Data Protection


This Data Protection Policy document is intended to help us comply with our obligations under the General Data Protection Regulation (GDPR) and the UK Data Protection Regulations 2018.


All staff, suppliers and sub-contract workers are required to be aware of, understand and comply with our Data Protection policies and procedures which are designed to help keep personal data safe and to reduce the risks to personal data held by Elan Homes.


Elan Homes encompasses the following business’s whose trade takes place from a number of locations:


   Elan Homes Holdings Limited


  Elan Homes Limited


 Elan Homes Land Limited


    Elan Homes Properties Limited


  Elan Homes Midlands Limited


 Elan Homes Lancashire Limited


 Elan Homes Strategic Limited


       Elan Homes Scotland Limited

  Elan Homes SEQ Limited


 Erie Basin Limited




What are the Risks?

Extreme care must be taken when processing personal data.


Processing’ applies to anything that can be done to records, including obtaining, recording, holding, storing, disclosing, publishing, typing, writing, destroying or disposing.


Information must be kept secure. Lost or stolen data can be used to commit offences such as fraud or identity theft. As such, personal data is a high value commodity on the black market and it is our responsibility to keep it safe and secure.

The risks of not looking after data properly include:


Customer detriment

Adverse publicity / reputational damage

Business interruption

Enforcement action

Financial crime / Cyber crime


We don’t take these risks lightly and all staff are expected to play a part in protecting our business, our customers and the personal data in our possession.


What is “Personal Data”?


To understand and use this policy, it is important to understand what ‘personal data’ is.


‘Personal Data’ is defined by the Information Commissioners Office (ICO) as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that natural person

To consider whether a living person is ‘identifiable’, we need to consider if the information we hold would enable an unauthorised 3rd party to identify and contact them e.g. an unusual surname, telephone number, email or postal address.


Personal data may be stored in different forms, for example, on computer, CCTV images, photographs, or in paper based manual files.

We must take additional care where we process ‘special categories’ of data and any data relating to criminal convictions. This is because the loss, theft or accidental disclosure of this type of information could potentially be damaging to the individual and put Elan Homes at risk of punitive actions by the ICO.


 ‘Special Categories’ of personal data:

▪ Racial or ethnic origin

▪ Political opinions, religious or philosophical beliefs

▪ Trade union membership

▪ Genetic and biometric data

▪ Health

▪ Sex life or sexual orientation


Complying with GDPR & the Data Protection Principles

To comply with the GDPR, we must:

  • Process personal data fairly, lawfully and in accordance with the rights of the data subject and the six Data Protection Principles.
  • Be able to demonstrate how we comply with the above (this is referred to as the “accountability” principle).


We have a Group Data Protection Manager designated for data protection compliance. We have assessed the criteria for a formal Data Protection Officer (DPO) to establish Elan Homes does not require a DPO i.e. not a public authority, no automated decision making, no regular or systematic monitoring of individuals nor do we process large scale special category data.

There are six Data Protection Principles & this is how we comply:

1. Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject (the principle of “lawfulness, fairness and transparency”);

  • Under GDPR, we must identify a ‘legal basis’ for each different category of personal data we process. If we don’t have an appropriate legal basis for processing each category of data, then the processing would be classed as unlawful.
  • We have carried out a data audit to identify which legal basis we use to process various categories of data and we have documented this in our Record of Processing Activities, using the template provided by ICO on their website.
  • We provide a Privacy Notice to our customers, where applicable. This document explains to our customers what we do with their data, on what legal basis we process it, how long we keep it for, how we keep it safe and whether it will be disclosed to anyone else.
  • The Privacy Notice also contains other information (required by GDPR) including an explanation of customers’ rights in relation to their personal data. Further information about our policies and procedures for dealing with the rights of Data Subjects is set out later in this document.

2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • We tell our customers (in our Privacy Notice) why we are collecting their data and what we use it for.
  • We only collect information needed for a specific purpose and we don’t use it for anything else.

3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of “data minimisation”);

  • We only collect information we need for the purposes we need it, we don’t collect, store or otherwise process irrelevant or extra information that we don’t need.


  1. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of “accuracy”)
  • We try at all times to make sure all personal data we process is accurate, relevant and kept up-to-date.
  • When the data is no longer required, we will delete it in line with our Data Retention policy, which is set out later in this document.

