DATA PROTECTION POLICY
Organisation: GCM Online Services (Belfast) Scope of policy: This policy covers the offices / warehouses of the above- named companies across Northern Ireland and Ireland.
Policy operational date: This policy is adopted May 2018
Policy prepared by: MR Loughlin – Data Advisor
Date approved by Board/ Management Committee: The Management have read and approved this policy
Policy review date: April 2021
PURPOSE OF POLICY
This document is written to comply with the GDPR (EU General Data Protection Regulation) coming into force on 25th May 2018. This document also updates our PERC compliance. This document sets out clearly our commitment to follow good practice, to enable protection of data held on clients, staff and other individuals (potential clients). This document helps to protect all involved within the organization going forward.
TYPES OF DATA & WHY WE PROCESS DATA
We hold on our accounting systems the following information:
- Delivery Addresses
- Contact Telephones
- Contact Mobiles
- Contact Emails
This information is part of our contract with the individual to provide financial records, as we are legally obliged to do.
For payment by credit cards, we process your details, we do not keep your card details if written down these are immediately shredded / permanently destroyed.
Our representatives, who visit and or meet with potential clients will also take record of the following information for the purposes of providing quotations and additional information required by the client. This information may be written in a diary/notebook and will only ever contain:
- Contact Telephones
- Contact Mobiles
- Contact Emails
- General Requirements
- Any emails sent/received are kept in line with this policy
Referrals from online companies may be passed to us, as per your request. We hold the data you have submitted.
For Marketing purposes, we have a separate database for the use of marketing contact. This database is only accessible by Management or senior members/representatives of the companies. We will also seek your permission before you are added to this database.
Employees – we hold:
- Contact Telephone Date of Birth
- Bank Account Details
- NI Number
- Email address (if provided)
- Information provided by HMRC / Pension provider (Please see separate data statement)
We may collect the following types of information:
- When you access GCM Online Services via a browser our servers automatically record certain information. These server logs may include information such as your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account.
- When you send an email or other communications to GCM Online Services, we may retain those communications in order to process your inquiries, respond to your requests and improve our services. We may use your email address to communicate with you about our services.
In addition to the above, we may use the information we collect to:
- Provide, maintain, protect, and improve our services and develop new services; and
- Protect the rights or property of GCM Online Services or our users. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use. GCM Online Services processes personal information on our servers in the UK.
Our company is committed to complying with both the law and good practice in protecting and respecting your privacy. When you purchase from us we need to hold the above- mentioned information in order that we can process your transaction.
We respect individuals’ rights and only hold data that is shown above on our accounting software. Hard copies of printed invoices, statements or financial reports may be printed for the use of staff/directorst of the company.
All emails, correspondence and communications to and from the company can be accessed by senior management and directors. Names and telephone numbers are taken down within a notebook/diary for massage purposes and passed on. The original record of the call is kept for reference.
CCTV – across our sites we operate a CCTV system for the purposes of security, health and safety and monitoring purposes.
External suppliers – Access from time to time may be required from our external suppliers for maintenance purposes. The supplier will only have access to a limited part of the computer systems and all personal data will not be made or allowed access to.
Passwords – All computer equipment which has access to data is passworded. These passwords are to be changed regularly.
Payments – For payment by credit cards we process your details, we do not keep your card details if written down these are immediately shredded / permanently destroyed. The merchant copy is maintained for financial / accounting records in a lockable drawer. These are kept for a period of 6 months following your transaction then permanently stored in line with accounting requirements.
All telephone calls are logged for billing purposes.
In the event of a data processing error, we will notify the Information Commissioner voluntarily, even if this is not required.
When processing data we aim to do so securely, efficiently and minimize any risk involved. All data is processed in a separate area, with computer screens and desk not readily available to being overlooked.
When we make client contact, our representatives do gather information as listed above to enable them to provide the information requested. This information can be gathered in two ways, directly onto our Accounting program by way of iPhone / Iipad App or manually in a notebook / Diary. We do not use loose paper to make notes. These books are then securely stored.
THE BOARD / COMPANY DIRECTORS
They have overall responsibility for ensuring that the organization complies with its legal obligations.
EMPLOYEES & VOLUNTEERS
All staff and volunteers have read, understand and accept these policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘employees’ is used, this includes both paid employees, representatives and volunteers.)
