AUDIT OF DATA PROCESSING AND FLOW
RISK ASSESSMENT – IDENTIFICATION OF RISKS
The various ways in which we at White Swan Garage keep and process data have been identified in the sections below:
On our Computer System
Hard Copy of Fail/Pass record
Data shared with 3rd parties (for ordering parts/services)
Card Payment Slips, their safe-keeping and Transit
Number plate (RNPS) Record Sheets
Our Diary is kept in a secure part of our office in a ‘Staff only’ area and is not shared with 3rd parties; the information is for our own day-to-day activity. Once the calendar year is complete, the diary is kept in a locked filing location for ONE further year (for reference purposes) and is destroyed and disposed of after this.
(Diary) Risks Posed:
Our day-to-day diary is not at risk of being lost as it does not leave its resting location in our office, and neither does last year’s stored diary, which is locked away; the only risk posed is theft.
Theft of our current diary would be picked up within the
hour as we use it for reference hourly and we would be able to report a breach
to the ICO well within the specified timeframe.
Theft of the previous year’s ‘stored’ diary would require a break-in and again would be picked up within an hour, as our staff would witness it during business hours. Outside our business hours our alarm system would notify directors and the police the moment our site detected an intruder, so we would be able to report a breach within the specified timeframe set by the ICO. The effect on our business would be minimal, as diary data entries are transferred to our computer system once a vehicle arrives onsite; all that would be lost are pending appointments.
The Computer System:
Our computer system stores customer information such as names, addresses, telephone numbers and vehicle specs. It is located in a secure part of our office in a ‘Staff only’ area and the information kept on it is stored for 5 years. The system has 2 levels of password protection and the passwords are changed quarterly. 3 members of staff have access to this information and the computer is NOT connected to the internet in any way whatsoever, to eradicate the risk of an internet breach. The software and data are backed up internally and automatically at the end of each working day.
Although failure of the computer would cause loss of access, the data would eventually be recoverable, and in the interim the previous year’s diary can be used for reference and contact details.
Our computer is not at risk of being lost as it is not portable and is a fixed desktop PC; the only risk posed is theft of the computer. Although theft would be picked up by us and reported well within the specified timeframe, the added double password protection would further protect the data contained within the system if it were stolen.
Hardcopy of MOT Fail/Pass record (known onsite as a VT40):
We are required by VOSA regulations to store 3 months of VT40 records; although this document doesn’t contain the customer’s personal details, it does contain details about their vehicle. The current structure we have in place includes 3 folders kept in the ‘staff only’ part of our office: 1 file is for the ‘current’ month and 1 each for the previous 2 months. Once the ‘current’ month is complete, the oldest file is emptied of its contents (which are responsibly destroyed) and the empty file becomes the new file for the
(VT40) Risks posed
The only risk posed is theft as these files do not leave our
The ‘current’ file is accessed by a member of our team on a daily basis, as new VT40s are added to it daily, and therefore we will be alerted quickly if there were to be a breach.
The previous 2 months’ files, however, may not be touched for 30-60 days. Although a breach WILL eventually be picked up by our team, it could be outside the specified timeframe to report a breach, and therefore a structure and solution for this has been found and put into action; this has been
2 month records of VT40 – Changes in Practice – Risk Reduction
In order to tighten security and to alert us earlier in the event of a breach, both previous months’ files will now be stored in a locked part of the office (the same as ‘last year’s diary’). This significantly reduces the chances of a breach and enables a breach to be picked up within the hour and reported to the ICO within the specified timeframe (72 hours).
Data Shared with 3rd Parties
Data shared with 3rd parties is split into 2 sections: (A) cases where only the car details are disclosed to order parts or services, and (B) cases where the client’s personal details must be confirmed when dealing with their insurer/warranty companies.
Case (A) Where only vehicle details are disclosed:
This case requires us to use a vehicle registration and/or chassis number to order parts or services from a main dealer or parts supplier, and in the event of an MOT test, details must be given to VOSA. In all these cases we must furnish the agent/partner with the car details to order parts, or VOSA to issue an MOT certificate.
Risks to Case (A) – Where only vehicle details are disclosed:
The main risk posed here is how our agents or partners process this information and whether they do so in line with the new GDPR regulations. Although we can’t regulate this, as that is the role of the ICO, we have shown an extended duty of care by ensuring our documentation is safeguarded by alarms, locks, passwords and safe storage.
