The laws on Data Protection changed on 25th May 2018. Total Supplies Ltd’s priority is keeping your data safe, so we have implemented some new practices to comply with the new GDPR laws with regard to storing and processing your personal data. Bear in mind that we only hold names and addresses on file. Any payment details are handled by Barclaycard’s secure platform.
What is personal data?
Information which relates to a living individual who can be identified from the data or from the data and other information which is in the possession of, or is likely to come into the possession of Total Supplies Ltd.
The information may be in either electronic or manual (ie paper) form.
Emails held, in automated form, in live, archive or back-up systems, or which have been deleted from the live system but are still capable of recovery.
Manual data (data recorded on paper only)
Correspondence including letters, orders, invoices, receipts which include personal details.
What is meant by processing?
Obtaining, recording and holding data; performing any operation on the data, including the erasure or destruction of the data.
In line with the ICO’s recommendations we shall take the following 12 steps to remain compliant with the new regulations:
- Awareness. All employees at Total Supplies will be made aware of the importance of the privacy of your personal data.
- Information we hold. The information we hold on customers is stored in one of only two places: (1) electronically, on our website database, which can only be accessed with a two-stage password. This information is only names and addresses. Any payments are made through a secondary secure platform such as PayPal or Barclaycard, which have their own privacy policies. (2) Manually, in filing cabinets in our office. Again, only names and addresses are kept on file. All secure payment data is shredded after use. All files over 18 months old are shredded by an external company, and shredding certificates are kept. The only data we will ever share is your name and address, if you wish to be sent items by post or by a third-party delivery company such as Parcelforce.
- Communicating privacy information. We have reviewed our privacy notices and have updated them in accordance with the new GDPR laws.
- Individuals’ rights. We have checked our procedures to make sure no individual’s rights are breached.
- Subject access requests. We have updated our procedures by appointing a data controller who will be responsible for processing data and erasing all spent data. In some cases external contractors process data on our behalf; these are known as data processors. We will not charge for complying with a request. We will respond within 30 days. We will refuse requests that are manifestly unfounded or excessive; in this instance we will tell the individual why, and that they have the right to complain to the supervisory authority and to a judicial remedy.
- Lawful basis for processing personal data. The only reason we hold personal data is to serve our customers.
- Consent. We will send an email out every year and offer customers the option of opting out of us holding their personal data. In this instance we will delete all electronic files, old emails and shred any paper files.
- Children. Given that we are a wholesaler of cleaning supplies, we consider it unnecessary to verify the ages of any customers.
- Data Breaches. Firstly, we would make any customer potentially affected aware of a breach. We would also make the ICO aware. Our website is managed by a digital partner who would handle any breach of our electronic data. A breach of manual data would involve an intruder breaking into our office and stealing files; in this instance the police would be called and relevant measures would be taken.
- A Data Protection Impact Assessment is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data, by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the. In other words, a DPIA is a process for building and demonstrating compliance. The following are the results of our completing the ICO’s online Processors Checklist:
Processors checklist report
10 May 2018
Your overall rating was green.
0: Not yet implemented or planned
0: Partially implemented or planned
17: Successfully implemented
1: Not applicable
GREEN: successfully implemented
Your business has conducted an information audit to map data flows.
Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
Your business has an appropriate data protection policy.
Where required, your business has appointed a Data Protection Officer (DPO). In other cases, you have nominated a data protection lead.
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
Your business provides data protection awareness training for all staff.
Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.
Your business has sought prior written authorisation from the data controller before engaging the services of a sub-processor.
Your organisation has effective processes to identify and report any personal data breaches to your controller.
Your business has a process to respond to a controller's request for information (following an individual's request to access their personal data).
Your business has processes to ensure that the personal data you hold remains accurate and up to date.
Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales stated in your contract with the controller.
Your business has procedures to respond to a controller's request to suppress the processing of specific personal data.
Your business can respond to a request from the controller to supply the personal data you process in an electronic format.
Your business has an information security policy supported by appropriate security measures.
If your business operates outside the EU, you have appointed a representative within the EU in writing.
- Data Protection Officer. Considering our limited use of personal data, and that we are not a public authority, an organisation that carries out the regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large-scale processing of special categories of data (such as health records, or information about criminal convictions), we do not need to appoint a Data Protection Officer.
- International. Not applicable.