GDPR – POLICY DOCUMENT
The nature of Willowbrook Plant Ltd.’s business, construction plant sales and service, requires it to collect and store data. Such data relates to customers, suppliers, business contacts, employees and any other people with whom the organisation has a relationship or may need to contact. This policy details how this data should be collected, stored and used to ensure compliance with GDPR.
2. COLLECTION OF DATA
The company will collect and store data obtained during the sale. This will include the client’s name and address, business email address and telephone number. Financial information may also need to be collected. Such information will be stored for 6 years for accounting purposes. After this time, the data controller will assess whether the information will be retained or disposed of and deleted from all systems.
Sales prospects’ data is also collected. This can be by means of a contact form on Willowbrook Plant Ltd.’s website or following a telephone consultation or physical meeting with sales staff. In order to comply with both purpose limitation and data minimisation, Willowbrook Plant Ltd. will only collect such information as is required to enable future contact. This data will only be used for the purpose of future contact, and will never be sold to a third party. If there is no expectation of future business, the information will be deleted as part of an annual review of all data during April.
3. DATA CONTROLLER & DATA PROCESSORS
Mr Graham Perkins is the Data Controller for Willowbrook Plant Ltd. He will determine which data is processed and the purpose of that data. He will also ensure that all data is destroyed and deleted when it is no longer useful or required for processing purposes. With regard to storage limitation, Willowbrook Plant Ltd. will always ensure that personal data is only kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing.
The majority of employees at Willowbrook Plant Ltd. are involved in handling and processing data. This is necessary in order to ensure the prompt and efficient completion of everyday business. These are all deemed to be Data Processors and will undergo video training prepared by Carl Peach of Peachy Marketing. This is to ensure that they understand their responsibilities under GDPR and will fully comply with both this policy and with the law.
4. DATA PROTECTION AND SECURITY
Data protection and security are vitally important. All servers are secured with firewall protection. They are regularly checked and updated to avoid the risk of a data breach. In the unlikely event of a breach in which hackers successfully obtain sensitive information, Willowbrook Plant Ltd. will immediately inform those affected and aim to make appropriate reparation. This will be followed by a full review of security.
Certain data processors, such as salesmen and service facilitators, must take their work laptops and other electronic data storage devices offsite. All work laptops, phones and tablets are password protected, and these passwords are not shared between coworkers. Each laptop is backed up to a main server and data storage devices are only ever used in the daily business of the company from their site to potential clients’ and suppliers’ sites. The information stored on them is never shared informally.
5. ACCURACY OF DATA
All employees who work with data should take reasonable steps to ensure that it is kept as accurate and up-to-date as possible. Employees are encouraged to take every opportunity to keep the data subject’s information accurate. This could be by asking subjects with whom there is only occasional contact to confirm their details, or by making clients aware of how they can update their own information.
6. DATA SUBJECTS ACCESS REQUESTS
Willowbrook Plant Ltd. collects data, which can sometimes be sensitive information. Willowbrook Plant Ltd. aims to ensure all Data Subjects are aware of:
- How the data is being used
- How to exercise their rights in respect of that data
Any natural persons who have data held by Willowbrook Plant Ltd. have the right to access information relating to the data stored about themselves. They can access this by completing a Subject Access Request Form. (An example of this form is appended at the end of this document.)
Willowbrook Plant Ltd. respects the right of individuals who require their data to be removed from any systems and processes that occur within the company and will respectfully adhere to any such requests.
Willowbrook Plant Ltd. will provide the following information to Data Subjects upon request:
- What information the company holds about them and why.
- How long the information will be stored.
- How to gain access to that information.
- Whether any third parties have access to their personal data, together with the contact information for such persons.
- How the company is meeting its data protection obligations.
All Subject Access Requests that are submitted will be processed by the Data Controller. No-one else within the company has the right to provide such information. The Data Controller will always verify the identity of anyone making a subject access request, at which point the subject must complete a standard request form. Information will be provided within 40 days of receipt of this form.
Willowbrook Plant Ltd. has the right to withhold information if the subject access request has not been received from the data subject, or from their legal parent or guardian in the case of minors.
In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Willowbrook Plant Ltd. will disclose requested data. However, the Data Controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary before any information is disclosed.
7. STAFF GUIDELINES
- When data is stored on paper, it should be kept in a secure place where unauthorised people cannot access it.
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them.
- Data printouts should be shredded and disposed of securely when no longer required.
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking.
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media, these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud-based storage service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.
- All servers and computers containing data should be protected by robust security software and a firewall.
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically.
- Personal data should never be transferred outside of the European Economic Area (EEA).
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
- Data will be held in as few places as necessary. Never create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call or visit the business premises.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the databases/files.
This Policy will take effect from 9th May 2018. It has been approved and will become directly binding on Willowbrook Plant Ltd., including all branches, staff and affiliates of the company, from this date forward.
First Review Date: Monday 12th November 2018. The policy was found to be accurate and relevant and no changes were required. Next review is due in May 2019.
All parties involved in the creation of this policy will adhere to all responsibilities and regulations underlined within it, and will to the best of their knowledge and abilities ensure compliance with the terms of this policy as well as the law.
Willowbrook Industry Estate, Corby
Northamptonshire, NN17 5XJ
+44 (0)1536 261671