5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

  • We will only hold as much data as needed and only for as long as we need it.
  • We have explained this further in our Data Retention Policy, set out later in this document.


6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of “integrity and confidentiality”)

  • We must keep data secure and protect it from being inappropriately used, lost, disclosed or stolen.
  • Our Data Security Policy, set out on the following pages, outlines our internal policies and explains the organisational and technical measures we have put in place to protect personal data.
  • We do not transfer any data to a country outside the EU.



Rights of Data Subjects & How we deal with them

The right to be informed

Individuals have the right to be informed about what is happening with their personal data (including what we use it for and why).

Under GDPR we have to give certain information to individuals whose personal data we intend to process. We do this by providing them with a Privacy Notice, which contains all the information they need and that we are required to give them.

A Privacy Notice is available on our website and a copy must be given to all individuals where we intend to process their personal data.

The right of access

Individuals have the right to access their personal data. This means they can ask for a copy of the personal data we hold on them and we are required to give it to them.

Our internal policy for Dealing with Subject Access Requests is set out later in this document.

The right to rectification

Individuals have the right to insist that we correct any inaccurate or incomplete personal data we hold on them.

If a data subject requests rectification of the data we hold on them, we will co-operate internally to action this request as quickly as possible.

We consider it equally important for us to hold correct data on our data subjects as it is for our data subjects.

The right to erasure

If an individual requests erasure of the personal data we hold on them, we will comply with this request only where:


  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • The individual has withdrawn consent and there are no other legal grounds for the processing;
  • The personal data have been unlawfully processed;
  • The personal data must be erased for compliance with a legal obligation in UK law to which we are subject.


This is a complex matter and all requests for the erasure of personal data should be referred to the GDPR Steering Committee who will evaluate them on a case by case basis.

The right to restrict processing

Individuals have the right to request that we temporarily stop processing their personal data in certain circumstances:


  • Where they contest the accuracy of the personal data;
  • Where the processing is unlawful;
  • Where we no longer need the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims;
  • Where they have objected to processing, but we need to verify whether the legitimate grounds for processing override those of the individual data subject.

In all cases, the GDPR Steering Committee will deal with these requests on a case by case basis.

The right to data portability


Due to the nature of our business and lack of automated decision making we do not expect to receive such requests.

Where a request is made for data portability, this should be referred to GDPR Steering Committee.

The right to object

All individuals have the right to object to processing of personal data at any time.

Where we receive an objection to processing from an individual data subject, this should be referred to the GDPR Steering Committee who will assess whether it is possible to meet this request or whether another legal basis for processing may prevent this.

If an individual data subject objects to receiving direct marketing material, no further processing will take place for marketing purposes, other than to record the objection on a suppression list.

Rights in relation to automated decision making and processing


Due to the nature of our business and lack of automated decision making, this does not apply to Elan Homes.

Right to lodge a complaint with ICO

In addition to the rights described above, individual data subjects also have the right to make a complaint to ICO and we are required to tell them about this right.


It is our policy to include this information in our Privacy Notice.


Data Security Policy

Office Security

  • Our Head Office is fitted with an alarm, CCTV, door buzzers and key pad entry.
  • Our Midland Office is fitted with an alarm, CCTV, door buzzers, and key pad entry.  
  • Access to all offices is restricted and all visitors are recorded in a signing-in book.
  • All visitors are supervised, including third party contractors, such as office cleaners.
  • Staff are trained to understand the importance of security and how to keep personal data safe.
  • We promote a clear-desk approach and do not leave personal data where unauthorised staff and/or third party providers can access it.                                                                
  • Paper records containing personal data are stored in locked filing cabinets.
  • Personal data that is no longer required is securely disposed of, regardless of its format (e.g. paper or electronic).
  • Confidential waste is shredded via an appointed 3rd party specialist contractor who issues a Destruction Certificate for each batch of shredding.
  • Additional care is required for special categories of customer data, for example, health information and any information relating to criminal convictions.
  • Office equipment such as laptops, desk top pcs, which are no longer required, have their hard drives destroyed by a 3rd party specialist who provide certification to confirm completed.
  • Any mobile phones are factory reset when an employee leaves, if stolen they are remote wiped, if damaged they are sent to a 3rd party specialist for shredding and a destruction certificate is issued.
  • Any leased office equipment such as photocopiers are data purged prior to return to supplier.




