MTH Cleaning Equipment Limited
- Respecting Your Privacy:
We are committed to supporting the relevant laws & regulations which set clear standards for the collection, access, storage and use of personal information which we obtain as part of our business operations. Our respect for our customers' right to privacy of their personal information is paramount. We have policies and procedures to ensure that all personal information, no matter how or where it is obtained, is handled sensitively, securely, and in accordance with the applicable privacy principles.
- What personal information do we collect and store?
So that we can provide services to you, we may ask for personal details such as your name, address, telephone number or e-mail address. Some examples of where we may need these details are pre-orders, home deliveries, promotions etc. Privacy law requires us to collect personal information about you only from you if it is reasonable and practical to do so. We take all possible measures to ensure your personal information is protected from unauthorized access, loss, misuse, disclosure or alteration. We also take measures to destroy or permanently de-identify personal information when it is no longer required. The types of measures we take vary with the type of information, and how it is collected and stored. Generally, you have no obligation to provide any information requested by us. If you choose to withhold requested information however, we may not be able to provide you with the goods and services that depend on the collection of that information, particularly if the collection of that information is required by law.
- How is personal information used?
The personal information that we ask for is generally used to provide goods or services to you. For example, for a credit card transaction we need your card number. Where possible, we try to ensure that our disclosure of information to other organizations is in a way which does not personally identify individuals.
- Data Security & Storage
MTH Cleaning Equipment Ltd has appropriate technical and organisational security procedures in place to protect personal data and information from loss, misuse or destruction. Additionally, we aim to ensure that access to your personal data is limited to those who need to access it.
Those individuals who have access to the data are required to maintain the confidentiality of such information.
Information Security Policy Statement
MTH Cleaning Equipment Limited is committed to maintaining and improving information security within the organisation and minimising its exposure to risks. It is therefore MTH Cleaning Equipment Limited's policy to ensure that:
- The confidentiality of corporate, client and customer information will be assured
- Sensitive information (however stored) will be protected against unauthorised access
- The integrity of information will be maintained
- Information will be made available to authorised business processes and employees when required
- Regulatory and legislative requirements will be met
- Business continuity plans for mission critical activities will be produced, maintained and tested
- Information security training will be made available to all staff
- All breaches of information security, actual or suspected, will be reported to and investigated by MTH Cleaning Equipment Limited security personnel.
MTH Cleaning Equipment Limited
Compliance Policy Report for the GDPR (5 Steps for Compliance), 18th April 2018
Who is protected by the GDPR?
Any EU citizen. So, basically, anyone who is registered as living in or possessing a passport of an EU country. It doesn't matter where in the world they are based; if our contacts, leads, customers and so on are EU citizens then the GDPR applies to us.
Individuals whose data personally identifies them. For example, Chris@mthcleaning.co.uk clearly identifies an individual. If we can identify who the person is from our data, then we absolutely need to comply with the GDPR.
To summarise, any EU citizen who is personally identifiable in our records is protected by the GDPR. We need to look through our systems, spreadsheets, emails, etc. and collate all of the data, and we need to create a master file (a record of all the locations where data is stored). Once we have discovered who we can personally identify and whether they are an EU citizen, we only need to make the effort to follow the rules for that particular data.
Knowing the rights of our data subjects (identifiable people)
Below are a few of the rights our data subjects are entitled to:
Right to be Informed
Our data subjects have the right to be informed about what their data is being used for and how you're using it.
Right of Access
They can request the personal or additional data we have on them. Their copy of the data must be crystal-clear and not contain any codes that would be meaningless to them.
Right to Correction
Any data that is inaccurate needs to be corrected. All data must be kept up to date.
Right to Erasure
This is the "right to be forgotten". If they ask us to remove or delete all the data we hold about them, we have got to.
If We Don't Comply ...
We could end up facing some seriously huge fines if we are not careful with our data. Firstly, we would be warned, then reprimanded, then banned from data processing, and lastly, fined.
This explains what makes the data we are storing personally identifiable, how to organise our data, and why minimising our data is super vital.
What Personal Details Are We Storing & Using?
The more obvious data is of course: Name, Email, Phone and Address.
If we are also storing/using Browser Cookies, Passports, ID Numbers, Driving License Numbers and Credit Card Details, then we certainly can't escape the regulation.
Personally identifiable data also includes any data that derives from or is related to the above. Other data to consider:
- Quotes, sales, orders & deliveries
- Customer service enquiries
- Tracking online with browser cookies
This data may not hold any personally identifiable data itself, but the fact that it's related to such means that we have got to ensure that we stay firmly within the rules.
Breaking our data down into these categories is an excellent way for us to start organising our data. So, if one of our customers (sadly) asks us to remove their data from our systems, we'll know exactly where to find that data, access it, and delete it. So we need to start organising our data in this way to comply.