Case (B) Where client’s personal details AND vehicle details are disclosed:
In certain cases clients’ vehicles are covered by warranties and insurance policies that require us to provide subject data to third parties regarding their claim. This includes providing the client’s name, address, membership number(s) and vehicle details.
For both above cases (A & B) we have provided a list of
our suppliers/agents/processors that can be found in ‘Appendix A’, the list
also contains their GDPR compliance status.
PCI DSS Compliant – Card Payment Slips, their safe-keeping and Transit:
Merchant copies of card payment slips must be retained by us for passing on to our accountant for processing our accounts. We at White Swan Garage ltd are PCI DSS compliant, which in itself ensures a high level of security and sensitivity. Upon printing our ‘merchant copy’ it is locked into a safe, locked area of our office with the rest of the current quarter’s slips and is only removed at the end of the quarter to send on to our accountant.
Risk posed by retaining card payment slips and their transit:
The main risk posed to this data is theft, but as it is stored in our safe along with other sensitive data (as mentioned in other sections), any breach would require forced entry and we would be alerted immediately, in good time to report a breach.
A secondary risk posed is loss or theft when our paperwork is in transit to our accountant; our GDPR compliant accountancy firm (listed in Appendix A) has had a security measure in place since we first began working with them. No paperwork is sent by post; paperwork is sealed within a large bag and is collected in person and delivered to our accountant by their dedicated in-house driver. Even though we are no longer in possession of the data when we pass it over, and it becomes our accountant’s duty to comply with GDPR regulations, we have requested that we are informed instantly in the case of a
Number plate (RNPS) Record Sheets:
Client details must be taken when making new or replacement number plates as part of DVLA regulations; we are instructed to keep these records for 3 years and they must be made available to the police and/or trading standards. Nothing has changed with the security of this book since the introduction of GDPR laws, as it is kept in a locked part of the office at all times and all records older than 3 years are destroyed, thus complying with the regulations set by the ICO.
Number plate (RNPS) Record Sheets – Risks Posed
The only risk posed to this file is theft, but this would involve a break-in during or outside business hours and would be immediately picked up by staff during business hours and by our alarm system outside business hours.
CHAPTER 2: STAFF GUIDANCE AND EFFECTIVE PROCEDURES
In a case where staff may require support on GDPR related information, staff are encouraged to consult Mr Amardeep S Sehmi (DPO) regarding any queries they may have. They are each provided with an emergency contact number in the event Mr Sehmi is offsite, even though a nominated monitor will be onsite at all times to assist.
Tangible factors have been covered in a staff training program and in this document, but any intangible factors can be dealt with on a case-by-case basis and by consulting Mr Amardeep S Sehmi regarding any concerns or queries prior to disclosing or saving any personal details. Training will be refreshed every calendar year in the first week of January and/or when any changes to legislation or business processes are due to take effect.
We have introduced new processes in addition to reiterating
the importance of some of our old safeguarding processes in order to comply
with GDPR principles.
Storage and Management:
- Where the current diary should be kept
- Where the previous diary is kept
- Data to be entered into the diary (keeping in compliance with GDPR and VOSA)
System data Entry and Password Access:
- Password changing routine
- Locking the screen when vacating
- Only add details for the fields provided
Hardcopy of Fail/Pass record (VT40):
- Storing and destroying these documents
Data shared with 3rd parties (for ordering parts/services):
- The importance of keeping our vendors list up to date
- Adding and removing vendors
the associated receipt(s) and their safe-keeping:
- Processing a card payment
- Safeguarding the retained receipt
Number plate records and safeguarding:
- Our legal requirements
- Continued Safe storage
Approaching the Client
Saving to Tablet
Storage and Retention
General training has also been conducted on some good preventative practices, to ensure details are written directly into the diary and/or onto our computer system and not onto note pads. In the event a customer is not present and/or details are handed to a member of staff or taken in note form, a ‘transfer and destroy’ process is in place, whereby the information is transferred to our records and any notes are immediately
CHAPTER 3: INFORMATION ASSET REGISTER
Our Information Asset Register can be found in Appendix B.
CHAPTER 4: LAWFUL BASIS FOR PROCESSING PERSONAL DATA:
White Swan Garage complies with the GDPR lawful processing
of customer data guidelines set by the ICO.
Depending on the service(s) requested by the data subject the lawful
basis for processing personal data can vary. Below is an outline of how we
comply with the guidelines through our varying products/services.
