Acorn Construction Ltd follows the guidance and laws set out in the EU General Data Protection Regulation (GDPR).
This document outlines the current parts of the policy relevant to Acorn Construction Ltd and its staff. All members of staff who handle personal information of staff, customers, suppliers or other parties must read and comply with this document.
Author: David Wylie (data protection officer)
Last updated: 31/7/2019
Anything which could be used to identify an individual, e.g. someone's name, is personal data, but one anonymous user on a website is not. This includes their email, address or any other details which are specific to them.
The new GDPR makes personal data into personal property. This means that an individual has the same rights over their data as they do over their house or car. It is entirely up to them who uses it and how they use it.
Companies who don’t follow the rules or who make it difficult for people to control their data get landed with heavy fines.
Individual data rights are summarised here:
All personal data must be securely stored. Physical copies must be stored securely with access restricted to those who work with it. Online data must be password protected.
All pathways which data travels through must be secured; this includes post, website and email data.
All mail received should be securely stored until processed. This will be in the Preston office before being stored in the Liverpool office filing system.
No personal data is to be stored on third-party plugins unless approved by the information officer. Currently approved online storage:
The website must be protected to prevent data breaches. All information-gathering plugins must be reviewed and their GDPR policies assessed.
All emails which are not necessary for business, such as past quotes, are to be deleted. Upon consent, current customer information can be stored for up to 1 year for our records or indefinitely for marketing purposes.
Last updated: 17/07/2019
Data protection officer: David Wylie
The data protection officer will be responsible for the security of information processing systems. Requests relating to data or the GDPR should be directed to the data protection officer via the email address: email@example.com or through the data protection contact form.
All personal data which has no business use should be deleted. Once a month the data protection officer should review stored data to ensure it is GDPR compliant.
All data owners must consent in order for us to store their data. This cannot be assumed and must be clear in our communications.
Opting out must also be easy. This particularly applies to marketing. The opt-out option should be obvious, simple and lead to effective opting out.
The data policy for customers should be displayed clearly. Where possible, consent should be mandatory before proceeding to store data.
All members of the team who deal with personal data should have specific training on data protection. This will be conducted by the information officer on starting the role and then at least once per year going forwards.
Any personal data stored is managed by the company and can be transferred with ownership of the company. This clause must be included in all GDPR communications:
“Any data you consent to being stored and processed will be kept by the company Acorn Construction Ltd. If Acorn Construction Ltd were to change hands any data will change hands to the new owner. The new owner will only be able to use your data for purposes you have already consented to.”
If you have any questions or would like any action to be taken regarding your personal data, please get in touch with the information officer at: firstname.lastname@example.org