Our key staff have received one on one training to help cover the processing of the data they need.
Continuity / Risks
We use a cloud-based accounting / CRM system, which allows for safe and secure off-site data holding. This enables safe continuity if required going forward.
Our key employees can meet with you in your chosen location and your data can be accessed there, subject to mobile internet access. They can also work on your data remotely at home, at any of our offices or locations with internet access. Every effort will be made to do this privately and they will never make available in public spaces.
Each user has a dedicated login which is logged each and every time something is undertaken or the system is logged in or out of.
Our employees will not provide your personal information over the telephone. Emailed invoices/statements and financial reports will be made available by email to you. We can send these to you as required.
Data recording and storage
We can obtain our data directly from our clients / potential clients or from online referral companies. Where contact details are requested from you we will usually ask you to check we have it right. If it is not, we will amend within 8 working hours of notice.
UPDATING / RETENTION
We need to keep data and information in line with legal requirements. We retain data on the following basis:
- Employee Records – 6 years after date of termination
- Pension Records – 6 years after date of termination
- Photos / Videos – indefinitely
- CCTV – each machine is on a 30-45 day loop. Downloaded material required as part of an investigation will be kept for a period of up to 3 years after the incident
- Insurance Records – indefinitely
- Safeguarding matters – indefinitely or until advised by authorised authority
- Accident books – 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21)
- Customer Records – reviewed every 3 years, updated when you ask
- Marketing Records – reviewed every 3 years
- Access Request Letters – Held for a maximum of 1 year following completion of request
- Sales leads – indefinitely
We aim to hold all information digitally, in our Accounts and CRM software including MS Outlook. Employee data is held on MS One drive and online payroll software with limited access by only those who require it. Pension information is also held online, and limited access is given
Please see above
In the event we have printed personal information, this will be stored only for a limited time until the purpose of this print has been addressed and completed. Once completed the printed material is then destroyed securely.
Right of Access
Should you require access to the information we hold please make contact as stated below.
PROCEDURE FOR MAKING REQUEST
Right of access requests must be in writing. This should be addressed to the Managing Director and provide the following: –
- Your Name
- Your Address
- Your Contact Number
- Your Email address
- Your request
We suggest that your letter is sent by recorded delivery if by post.
GCM Online Services 55-59 Adelaide Street, Belfast, BT2 8FE
Email address: [email protected]
PROVISION FOR VERIFYING IDENTITY
Where the person managing the access, the procedure does not know the individual personally we will make contact with you to verify you to the best of our ability.
We hold very limited data on you, this is detailed above. We may charge £15 to process and supply your data as requested.
PROCEDURE FOR GRANTING ACCESS
If the request is made electronically, we will provide the information in a commonly used electronic format.
If your request is in writing, please confirm in what way you would like your information to be provided back to you.
Our goal is to explain the type and how we use your data. This core document provides this information to you and includes
- for what purpose it is being processed
- what types of disclosure are likely, and
- how to exercise their rights in relation to the data
We aim to cover this as below:
New Clients – Briefly covered by our representatives during the initial meeting
Current Clients – Data Protection Policy made available to all openly – Link on the website, mentioned on the email footers
Employees – Verbally during training and conformation by letter.
Our key employees form part of this transparency and responsibility lies with the Managers to maintain and review in line with this policy
For employees, clients and potential clients, we only hold information which is required to complete our contracts with you and do so as required by law.
For Marketing purposes, you can opt out at any time from our online database. Every email we send will allow you to easily and quickly opt out.
We acknowledge that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn – in these cases, we may inform you.
Employee training & Acceptance of responsibilities
All employees who have access to any kind of personal data should have had their responsibilities outlined during their induction procedures
There are opportunities to raise Data Protection issues during employee training, team meetings, supervisions, etc. this is encouraged.
PROCEDURE FOR STAFF SIGNIFYING ACCEPTANCE OF POLICY
Each staff member has signed for a copy of this document and our Data Privacy Statement, acknowledging receipt and understanding.
The Directors and senior team members will review this policy as stated.
A complete review of the policy is undertaken during the period specified, consulting and change in the law, systems, stake holders and good practice.
The review will start in April 2021 and be completed by May 2021