General Data Protection Regulation (GDPR) Policy
Ruths Floral Design Studio
Prepared by G Staff Version 1. 18/5/2018
The GDPR sets out rules on how we collect, store and use our customer data. It is important to note that this is not a new data protection obligation: it replaces and mirrors the previous requirement to have "appropriate technical and organisational measures" under the Data Protection Act 1998 (the 1998 Act).
Ruths Floral Design Studio collects customer data and stores it using an industry-known software package, "Strelitzia". We also use a credit card facility to take payment for goods face to face, over the phone and online. All systems comply with the GDPR, which applies from 25 May 2018.
This policy outlines the processes and procedures we undertake to adhere to the Data Protection Act 1998 and the GDPR.
In this policy we will cover:
1. Collecting Customer Data on Strelitzia
2. Collecting Recipient Data on Strelitzia
3. Shredding, Erasing and Disposal of Data – Strelitzia and Paper Copy
4. Storage of Data – Backup and Paper Copy
5. IT Structure, Training, Breach Reporting, Review Period and Good Practices
Approval of Policy and Responsible DPPs
1. Collecting Customer Data
We collect data in many ways:
Face to face in the shop. The customer's name, address and phone number are entered into Strelitzia. The customer is asked whether they wish us to store this data and whether they will allow us to take an email address so we can communicate with them. A tick box on Strelitzia records this permission and allows reporting on who has consented to us retaining their information. If the customer does not wish their details to be stored, there is a function to enter only a name and phone number (opting out).
1.1 Account Customer Details
Many businesses use our services and we store their data for invoicing and communication purposes. Our policy is that if a business customer no longer wishes to use our services, we keep their information on our system (Strelitzia) for 6 years to satisfy HMRC record-keeping requirements. The recipient's name, address and sometimes a phone number are collected and stored for the same period, unless we are specifically asked to delete them once the order has been fulfilled and paid for (this could be up to 90 days in some cases).
2. Collecting Recipient Data
The recipient's full name, address and sometimes phone number are collected and stored. This data is then transferred onto a delivery sheet, which our drivers use as a driver's schedule document and as proof of delivery of goods. Where an international or national order is fulfilled by another florist, this information is passed on to that florist over an internet-based relay network, on the reassurance that the company has its own GDPR policy published on its website ("Direct 2 Florist", "Florist Exchange" and "Floral Queen"). These details remain stored on our system (Strelitzia) and can be removed on request after a period of 90 days, which allows discrepancies in the order to be traced, investigated and actioned.
3. Erasing and Disposal of Data – Strelitzia and Paper Copy
3.1 Worksheets generated by Strelitzia for work scheduling, and all related handwritten notes, will be shredded after a period of 30 days. The 30 days allow discrepancies to be resolved and handwritten information to be traced in the case of refunds or customer queries.
3.1.1 Shredded material will be put into the recycling system on a weekly basis.
3.1.2 Used worksheets awaiting shredding will be tied in weekly bundles and stored in a dry, locked cupboard. The key is held by the DPPs.
3.2 Erasing Data on Strelitzia
Strelitzia has an erase function that allows the DPPs to erase a customer, with a choice of date ranges. This function is protected by a password and is restricted to an authorised user.
3.3 Shredding or disposal of any customer details that are no longer needed is good practice.
4. Storage of Data â Backup and Paper copy
4.1 Storage of Paper Copies
Worksheets, handwritten notes and any other sensitive information will be stored on-site in a dry, lockable cupboard. Keys and access to this cupboard are restricted to the authorised DPPs. On a monthly basis this information is reviewed and shredded according to this policy.
4.2 Backups of System Data
Backups of Strelitzia will be taken every two days and the backup media stored in a dry, lockable cupboard. Keys and access to this cupboard are restricted to the authorised DPPs.
5. IT Structure
A computer system capable of running the required software will be used to allow the business to process orders, emails, invoices and quotes, store data and carry out other basic functions as required. This computer system will ideally be connected to the internet to allow for email and online maintenance of software (updates to the anti-virus software and to Strelitzia).
A firewall will be used, with security settings adequate to protect the data, together with anti-virus software to protect the system from unwanted programs.
Any data taken off the system, whether by backup or by printing, will be treated as set out in this policy.
5.1 The IT structure consists of a computer, printer, broadband router, keyboard, mouse and screen. (The cash machine/till is not classed as part of the IT structure as it is not connected to it in any way.)
5.2 PAT (Portable Appliance Testing) is carried out on all electrical equipment on a yearly basis and records are kept.
5.3 POS (Point of Sale) equipment may be plugged into the broadband router and is also subject to PCI DSS requirements.
6. Training
Training on all GDPR policies maintained by Ruths Floral Design Studio will be carried out and monitored for every new employee. Records will be kept and reviewed.
The authorised DPPs are to ensure that policies are kept up to date and that training is sought.
7. Data Breaches
A breach of data security is serious and must be reported according to the guidelines set out by the ICO (Information Commissioner's Office): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
7.1 Every breach must be investigated. If it is likely to result in a risk to individuals' rights and freedoms, it must be reported to the ICO within 72 hours of our becoming aware of it, as per the guidelines. Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed without undue delay.
7.2 A minor breach must still be recorded, together with any actions taken to prevent it recurring, and noted in the breach log.
8. Review Period
It is recommended that this policy is reviewed every 3 years. An ongoing review will also be carried out as and when necessary to prevent any serious breach or loss of data.
8.1 Review period of 3 years from date of approval by owners of Ruths Floral Design Studio
8.2 Record of Review to be held with the policy
8.3 Changes or additions to the policy must be authorised and, if necessary, a new revised document created or an amendment attached to the policy.
9. Good Practices
Good practices are essential for the smooth day-to-day running of the business. These include:
Ensuring that no customer data is left on a surface where it may be picked up or read by an unauthorised person.
Each user of the IT structure must have their own login details and password. Users must log off, or automatic log-off must be configured, whenever the system is left unattended.
Shredding of sensitive customer information must be performed by an authorised DPP, away from the general public.
Customer invoices and delivery notes are to be locked in a dry cupboard away from the general public.
Any POS material is to be shredded along with the customer information, as per this policy.
DO NOT leave any floral stickers carrying our address details lying around in areas open to public access.
CCTV must be checked on a monthly basis to ensure it is recording and that backups are maintained, and any lenses cleaned.
The premises alarm system is maintained by the installation company and monitored on a 24-hour basis by the response company. Ensure that they have up-to-date contact details at all times.
DO NOT leave the shop unattended at ANY TIME. If necessary, lock the door and put a note on the door with access times or instructions.
DO NOT leave a member of the public (customer) alone in the main shop at any time.
Approval of Policy
Policy Approved 18/5/2018
Gary and Ruth Staff