  • We carry out identity and background/reference checks when hiring a new member of staff.
  • Staff are trained in our data protection policies and procedures, including how we deal with the data subject’s rights under GDPR. Training is repeated at least annually.
  • Staff are required to comply with the six Data Protection Principles and with our data protection policies and procedures.
  • To prevent unauthorised disclosure of personal data over the telephone, staff will only communicate with the authorised contact details held on file.
  • Access to personal data is restricted – staff do not have access to personal data they do not need.
  • Access to special categories of data and data relating to criminal convictions is restricted.
  • Access rights to personal data are removed promptly if a staff member changes roles or leaves.
  • Staff members are not allowed to share passwords and log-on details and are not allowed to write their passwords down.
  • Staff members are responsible for ensuring that personal data is not disclosed either verbally or in writing to any unauthorised third party.
  • Staff members are not allowed to store personal data at home.
  • A periodic risk assessment and audit will take place to check our procedures remain sufficient, are being followed and to suggest improvements.


IT Security


  • All Window systems are password protected. Passwords must be a minimum of 8 characters and changed regularly. 
  • Access to application such as Sitestream, HR Online require additional passwords, following successful initial logon to the main Windows system.
  • Only specific employees hold personal data on portable devices, which require passwords to access.
  • We maintain a record of staff issued with laptops and other portable devices.
  • We carry out random checks of laptops and other portable devices to ensure that only the staff authorised to hold personal data on their laptops are doing so.
  • Data is backed up daily and stored securely off-site.
  • Back-up data is encrypted.
  • Staff access to inappropriate web sites or content is restricted.
  • We do not use unsecured email to transfer personal data.
  • All systems are logged off when they are not in use.
  • Elan Homes has entered into a number of third party relationships (e.g. NHBC, In-House, NPA) to enable it to offer its range of services to its customers.  These relationships have meant that we have allowed access to specific customer information by exporting data from our systems or in some case allowing access to our systems. Elan Homes ensures the security of its data in these circumstances via its IT security arrangements.
  • All scanned images must be stored within the relevant department electronic filing system within the H drive and not locally on desktops.

Governance and Management


We have completed an Inventory of Processing Activities to document our processing events.

The GDPR Steering Committee are responsible for overseeing data protection within Elan Homes and ensuring we comply with the requirements.

Our recruitment and staff management processes are designed to help reduce the risk of data misuse or theft within Elan Homes.

We conduct due diligence on all third parties with access to our customers’ personal data, making sure we understand how they treat our customer data and how securely they keep it.

We have a business appropriate disaster recovery plan.

Any breaches (and near misses) must be reported to the GDPR Steering Committee.

We support an open and honest culture and encourage all staff to report any data security concerns to the Group IT Manager


As a Data Controller Elan Homes is registered with the ICO as follows:



Company Numbers

ICO Registration Numbers

Elan Homes Holdings Ltd



Elan Homes Ltd



Erie Basin Ltd



Elan Homes Strategic Ltd



Elan Homes Land Ltd



Elan Homs SEQ Ltd



Elan Homes Lancashire Ltd



Elan Homes Midlands Ltd



Elan Homes Properties Ltd



Elan Homes Scotland Ltd


To be registered August 2021


Risk Appetite & Data Protection Impact Assessment Statement


Elan Homes is committed to ensuring that its information is authentic, appropriately classified, properly stored (hard copies and electronically) and managed in accordance with legislative and business requirements. We have a low appetite for the compromise of processes and procedures governing the use of information, its management and publication.


All our efforts are geared to ensuring that the personal information we hold is not:

  • inaccurate, insufficient or out of date;
  • excessive or irrelevant;
  • kept for too long;
  • disclosed to those who the person it is about does not want to have it;
  • used in ways that are unacceptable to or unexpected by the person it is about; or
  • not kept securely.

Based upon the above and the nature of our business we do not believe the publication of a DPIA is a requirement at this point in time.

Data Retention Policy


We process various categories of personal data which are kept for different periods of time.


The length of time we keep each category of data is outlined in detail in our Inventory of Processing Activities. This is managed and reviewed on an annual basis by Group Data Protection Manager


Where data is no longer required, it is encrypted and archived. At the end of the retention period (as specified in our Inventory of Processing Activities) it is securely destroyed.


