Acorn Construction Ltd GDPR policy 


Acorn Construction Ltd follows the guidance and laws set out in the EU General Data Protection Regulation (GDPR). 

This document outlines to current parts of the policy relevant to Acorn Construction Ltd and its staff. All members of staff who handle personal information of staff, customers, suppliers or other parties must read and comply with this document. 

Author: David Wylie (data protection officer) 

Email: [email protected] 

Last updated: 31/7/2019

What is personal data?

Anything which could be used to identify an individual e.g. someones name is personal data but one anonymous user on a website is not. This includes their email, address or any other details which are specific to them. 

Data rights

The new GDPR makes personal data into personal property. This means that an individual has the same rights over their data as they do over their house or car. It is entirely up to them who uses it and how they use it. 

Companies who don’t follow the rules or who make it difficult for people to control their data get landed with heavy fines. 

Individual data rights are summarised here: 

  1. The right to be informed; Anyone processing your data must make it clear what they are processing, why they are processing it and who else it may be passed to. 
  2. The right of access; your right to see what data is held about you
  3. The right to rectification; having your data corrected or amended if it is incorrect
  4. The right to erasure; This is the right to have your data erased if it is no longer needed or if you withdraw your consent or if it has been unlawfully processed. 
  5. The right to restrict processing; you can ask for a temporary halt to processing of data
  6. The right to data portability; you have the right to ask for any data supplied directly to the data controller to be provided in a structured, commonly used, machine readable format 
  7. The right to object; The data subject has the right to object to further processing of their data which is inconsistent with the primary purposes for which it was collected, 
  8. Rights in relation to automated decision making and profiling; You have the right not to be subject to a decision made solely based on automated processing. 

Data security 

All personal data must be securely stored. Physical copies must be stored securely with access restricted to those who work with it. Online data must be password protected. 

All pathways which data travels through must be secured, this includes post, website and email data. 


All mail received should be securely stored until processed. This will be in the Preston office before being stored in the liverpool office filing system. 


No personal data is to be stored on third party plugins unless approved by the information officer. Currently approved online storage: 

  • Google suite 
  • Google Analytics 

The website must be protected to ensure no data breaches. All information gathering plugins must be reviewed and their GDPR policies assessed. 


All emails which are not necessary for business such as past quotes are to be deleted. Upon consent, current customer information can be stored for up to 1 year for our records or indefinitely for marketing purposes. 


Data protection risk assessment

Last updated: 17/07/2019 





  1. Hacking from outside
  2. Email provider misusing email addresses
  1. Check email security 
  2. Check email data protection policies. 


  1. Hacking 
  2. Plugins breaching data protection 
  1. Ensure adequate web security to avoid tampering with contact forms. . 
    1. Keep no personal data in the website
  2. Check plug in data protection policies. 
    1. Do not let plug-ins store collected data. 


  1. Post falling into the wrong hands in shared workspace
  2. Lost information through poor storage. 
  1. Separate lock access mail box for Acorn Construction 
  2. Systematic use of filing system. 


  1. Opt in/ opt out system resulting in wrong outcome.
  1. Thorough design and test of system. 


Data protection officer: David Wylie 

The data protection officer will be responsible for the security of information processing systems. Requests relating to data or the GDPR should be directed to the data protection officer via the email address: [email protected] or through the data protection contact form. 

Unused data

All personal data which has no business use should be deleted. Once a month the data protection officer should review stored data to ensure it is GDPR compliant. 

Consent and opting out

All data owners must consent in order for us to store their data. This cannot be assumed and must be clear on our communications. 

Opting out must also be easy. This particularly applies to marketing. The opt out option should be obvious, simple and lead to effective opting out. 

Displaying data policy

The data policy for customers should be displayed clearly. Where possible consent should be mandatory before proceeding to store data.  


All members of the team who deal with personal data should have specific training on data protection. This will be conducted by the information officer on starting the role and then at least once per year going forwards. 

Assignment clause 

Any personal data stored is managed by the company and can be transferred with ownership of the company. This clause must be included in all GDPR communications: 

“Any data you consent to being stored and processed will be kept by the company Acorn Construction Ltd. If Acorn Construction Ltd were to change hands any data will change hands to the new owner. The new owner will only be able to use your data for purposes you have already consented to.”

If you have any questions or would like any action to be taken regarding your personal data, please get in touch with the information officer at: [email protected]