REPAIRS & MAINTENANCE – Consensual basis
Vehicle mechanical or body repairs where the data subject is wholly paying for the product or service and no 3rd party, whether a private body, a warranty company or an insurer, is liable for payment or involved in assessment are processed with the consent of the data subject. By issuing the vehicle to White Swan Garage and providing us with personal and vehicle data, subjects are entering a contract of consent, trusting White Swan Garage to rely on the data provided for one or more of the following purposes: to contact the data subject for authorisation of repair, to report a problem with the planned works, to update or report findings, to discuss costs, to arrange collection of their vehicle, and a granular option for White Swan Garage to contact the client at a later date to notify subjects of overdue maintenance works on their vehicle(s). Clients’ vehicle details and specs will also need to be shared with suppliers and partners of White Swan Garage (listed in Appendix A) on behalf of the data subject to purchase parts and/or services for a data subject’s vehicle. Details will not be shared with any third parties for marketing or sales purposes.
By opting in, clients recognise that White Swan Garage relies on the processing of their data to order components, data or services pertaining to the repair of the subject’s vehicle.
TESTING – Public task with Legal obligations
Processing of subject data is necessary for White Swan Garage to conduct tests and update the government (VOSA) database. The connection between our VOSA system and VOSA’s main database is a secured internet connection for the safeguarding of the information processed; the actions exercised are under official authority vested in us by VOSA.
Processing in this instance is also necessary for compliance with the legal requirements and obligations set by VOSA when processing your MOT; this data is not sold or shared with 3rd parties for any marketing or sales activity.
Personal details pertaining to the data subject will remain on our system and are not shared with VOSA; however, opting in on our granular consent form allows White Swan Garage to contact a client when their vehicle’s next maintenance/test is due.
INSURANCE REPAIRS – Consent & Contract
In the event we are repairing a vehicle where all or part of the invoice is to be paid by the data subject’s insurer or warranty provider, we will be required to process data with the 3rd party for them to assess and/or authorise or reject a claim. Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a repair contract.
By opting in, clients give White Swan Garage the authority to discuss the works with their insurer, warranty company, underwriters or agents acting on behalf of these parties, as well as accident management firms and any other parts/services suppliers pertaining to the repair or resolution that the client has contracted us to conduct.
Replacement Number Plates – Public task with legal obligation
We are entrusted by the DVLA to follow strict guidelines for documenting and storing details in order to reproduce replacement number plates for our clients; these details are stored in our records for 3 years and locked in a storage cupboard unless records are being updated.
By opting in clients are made aware that they give White
Swan Garage permission to store these details to comply with DVLA Legislation
in the event the clients’ vehicle requires a number plate.
CONSENT FORMS – Public task with legal obligation
We are required to keep client consent forms on file as part of the regulations set by the ICO; every 3 years these records will be destroyed. Your hardcopy is scanned and saved to a tablet device which is kept in a locked part of our office. Any breach of its security would require a break-in and would be immediately noticed by staff, or by our alarm system outside business hours. The hardcopy is safely destroyed upon being transferred to the tablet device.
CHAPTER 5: RIGHTS TO AMEND OR REMOVE
Regardless of the nature of the client’s repair/service, all subject data remains on our computer system (for 5 years), which is NOT connected to the internet and is protected by 2 levels of password security. Basic contact details may remain in our diary for 1 year from the end date but are kept in secure locations and are only accessible by our office team. No details are sold or given to 3rd parties for marketing or sales purposes.
All clients (data subjects) have the right to request deletion of their personal details and the right to amend data stored by White Swan Garage ltd, and can do so by letter, email, in person or by telephone, notifying us of the amendment or removal they require.
Data Protection Officer (DPO) – Mr Amardeep Singh
Address: White Swan Garage, 2a Adelaide Road,
Southall, Middlesex, UB2 5PX
Telephone: 020 8574 2193
CHAPTER 6: Data Protection Fee & Registration:
White Swan Garage ltd is currently registered with
the Information Commissioner’s Office and our practices comply within the
CHAPTER 7: RIGHT TO BE INFORMED
All clients have the right to be informed when their data is collected and whom we are sharing it with. This has been highlighted in the previous chapter and is supported by a list of our suppliers (Appendix A) and the associated risks and safeguarding measures in Chapter 2 (Risk Assessment) of this document; the retention details and further statistics can be found in Appendix B. All personal data we obtain is taken directly from the data subject (client) and not from any third parties.