We retain a suppression list of individuals who have opted out of receiving marketing or other information from us. This list is retained indefinitely so that we do not inadvertently contact an individual who has already expressed a wish not to be contacted.


Policy Exemptions:

  • In the event of litigation all relevant data (paper & electronic) must be retained.
  • Where the law requires a transaction to be in writing to be effective (e.g. transfers of land, share transfers, NHBC and taxes) the original document should always be retained. 

Breaches Policy


In the event of a breach of data security, the GDPR Steering Committee will instigate the Breach Management Plan to ensure that we deal with it effectively and quickly.

The breach may arise from:


  • a theft
  • a deliberate attack on our systems
  • from the unauthorised use of personal data by a member of staff
  • from accidental loss or deletion
  • unauthorised access
  • denial of access
  • equipment failure
  • inadvertent disclosure of data




There are four important elements to our breach-management plan:

Containment and recovery

In the event of a breach of personal data, our response to an incident will include an emergency meeting, a recovery plan and, where necessary, procedures for damage limitation.

Assessing the risks

The GPDR Steering Committee will assess any risks associated with the breach, as these are likely to affect what we do once the breach has been contained.

In particular, it will assess any potential adverse consequences for individuals; how serious or substantial these might be; and how likely they are to happen.


Notification of breaches

All breaches must be recorded in the Data Breaches’ Log and the GDPR Steering Committee will consider whether the breach needs to be reported to the ICO.

GDPR Steering Committee will consider the Working Party 29 Guidance on Data Breaches and any other guidance available (for example, from ICO and / or the FCA) in deciding whether a breach is reportable.

A breach is reportable if it could pose a risk to the ‘rights and freedoms’ of an individual. If this is  likely the GDPR Steering Committee may also need to notify the individual(s) of the data breach, explaining the nature of the breach, the likely consequences, measures taken (or proposed to be taken) to address the breach and, where appropriate the measures taken to mitigate any adverse effects, along with contact details for further information.

If the breach is reportable, it must be reported within 72 hours of becoming aware of the breach.

If the breach is considered not reportable, the GDPR Steering Committee will document the reasons for this.

The GDPR Steering Committee will also consider notifying other regulatory bodies (for example the FCA), other third parties such as the police and the banks, or the media where relevant (for example, in the case of a large scale data breach).


Evaluation and response

It is very important that we investigate the cause(s) of any breach and also evaluate how effectively we responded to it via the steps detailed below.  If necessary, we will update our policies and procedures and our systems accordingly.

Incident Response Process

Technology Recovery Mitigation

Notification of breach / event

External migration

Forensic investigation

Internal migration

Control, restore, fix or audit event

Certify, test, audit

Remediation required


Test and reporting

Implementation of approved recommendations


Dealing with Subject Access Requests (SARs)

Individuals have the right to request a copy of the personal data we hold on them and this is called a Subject Access Request (SAR).


SARs can be received in any format (by email, over the phone, in person or via social media) and the individual doesn’t need to use the words ‘subject access request’. If an individual requests a copy of their data, then it is a SAR and we must deal with it appropriately.


Staff are trained to recognise a SAR and to refer to the Group Data Protection Manager.


All SARs must be referred to the Group Data Protection Manager and will be dealt with on an individual basis, as we do not envisage a high volume of requests. This policy will be revised if we begin to receive a high volume of requests (more than 4 per month).


It is our policy to respond to a SAR within 30 days.


It is our policy not to make a charge for SARs, but in limited circumstances (if the request is repeated, excessive or would require a disproportionate effort) we reserve the right to make a nominal charge to cover administrative costs, where appropriate.

If we anticipate it will take longer than 30 days to respond to the request, we will write to the individual data subject to advise them of this and to let them know when we expect to be able to respond.


When responding to a SAR, We will also provide a copy of the personal data undergoing processing and where the data has been requested electronically, we will respond, where possible, by providing the information in a commonly used electronic format.


We will provide information regarding:


  • The purpose of the processing.
  • The categories of personal data concerned.
  • The recipients or categories of recipients to who the personal data have been or will be disclosed.
  • The envisaged period for which the data will be stored, or if not possible, the criteria used to determine that period.
  • The existence of the right to request rectification or erasure of the personal data or to restrict or object to the processing of that data.
  • The right to lodge a complaint with ICO.
  • Where the personal data were not collected from the individual data subject, any available information as to their source.