see also section 8 below). All Data Processors must be subject to Grand Masters Construction's privacy due diligence procedure before they may undertake any Data Processing activity on behalf of Grand Masters Construction. This procedure is available on the EMS or alternatively, please consult the DPO/DPC for further advice and guidance. 5.1. Grand Masters Construction as a Data Processor Where a Grand Masters Construction entity has been engaged by a client as a Data Processor, any written instructions from that client or terms in the contract which contradict this Policy will take precedence in relation to any Processing undertaken under that contract. The Data Controller rather than Grand Masters Construction shall be responsible for ensuring that Data Subject Requests (section 13) and privacy requirements (sections 7 and 10) are met. 6. Special Categories or Sensitive Personal Data Some types of Personal Data are deemed to be sensitive and require additional care and controls. The following types of Personal Data are deemed Special Category or Sensitive Personal Data. Information concerning: 1. Racial/ethnic origins 2. Political opinion/affiliation 3. Religious/philosophical beliefs (including lack of belief) 4. Trade union membership 5. Genetic or biometric data 6. Mental/physical health 7. Sexual orientation/activity Additional levels of control/technical/organisational measures must be applied to the Processing of Special Category Personal Data. Access should be limited to the minimum level of staff necessary. The DPO/DPC and Information Security must be involved if any new Special Category Personal Data processing activity is contemplated or if major changes are being implemented to existing Processing activity. 6.1 Criminal Convictions Personal Data which relates to criminal convictions and offences (this will include the fact that an individual does not have any convictions) are not to be stored. It is, however, permissible to record/store the fact that a Disclosure and Barring Service ("DBS") check has been carried out as well as its reference number and the date of the DBS certificate. Criminal record checks shall only be carried out in accordance with Grand Masters Construction's agreed procedure(s). The above definition of offences includes motoring offences. 6.2. Children While the Personal Data of children is not classified as Special Category Personal Data, it is to be given a similar treatment in terms of control/technical/organisational measures. Where the information is not collected directly from a parent or guardian, their written consent (or that of the child if over 14 years old) is to be obtained where Grand Masters Construction is the Data Controller. The written consent is to be kept as long as the Personal Data to which it relates. 7. Privacy by Design Privacy by design is a fundamental aspect of data protection legislation and encompasses two main elements: Privacy by Design: This principle ensures that the privacy rights of Data Subjects are taken into account at all stages of data processing. It involves incorporating specific technical and organizational measures into the processing to minimize the impact on Data Subjects. A Data Protection Impact Assessment (DPIA) should be completed to document this process. Privacy by Default: This principle dictates that only the Personal Data strictly necessary for the identified purposes should be processed. This includes limiting the amount of Personal Data collected, the extent of processing, the retention period of the data, and controlling access to the data. 7.1. Data Protection Impact Assessments: To address privacy concerns at all stages of processing, a Data Protection Impact Assessment (DPIA) must be completed when using new technologies or undertaking any processing likely to result in a high risk to the rights and freedoms of Data Subjects. DPIAs should be conducted at the earliest stage of design and development of new systems, applications, or processes. The Data Protection Officer (DPO) should assist in completing the DPIA, identifying potential weaknesses, and recommending mitigations or improvements. All DPIAs must be reviewed and approved by the DPO before commencing the relevant data processing activity. 8. Contracts: Data protection legislation imposes certain requirements on all contracts involving the Processing of Personal Data. These requirements include: - Clearly identifying the Data Controller and stating high-level details of the processing. - Prohibiting sub-processing without the Data Controller's consent. - Ensuring all instructions from the Data Controller are in writing. - Securely destroying the Personal Data or returning it to the Data Controller after the provision of services ends. - Committing to confidentiality and allowing for inspections or audits. Legally compliant model data protection clauses under English and Welsh law are available from the DPO. When Grand Masters Construction is the customer or client, its model data protection clauses should be used where possible. 