CHAPTER 8: RIGHT OF ACCESS:
Much like Chapter 5 (right to amend or remove), White Swan Garage offers 4 ways a client can access their data stored with us. Once a request is received and we are satisfied of their identity, a member of our office team will make any records we have stored available to the data subject. This includes, but is not limited to, their personal information, information pertaining to their vehicle(s) and any prior invoices they have on file with us. Also included is VT40 information that is retained by us for a 3 month period from the date of a vehicle’s MOT test. In most cases this information will be made available with immediate effect; however, in some cases it can take up to one calendar month. Typically this information is provided free of charge; however, White Swan Garage reserves the right to charge a 45p (plus VAT) per page fee, whether printed or emailed, to cover the cost of admin, materials and handling if a request is deemed to be manifestly unfounded, or particularly if it is excessive or repeat information being provided.
CHAPTER 9: RIGHT TO RECTIFICATION AND DATA QUALITY:
Data subjects have the right to have personal data rectified if it is inaccurate or if it is not complete; if an individual’s details change for any reason these can be easily amended too. Please see Chapter 5 ‘Right to amend or remove’.
As you will have read in Chapter 8, data subjects also have the right to remove their personal data from our records. In some cases clients may wish to block or restrict the processing of their data, which is entirely acceptable; however, if a fee is charged to White Swan Garage ltd by a third party to facilitate the client’s request, this fee will be chargeable to the individual wishing to block or cancel the request.
Rectification can be processed with immediate effect if a client personally visits or calls us; alternatively, in most cases it can take up to (but no longer than) a calendar month if we are informed in writing. Clients will be asked to confirm their name, address and vehicle registration in order to perform amendment or deletion of records, and failure to confirm their identity will result in the request being refused. We also reserve the right to refuse if we are not satisfied with the identity check and may ask to physically see proof of identity in the form of a visit.
Deletion or erasure can only be
performed if it is no longer necessary for seeing out activities or our legal
CHAPTER 10: RIGHT TO DATA PORTABILITY
Clients can request to move, copy or transfer their data from our stand-alone computer database to another. Our main computer is NOT connected to the internet for the safeguarding of our clients’ details; therefore the only means of transfer would be via an electronic memory device that the client would be required to provide. The device must meet and pass a virus check before it will be interfaced with our system and data can be transferred, copied or moved to their own device for them. Direct transfer to another environment is not technically feasible due to internet restrictions.
CHAPTER 11: RIGHT TO OBJECT
Our clients have the right to object to the processing of their personal data in certain circumstances. In cases of MOT testing it is our legal obligation to provide vehicle details to VOSA, as you will see in the sections ‘Lawful basis processing’ & ‘purpose for processing’; therefore we are required to process this data as a legal obligation through the official authority vested in White Swan Garage by VOSA. Similarly, in warranty and insurance related cases a contractual agreement is in place between the data subject and the insurance/warranty company whereby their terms and conditions give the 3rd party access or power to request such data from us (the repairer), and we are authorised to process it by the data subject.
With regard to day-to-day mechanical, body or electrical private repairs, a client can object to the processing of their personal data prior to beginning their works. In that case no record of their personal data will be kept on file, only a record of a repair of that nature on that date to that vehicle.
CHAPTER 12: AUTOMATED DECISION MAKING INCLUDING PROFILING
No decisions are made using your data by artificial means; all data is used with human intervention and no systems exist in our environment that are automated or use profiling or automated decision making.
CHAPTER 13: Accountability:
Our data protection policy has for many years operated in a stringent and consistent manner; we are delighted that with the guidance of the ICO it has been further strengthened and complies with the principles set by
White Swan Garage ensures we remain compliant with changes in environment and processes, both internal and external, and manages changes in trends via the DPO and our Monitors, who together take responsibility for day-to-day practices. Our DPO (Mr A Sehmi) is accountable for staying abreast of developments and provides staff training and hand-outs in addition to notices placed around the workplace to serve as a reminder. We ensure staff read and understand our Privacy Statement and are aware of the Do’s and Don’ts that are incorporated within it (see Appendix D).
CHAPTER 14: Processor
As mentioned in earlier chapters, on occasion client data is processed via suppliers, agents and partners. Our accountancy firm and VOSA are the only companies that are provided with sensitive data; both are governed by bodies that set legal requirements, understand their responsibilities and liabilities, and are both compliant with GDPR regulations.
White Swan Garage takes data protection very seriously, and our staff understand the risks to our company and understand that falling outside the strict guidelines set is a breach of company policy.
