Derek Green trading as [gawr-juhs] – hereafter referred to as [gawr-juhs], we, us or our – needs to gather and process personal information about individuals for core business purposes, such as accounting, staff administration and marketing. Individuals can include customers, suppliers, contractors, business contacts, employees and other people the organisation has a relationship with, or may need to contact.
This policy explains how personal data is collected, stored, and handled in order for us to comply with our own organisation’s privacy and data protection standards – and to adhere to the European Union’s General Data Protection Regulation, which becomes law on 25 May 2018.
This data protection policy ensures [gawr-juhs]:
Complies with data protection laws and follows good practice.
Protects the rights of our staff, our customers and partners.
Is open and transparent about how we store and process the data of individuals.
Protects [gawr-juhs] from the risks of a data breach.
The General Data Protection Regulation describes how organisations — including [gawr-juhs] — across all 28 European member states must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper, or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
GDPR defines Personal Data as any information that can directly or indirectly identify an individual and includes: forename; surname; title; photo; address; email address; IP address; location data; cookies; and profiling and analytics data.
The Regulation also places much stronger controls on the processing of special categories of personal data, including: race; religion; political opinions; trade union membership; sexual orientation; health information; biometric data; and genetic data.
This policy applies to:
The head office of [gawr-juhs].
All staff and volunteers of [gawr-juhs].
All contractors, suppliers and other people working on behalf of [gawr-juhs].
This policy applies to all data that [gawr-juhs] holds relating to identifiable individuals, even if that information technically falls outside of the General Data Protection Regulation Act 2018. This can be made up of:
Identity Data including first name, surname, marital status, title, gender and photo.
Contact Data including business name, billing address, postcode, email address and telephone numbers.
Financial Data including bank account and payment card details.
Transaction Data including details about payments, invoices, and receipts between you and [gawr-juhs], and other details of products and services we have purchased from one another.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our services.
Profile Data includes your online username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, and our products or services.
Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
Third Party Services Data includes account user names and passwords for email accounts, internet service providers, social media channels and File Transfer Protocol (FTP) access that you provide to [gawr-juhs] in order to set up, control and maintain your internet presence.
[gawr-juhs] collects data from you:
Directly when you contact us by telephone or email, or complete and submit any form that is included on our website.
Indirectly when you take some action on our site (passive data).
We may also have personal data about you, if you:
Have met a member of [gawr-juhs] in person.
Are a supplier to [gawr-juhs].
Are a contractor, former contractor, employee or former employee of [gawr-juhs].
Have established a connection with us online, using third-party social media websites that [gawr-juhs] has accounts with.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages of our site are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
[gawr-juhs] also uses third party cookies for tracking and analytics services, such as Google Analytics, Adobe Analytics or similar services provided to us by individual internet service providers. In addition we may link or embed elements, for example YouTube videos, Vimeo videos or Google Fonts, into our site in order to provide visitors with a fuller experience.
These organisations are Data Processors and have obligations to conform to the European Union GDPR laws, so that [gawr-juhs] is unable to use their services to track, collect, or upload any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to a Visitor.
In addition, and where possible, [gawr-juhs] has actively switched on IP Anonymisation to disable the collection of Personally Identifiable Information (PII) through third party cookies, to ensure that the individual IP addresses of Visitors to our site are masked and are not identifiable.
Data Protection Risks
This policy also helps to protect [gawr-juhs] from some very real data security risks, including:
Breaches of confidentiality. For example, information being given out inappropriately.
Failing to offer choice. For example, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For example, [gawr-juhs] could suffer if hackers successfully gained access to sensitive data.
Everyone who works for, or with, [gawr-juhs] has some responsibility for ensuring data is collected, stored and handled appropriately. Anyone that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
The only people able to access data covered by this policy should be those who need it for their work. Data should not be shared informally. When access to confidential information is required, staff and contractors can request it from Derek Green, Creative Director of [gawr-juhs].
Staff and contractors should keep all data secure, by taking sensible precautions and following the guidelines below:
In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Staff and contractors should request help from Derek Green, Creative Director of [gawr-juhs] if they are unsure about any aspect of data protection.
[gawr-juhs] will ensure that all our staff and contractors are made aware of these guidelines, have read them, and are helped to understand their responsibilities when handling data.
These rules describe how and where our data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored digitally but has been printed out for some reason:
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Authorised people should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.
When data is stored digitally, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared with unauthorised people.
If data is stored on removable media (like a CD, DVD or USB Flash Drive), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.
If you have any further questions about storing data safely these can be directed to Derek Green, Creative Director of [gawr-juhs].
We do not share your personal data with any third parties. However, personal data is of no value to us unless [gawr-juhs] can make use of it for our day-to-day core business purposes.
It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
When working with personal data, our staff and contractors should ensure the screens of their computers are always locked when left unattended.
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
If possible, data should be encrypted before being transferred electronically.
Personal data should never be transferred outside of the European Economic Area.
Staff and contractors should not save copies of personal data to their own computers. Always access and update the central copy of any data.
The law requires [gawr-juhs] to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of our staff and contractors who work with data to ensure it is kept as accurate and up to date as possible.
Data will be held in as few places as necessary and additional data sets will not be created.
We take every opportunity to ensure data is updated, for example, by confirming a customer’s details when they call.
Where possible, [gawr-juhs] will make it easy for individuals to update their own data that we hold about them, for example, via our website.
We update data when inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it is removed from the database.
All individuals who are the subject of personal data held by [gawr-juhs] are entitled to:
Ask what information we hold about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed how we are meeting our Privacy and General Data Protection Regulation obligations.
If an individual contacts [gawr-juhs] requesting this information, this is called a Subject Access Request.
You may request details of data which we hold about you under the EU’s General Data Protection Regulation. Subject Access Requests should be made by email to Derek Green, Creative Director at firstname.lastname@example.org. In accordance with the new regulations, we aim to provide all the relevant data to you within 30 days and for no fee.
We will always verify the identity of anyone making a Subject Access Request before handing over any information.
In certain circumstances, the EU General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, [gawr-juhs] will disclose requested data. However, we will ensure the request is legitimate, seeking assistance from legal advisers where necessary.
[gawr-juhs] retains different types of data for different lengths of time.
Identity Data, Contact Data, Profile Data and Marketing & Communications Data: for the length of time that an individual is a customer of, or a supplier to, [gawr-juhs].
Contact Data, Financial Data and Transaction Data: for a minimum of seven years, in accordance with guidelines provided to us by the UK Government’s HM Revenue and Customs.
Technical Data and Usage Data: for 7 months.
Google Data Retention: for 14 months. For more information please see Google’s Support pages.
Third Party Services Data: for the length of time that an individual is a customer of [gawr-juhs].
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
This Policy was prepared by Derek Green, Creative Director at [gawr-juhs] and becomes operational on 25 May 2018.