9. International Transfers of Personal Data: Special care must be taken when Grand Masters Construction or a Data Processor on its behalf proposes to transfer or access Personal Data outside of the UK. While transfers within the European Union/European Economic Area (EU/EEA) are generally permitted without additional governance or safeguards, transfers to countries or territories outside the UK/EEA require certain conditions to be met. Consultation with the DPO/DPC is necessary regarding restricted transfers. 10. Privacy Section: Data Subjects have the right to control the information relating to them (their Personal Data). They shall be informed of any Processing of their Personal Data prior to the effective start of that Processing activity, and they benefit at any time from the rights outlined in section 12 below. As a Data Controller it is therefore imperative that we ensure that the Data Subjects whose Personal Data we process, fully understand the reasons why Grand Masters Construction processes their Personal Data, how we handle that data and what we do with it. Therefore, basic information must be provided to Data Subjects via a Privacy Notice which can be a standalone document or part of a Privacy Policy on a website. Information contained within the Privacy Notice will include, but is not limited to: The Privacy Notice provided to Data Subjects should include the following information: 1. Name of Grand Masters Construction entity processing the Personal Data and contact details of the Data Protection Officer (DPO). 2. Purposes of the Processing and the legal basis for it. 3. Explanation of legitimate interests if Processing is based on this ground. 4. Information on any transfer of Personal Data outside the European Economic Area (EEA), including lawful basis or appropriate safeguards. 5. Retention period for the Personal Data. 6. Data Subjects' rights, including access, rectification, erasure, restriction of Processing, objection to Processing, and data portability. 7. Right to withdraw consent if Processing is based on consent. 8. Right to lodge a complaint with the relevant Supervisory Authority. 9. Explanation of any automated decision-making and its consequences if applicable. 11. Awareness and Training: All Grand Masters Construction employees are obligated to complete mandatory Personal Data Protection training. Additionally, staff whose roles involve frequent processing of Personal Data must receive further training, with records maintained. The Data Protection Officer (DPO) is responsible for raising awareness of personal data protection within their division and arranging additional training as necessary. 12. Data Subject's Rights: Data protection legislation grants Data Subjects various rights regarding the Processing of their Personal Data, summarized as follows: 12.1. Data Subject Access Requests (DSAR or SAR): Any requests from Data Subjects for copies of their Personal Data, referencing data protection legislation, specific terms, or relevant authorities, are treated as requests for access under data protection legislation. These requests must be acknowledged and responded to within the statutory timeframe, with a log maintained by the DPO. 12.2. Erasure: Data Subjects have the right to request the erasure of all or part of their Personal Data, known as the right to be forgotten, subject to certain conditions. Requests for erasure must be referred to the DPO for consideration on a case-by-case basis. 12.3. Rectification: Data Subjects can request the correction of inaccurate Personal Data. If a system does not permit changes, a file note may be inserted to record the correction. Local processes should enable Data Subjects to exercise this right, with referrals made to the DPO/DPC. 12.4. Limitation on Processing: Data Subjects have the right to object to the continued processing of their Personal Data, even if they previously consented to the Processing. Such requests must be referred to the DPO/DPC promptly. 12.5. Data Portability: Data Subjects have the right to data portability, allowing them to obtain a copy of their Personal Data in a machine-readable format for transfer to themselves or a third party. Requests for data portability should be referred to the DPO/DPC. 13. Requests from third parties for access to Personal Data This section does not apply to requests from Data Subjects (see section 12.1 above). 13.1. The Grand Masters Construction Group / other UK entities All transfers of Personal Data to other members of the Grand Masters Construction Group must be made under a signed contract meeting the provisions of section 8 (contracts) and section 9 (international transfers) as appropriate. 13.2. The Police With the exception of a request to view CCTV footage of an ongoing incident, all requests from the police or the Garda seeking access to Personal Data shall be immediately referred to the DPO who will decide whether the requested Personal Data can be shared in a manner which complies with the data protection principles. The DPO may delegate authority to a DPC, in which case the DPC shall review the request and the Personal Data to be supplied in response to it. All requests for HR information shall be shared with the relevant HR Director and the Employment Legal Counsel or other person nominated by the General Counsel. In situations where Grand Masters Construction operates a CCTV system as a Data Processor on behalf of a client, all requests to review CCTV footage shall follow any policy or procedure specified by the client/Data Controller. In the event that the Data Controller has not published a specific policy or procedure, please consult the DPO or DPC at the earliest opportunity. 