We have designed our documenting system to significantly reduce the chances of a breach, with password protection in addition to lock and key protection for documentation and computer data. The computer that stores data is not connected to the internet to eradicate any chance of an
CHAPTER 15: DPIA’s – Data Protection Impact Assessments
Due to little or no in-house change being expected in the short term, an assessment will be conducted at the beginning of the calendar year prior to staff refresher training. However, as with staff training, should there be a major change in the way we store or take data, a change in legislation and/or a change in the way our processors process data, a spot training exercise will be formulated and conducted.
Our data protection officer (Mr Amardeep S. Sehmi) will address any changes to IT, diary entries, payments, the way our accountant collects our paperwork, any changes VOSA makes to the way MOTs are processed, any changes reported by our processors and of course any amendments made by the ICO. Should any of these factors affect the way we process data or fall outside our guidelines, changes may need to be made to our structure in line with the regulations set by VOSA, PCI DSS compliance and of course the ICO.
Senior Management (Directors) will also conduct site audits when any changes take place, both internally and externally; these do not have fixed time frames as of now but may become regular time-based audits. Staff will be notified should this become a fixed time scale audit.
CHAPTER 16: DATA SECURITY & BREACH NOTIFICATION:
Our levels of security form a step-by-step buffered security system: the front line is the ‘staff only’ enclosed work area, the next stage is password protection on the IT system (2 levels) and the next stage is lock and key. One or all of these factors would need to be breached in order to access subject data, and during business hours any breach of these factors would be picked up within an hour or by the next business day. Similarly, outside business hours our site is protected by an alarm system that notifies directors and the police immediately. Further details on each attribute, its risks and the safeguarding in place can be seen in Chapter 2.
International transfer protection does not currently apply
to White Swan Garage as all our operations are conducted within the EU/UK;
however should this change we will implement rules and regulations in line with
the requirements of GDPR.
“ANY BREACH MUST BE REPORTED TO THE DPO IMMEDIATELY OR BY
THE END OF THAT BUSINESS DAY, HE WILL ADVISE ANY IN HOUSE ACTIONS TO BE TAKEN,
HE WILL NOTIFY ALL PARTIES WHOSE DATA HAS BEEN COMPROMISED (AND WHICH DATA) AND
WILL NOTIFY THE ICO OF THE BREACH WELL WITHIN THE GIVEN TIMEFRAME OF 72 HOURS”
(Taken from staff bulletin handed to staff May 2018)
CHAPTER 17: SECURITY POLICY & RESPONSIBILITY –
procedures’ section in Chapter 2. These chapters also cover other aspects of security, but this section focuses on the security of the sensitive and personal data we store. This program has been implemented and is monitored by our data protection officer Mr Amardeep Sehmi and is subject to review should any internal or external factors change the way we process data, and at the beginning of each calendar year.
we use data for. This section underlines how this data is kept secure; most factors are covered throughout the manual, however some detailed factors have been outlined below for our staff and clients to be made aware of:
The Computer system (where client data is stored):
The system has 2 levels of password protection and the passwords are changed quarterly. 3 members of staff (and directors) have access to this information and the computer is NOT connected to the internet in any way whatsoever, to eradicate the risk of an internet breach. None of the details are sold to 3rd parties and data is only used in conjunction with the contract of repair. Staff are not to share information with any 3rd party, and if a request is made to access the data a series of security questions are asked to satisfy our team member of the identity of the requestor prior to disclosure of any information held. Our IT system is never to be networked or connected to the internet and/or moved from site. No hardware or software is added to the system without being scanned by up-to-date virus and malware detection software, first tested on another standalone machine. Our systems are designed to automatically back up files at the end of each working day; any log-in attempts and activity by our staff members can be monitored by directors and our DPO. The information allows management to monitor who logged in and the times of login, in addition to the data that was accessed; accessing data without a genuine operational reason is in breach of company policy and outside the guidelines set by the ICO. These cases will be taken very seriously by White Swan Garage ltd and the resulting consequences to the offender could be anything from retraining to dismissal.
The Diary is a hardcopy where client bookings are taken. Although details can be vague or in note form, we still hold the security of our diary at a high level: the diary is kept behind our counter and in a ‘staff only’ part of the office. We had thought about updating this to tablet form; however, this would make the tablet-diary more susceptible to theft, and therefore we believe a hardcopy diary is a far safer means of documenting this data. The diary is kept in a locked and alarmed part of the building overnight and is kept for 1 year after the expiration date of the diary for reference purposes. This is kept in a locked safe until it is destroyed. Staff are reminded never to move the diary outside its resting location in our ‘staff only’ part of the office, and should the diary or the content held within be compromised, lost or stolen it must be reported to the data protection officer Mr Amardeep S Sehmi.