Minimising Our Data
From now, we begin trying to minimise the amount of data that we hold. The less data we have, the less of a risk it poses to our organisation under the GDPR.
We've got to learn to reduce our data so that there's less risk of us illegally storing data that we just don't need.
The firm and individuals within our organisation need to start thinking about ways in which we can minimise our data so that we stay safely on the right side of the GDPR.
The GDPR lets us know that we MUST have a reason for why we're storing and using personal data.
What Are These Reasons?
As a business affected by the GDPR, we absolutely need to have a reason for why we are holding onto and using EU citizens' personally identifiable data.
These reasons are the following:
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
- Special Category
- Criminal Offence
Use the Data for Its Specific Purpose Only
So, we have collected some data on an individual through a particular lawful reason. The GDPR says that once we've collected data for a specific purpose(s), that data cannot be used for any other purpose beyond the one(s) for which it was initially collected.
For example, let's say that we've collected an individual's name and email address to provide them with a certain service. Under the regulations, we can't simply decide that the data we've collected would make a fantastic marketing tool and start to use it for another purpose (unless we've gone the extra mile to get further permission from the individual).
3 Relevant Lawful Reasons
As above, there are 8 lawful reasons to collect someone's data, but only 3 are most likely to be relevant to us.
One of the 3 is pretty difficult to get, but once we've got it then it's a super-strong reason to store and use an individual's details.
One of the 3 is fairly flexible BUT there is a risk of us being challenged and prosecuted under the regulations.
And, lastly, one of the 3 is rather tricky to get and will most likely limit the types of communications we send.
This step refers to WHEN the data we are storing is no longer needed.
When Is It Time to Part with Our Stored Data?
According to the GDPR, the data we are storing should only be kept for the period required to fulfil its purpose. Under the regulations, we don't want data hanging around in our systems that isn't being used or needed in the business. If it's not needed, it's time to get rid of it!
Remember the WHY step? Think about the lawful reason we have that means we are allowed to store and use this data. If there is no lawful reason (e.g. the individuals in the list have not consented to receive our services), then it's unlikely that this data will or can be used. So, the safest decision to make is to delete it.
Data can be kept for longer than its specific purpose, but ONLY if it no longer contains any personal info, and this is when we should anonymise that data (remove identifying particulars or details from it for statistical purposes).
How to Establish When the Data Is No Longer Needed
Important Note: There is no right or wrong answer, just an answer that is appropriate for our business.
We should regularly check our data to identify if it's up to date.
In order to check if that data is out of date, it makes sense to record the date that the specific data landed in our database, so that we know how long we have had it.
Also, we need to give members of our team the means to update their own data. This not only gives us one less job to do, but also means that everyone's data will be accurate. Updating data is also important because (referring to the WHAT step) minimising and removing data we don't need reduces the risk to our business.
Once we have reached the conclusion that certain data is no longer needed, it's time to determine what to do with it.
Keep Records of Everything
The best thing to do is keep a record of all our data; make sure everything is documented. That way we can demonstrate that the business is taking all the right steps to do the right thing, and we will be in a much better position with the authorities than if we had done nothing.
This step covers where we are storing our data, best practices for when we share our data, and keeping track of it within our systems.
Where Are We Storing Our Data?
It's an absolute must that we document exactly where we are storing data on EU citizens. This is because they reserve the right to be forgotten, the right of access, and the right to accurate data - among many other rights.
So, if we receive a request from an individual that means they want their data to be deleted, they want access to it, or they want it to be corrected, we will know exactly where to go to find that data and make those arrangements.
Where we could be storing data:
- Accounting Systems
- HR System
- CRM System
We need to make a note of all the systems we use to hold data, so that we can refer to it whenever necessary.
Tracking Data within Our Internal Systems
Our internal systems are those systems above, the systems that give us and our team access to data within our business. We need to ensure that the people in our business only have access to personally identifiable data if they absolutely need it.
Below is what we need to capture in our internal systems so that we can keep track of all the personally identifiable (and related) data we have.
- WHAT: The data that identifies an EU citizen e.g. Name, Email, Phone Number etc.
- WHY: The lawful reasons we have for storing and using that data e.g. Consent.
- WHEN: Make a note of when these data records have been created and updated.
Sharing Our Data with Third Parties
Under the GDPR, we ARE allowed to share data with third party organisations. We must be very careful, though.
Third parties are other organisations like ours that we may be in partnership with, or with which we have set up an affiliated scheme in which we can exchange data.
Here are a few of the best practices when it comes to sharing our data with other organisations:
- We can only share data with other organisations that are GDPR-compliant and also have permission
- If we plan to share data with other organisations, we need to tell the individual
- The consent the individual gives has to include the specific organisation we want to share their data with