13.3. Other third-party requests All other requests from third parties are to be referred to the DPO for a decision on whether the requested Personal Data can lawfully be shared. Any sharing of Personal Data which does not comply with this section may well amount to unlawful Processing and should be referred to the DPO as a potential Personal Data Breach (see section 14 below). 14. Incidents and Personal Data Breaches 14.1. Suspected Incident or Personal Data Breach A Personal Data Breach or "Breach" is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The following are examples of a Breach: • A manager sending an e-mail containing an individual's outstanding holiday entitlement to the wrong person; • An administrator amending the personal details which Grand Masters Construction holds for an employee as the result of a phishing e-mail; • Access permissions being incorrectly applied to a system or shared site, enabling employees to access Personal Data which they should not have access to. Any employee who becomes aware of a potential Personal Data Breach shall immediately notify the DPO or the relevant DPC. Where applicable, any approved local Breach notification procedure must also be adhered to. 14.2. Breach management On becoming aware of a Personal Data Breach, the DPO shall risk assess the Breach, giving due consideration to the impact on the Data Subjects concerned. The DPO will advise the General Counsel (and the UK's Ethics Officer if a different person) of any Breaches which present a risk to the rights and freedoms of the individuals concerned. 14.3. Notification to the Regulator, Data Subjects, and the Group Data protection legislation prescribes that certain Breaches must be notified to the relevant Supervisory Authority and/or the individuals concerned within defined timescales. The decision as to whether this threshold has been met will be made by the General Counsel following discussion with the DPO. The DPO will also be responsible for coordinating any notification to Data Subjects where appropriate and shall act as the focal point for questions from Data Subjects. The DPO shall notify the Group Data Privacy Manager of a high-risk Breach or incident. 14.4. Remediation Following a high-risk Breach, the Data Protection Officer (together with other persons as appropriate) shall undertake a review of the Breach and its circumstances. The findings and any recommended remediations shall be reported to the General Counsel and management team of the relevant business/function. All remediations are to be actioned within a timeframe agreed with the DPO, and progress is to be reported monthly to the local Executive Board/senior leadership team. 14.5. Breach Register The DPO shall maintain a register of all Breaches across the business unit as required by data protection legislation, which shall be available for inspection by the Regulator on demand. Appendix 1: Definitions Anonymisation: Refers to any information related to a natural person where the person cannot be identified, either by the Data Controller or by any other person, taking into account all the means reasonably to be used to identify that individual. CISO or Chief Information Security Officer: The manager in charge of each business unit of the deployment of the Group Cyber Security Policy for its Entities with functional report to the Group Cyber and Information Security Officer. Data Controller: The natural or legal person responsible for determining the purpose and methods of the Data Processing that have been implemented or are to be implemented. The Data Controller is bound to take every precaution necessary to ensure Data Privacy. Data Protection Correspondent: The individual responsible for Personal Data protection in Grand Masters Construction UK and Ireland BU. Data Processing: Any operation or set of operations involving Personal Data, whatever the method or means used, particularly collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, blocking, deletion, or destruction. Data Processor: (Sub)contractor to whom the Data Controller assigns all or part of the operations relating to its Data Processing. Data Privacy/Data Protection: Set of actions, activities, methods, processes, organizations, and so forth aiming at protecting Personal Data and ensuring compliance with applicable data protection legislation and regulations. Data Privacy Management System: It is the framework of data protection activities, processes, and procedures by which the Group achieves compliance with Group Data Privacy Policy. Data Subject: A living individual whose Personal Data are being processed by a Data Controller or a Data Processor. Encryption: The process of encoding messages or information in such a way that only authorized parties can read it. Entity: Legal entity within the consolidated scope of the Group (global integration). European Economic Area (EEA): The area in which the Agreement on the EEA provides for the free movement of persons, goods, services, and capital within the internal market of the European Union (EU). Group Data Privacy Manager: The person appointed at Group level to define and disseminate good practices relating to Data Privacy and to ensure their application. Information System (IS): Structured groups of processes and organizational, material, and software resources that make it possible to acquire, process, store, distribute, and destroy information in electronic format. Irish Processing: Comes within the realm of Data Subjects in Ireland where Grand Masters Construction is required to comply. Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Data Breach or Breach: Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Process, Processing, or Processes: Any operation or set of operations performed on Personal Data, including collecting, storing, structuring, recording, changing, sharing, or disclosing in any format (including paper). Pseudonymisation: Is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymisation, therefore, may significantly reduce the risks associated with Data Processing, while also maintaining the data's utility. Regulator: Means the UK Information Commissioner's Office Special Category Personal Data or Sensitive Personal Data: Means Personal Data that may affect the Data Subject's most intimate sphere or that, in case of misuse, could give rise to discrimination. It is defined in Section .6 Summary Record of Processing (SRP): Means the document which summaries how Grand Masters Construction UK & Ireland complies with data protection legislation, and the associated procedures and other evidence. Grand Masters Construction Data Protection Policy Grand Masters Construction UK ("Grand Masters Construction", "We" or "Us") acknowledges that the proper treatment of Personal Data is a fundamental requirement of our business and is essential to successfully manage our operations while maintaining customer confidence. We are committed to complying with all laws and regulations relating to the processing of personal data, and will protect the privacy of those individuals whose information we handle in the course of our day-to-day activities. These are values which are enshrined within our Group's Code of Ethics. Personal Data is any information relating to an identified or identifiable individual. This can be achieved either through reference to one or more elements specific to the individual (e.g., surname, first name, email address, IP address, etc.) or via an identification number (e.g., employee number or National Insurance number). "Processing" Personal Data will include any activity which Grand Masters Construction undertakes in relation to this data, and will include collecting, storing, sharing, or otherwise disclosing the data, regardless of whether this happens electronically or in paper format. Data protection legislation and this policy are based on seven key principles. We all must ensure that we apply these principles when handling Personal Data in the workplace. Failure to comply with these principles could render the relevant Processing activity unlawful and may expose Grand Masters Construction to the risk of enforcement action, fines, reputational damage, and compensation claims. The seven data protection principles are as follows: 1. Only Process Personal Data if you have a lawful basis for doing so under the UK GDPR, and in a manner which the individuals concerned have been notified of or could reasonably expect. 2. Always clearly identify the purposes for which Personal Data is Processed and do not use the data for unrelated or secondary purposes (i.e., the data cannot be "repurposed"). 3. Personal Data that we Process should be adequate, relevant, and limited to that which is strictly necessary to achieve the purposes for which the data was collected. 4. Personal Data that we Process must at all times be accurate and kept up-to-date. 5. Personal Data should not be kept for any longer than is necessary to achieve its purpose. 6. Grand Masters Construction shall ensure that an appropriate level of security is applied to any Personal Data to protect the data from unauthorized or unlawful access, loss, alteration, destruction, or damage. 7. As an organization, Grand Masters Construction must be able to demonstrate compliance with each of the above six principles. This Policy provides a framework and may be supplemented by specific policies, processes, or procedures as required. How these principles translate into best practices that we should all apply when Processing Personal Data is set out in the Practical Guide to Data Protection, which supplements this Policy. This policy should also be read in conjunction with Grand Masters Construction's Cyber and Information Security policies. This Policy applies to employees at all levels and to all temporary workers whether agency workers, consultants, or interim staff (collectively "staff"). This Policy does not form part of any employee's contract of employment and may be reviewed from time to time. Chief Executive Officer Grand Masters Construction UK