Card Payment Slips
Our staff are trained on this so that White Swan Garage remains PCI DSS compliant, which in itself ensures a high level of security and sensitivity. Merchant copies of payment slips are locked into a safe with the remainder of the current quarter’s slips and are only removed at the end of the quarter to send on to our accountant. Daily slips are locked in a till and moved to the safe at the end of the working day. Extracts from our hand-outs (provided to staff) on taking card payments and the safeguarding of the data are available in Appendix C and we encourage our clients and partners to read these too.
VT40s & Number Plate
The security of the VT40s has been updated since the introduction of GDPR. As you will see from our risk assessment in Chapter 1, only the current month’s data is kept outside of a locked area of the office for day-to-day reference purposes. Our policy is to keep 3 months of these records, as required by VOSA.
Number plate record
The Number plate record book is stored in a locked part of our office at all times and is protected by lock and key when not in use. We only keep 3 years’ records of this data, as legally required by the DVLA.
Chapter 18: Marketing
White Swan Garage does not partake in any direct marketing activities and our reasons for contacting a data subject are outlined in our Privacy Statement (Appendix D). We have a granular opt-in or opt-out policy made available to clients when providing consent for using their details for conducting the repair or service requested for their vehicle(s). Our practices strictly operate in line with the guidelines set by the ICO (GDPR) and by the Privacy and Electronic Communications Regulations (PECR).
This allows the client to authorise White Swan Garage ltd to use the data provided by the client to conduct a repair or perform maintenance, modification, bodywork or an MOT test on a vehicle at the client’s request. This includes, but is not limited to, producing number plates, ordering parts or services, calling the client with updates/reports, notifying the client of a problem, recovering payment and calling the customer for collection of their vehicle.
This section provides the lawful consensual basis that authorises White Swan Garage ltd to use the data provided by the client to contact them when an MOT test or timed maintenance is due or overdue on their vehicle(s). This service helps remind the client and allows them to address the necessity for maintenance in due course. The client has the option to take a positive action to opt in for this service (see Appendix D).
Opting out of both of these factors can occur by:
- By Client request (Telephone, Writing or by visiting us)
Opting out of Maintenance Due/Overdue Notifications can be achieved by:
- By Client request (Telephone, Writing or by visiting us)
- Automatically removed as part of our retention policy, whereby a client’s reminder service is automatically removed from our system if a client misses due maintenance.
Example: if a client does not use White Swan Garage
ltd for next year’s MOT, they will not be reminded for the MOT due date the
following year as our system will automatically remove the reminder
notification when breaking the chain.
CHAPTER 19: Records Management Policy
All records are kept on one machine and managed by the DPO; they will be spot reviewed if there are any changes to the way we store or process data. Invoice records are required by law to be kept for 5 years after the 31 January submission deadline of the relevant tax year and are not accessed or updated unless a customer returns for a visit or requests information. Records are not at risk of being lost as the computer is not portable; the only risk posed is theft of the computer. Theft would be picked up by our team and reported by our DPO well within the allotted timeframe, and the added double password protection would further protect the data contained within the system if the machine were stolen.
Data remains in our system until
a client notifies us of sale or disposal of a vehicle, a change of address or
name or a client request to have their data removed from our database.
Annual training (or refresher training) is scheduled for the first week of the calendar year, or if any changes, internal or external, are made that affect the way we store or process data.
Monitoring is conducted by the
DPO or the staff member managing the office, the monitor ensures practices are
conducted within the guidelines presented in this document.
Other roles conducted by the DPO/monitor include the safe storing of archived records and mandatory annual training in January; however, spot-training will be held in the event data processes change due to internal or external factors.
Each Quarter our hardcopies of
paperwork from our accountancy firm are archived in a secure onsite location
with restricted access; these are required to be kept under government
Our computer records are
scheduled to be significantly reduced each January, records older than 5 years
(that have not been accessed or updated) will be entirely removed from our
system and disposed from retention.
Any hard copies of data that are
to be destroyed will be shredded and disposed of in a confidential manner,
should the requirement arise to dispose of large amounts of hard copy data, an
external GDPR compliant organisation
will be contracted to conduct the process.