White Swan Garage - 2a Adelaide Road, Southall, Middlesex, UB2 5PX
PRIVACY POLICY

CHAPTER 1: AUDIT OF DATA PROCESSING AND FLOW
  
RISK ASSESSMENT – IDENTIFICATION OF RISKS
The various ways we at White Swan Garage keep and process data has been identified in the sections below:
·         Diary Entries
·         On our Computer System
·         Hard Copy of Fail/Pass record
·         Data shared with 3 parties (for ordering parts/services)
·         Card Payment Slips, their safe-keeping and Transit
·         Number plate (RNPS) Record Sheets
The Diary:
Our Diary is kept in a secure part of our office in a ‘Staff only’ area and is not shared with 3 parties, the information is for our own day to day activity, once the calendar year is complete, the diary is kept in a locked filing location for ONE further year (reference purposes) and is destroyed and disposed of after this.
(Diary) Risks Posed:
Our day to day diary is not at risk of being lost as it does not leave its resting location in our office neither does last years stored diary which is locked away, the only risk posed is theft.
Theft of our current diary would be picked up within the hour as we use it for reference hourly and we would be able to report a breach to the ICO well within the specified timeframe.
Theft of the previous years ‘stored’ diary would require breaking in entry and again would be picked up within an hour as our staff would be witness to it if during business hours. Outside our business hours our alarm system would notify directors and the police the moment our site has detected an intruder, we would therefore be able to report a breach within the specified timeframe set by the ICO. The effect to our business would be minimal as diary data entries are transferred to our computer system once a vehicle arrives onsite; all that would be lost are pending appointments.
The Computer System:
Our computer system stores customer information such as Names, Address, Telephone numbers and vehicle specs, it is located in a secure part of our office in a ‘Staff only’ area and information kept herewith is stored for 5 years. The system has 2 levels of password protection and the passwords are changed quarterly. 3 members of staff have access to this information and the computer is NOT connected to the internet in anyway whatsoever to eradicate the risk of an internet breach. The Software and data is backed up internally and automatically at the end of each working day.
Although failure of the Computer would cause loss of access, the data would be eventually recoverable and in the interim the previous years diary can be used for reference and contact details.
 
(Computer) Risks Posed:
Our computer is not at risk of being lost as it is not portable and is a fixed desktop PC; the only risk posed is theft of the computer.
Although theft would be picked up by us and reported well within the specified timeframe the added double password protection would further protect the data contained within the system if it is stolen.
Hardcopy of MOT Fail/Pass record (known onsite as a VT40):
We are required by VOSA regulations to store 3 months of VT40 records, although this document doesn’t contain the customers personal details it does contain details about their vehicle. The current structure we have in place includes 3 folders kept in the ‘staff only’ part of our office, 1 file is for the ‘current’ month and 1 each for the previous 2 months. Once the ‘current’ month is complete, the oldest file is removed of its contents (which are responsibly destroyed) and the empty file becomes the new file for the month ahead.
(VT40) Risks posed
The only risk posed is theft as these files do not leave our office.
The ‘current’ file is accessed by a member of our team on a daily basis as new VT40’s are added to it daily and therefore we will be alerted quickly if there were to be a breach.
The previous 2 months files however may not be touched for 30-60 days which although WILL eventually be picked up by our team, it could be outside the specified timeframe to report a breach and therefore a structure and solution for this has been found and put into action, this has been explained below.
2 month records of VT40 – Changes in Practice – Risk Reduction
In order to tighten the security and to alert us earlier in the event of a breach, both previous months files will now be stored in a locked part of the office (same as ‘last year’s diary’). This significantly reduces the chances of a breach and enables the breach to be picked within the hour and reported to the ICO within the specified timeframe (72 hours).
Data Shared with 3 parties:
Data shared with 3 parties is split into 2 sections (A) in cases where only the car details are disclosed to order parts or services and (B) cases where the clients personal details must be confirmed when dealing with their insurer/warranty companies.
Case (A) Where only vehicle details are disclosed:
This case requires us to use a vehicle registration and or chassis number to order parts or services from a Main Dealer or Parts supplier and in the event of an MOT test details must be given to VOSA. In all these cases we must furnish the agent/partner with the car details to order parts or VOSA to issue an MOT certificate.
Risks to Case (A) – Where only vehicle details are disclosed:
The main risk posed here is how our agents or partners process this information and that they do so in line with the new GDPR regulations, although we can’t regulate this as this is the role of the ICO, we have shown an extended duty of care by ensuring our documentation is safeguarded by alarms, locks, passwords and safe storage.
Case (B) Where client’s personal details AND vehicle details are disclosed:
In certain cases clients’ vehicles are covered by warranties and insurance policies that require us to provide subject data to third parties regarding their claim. This includes providing client Name Address, membership number(s) and Vehicle details.
For both above cases (A & B) we have provided a list of our suppliers/agents/processors that can be found in ‘Appendix A’, the list also contains their GDPR compliance status.
PCI DSS Compliant Card Payment Slips, their safe-keeping and Transit:
Merchant copies of card payment slips must be retained by us for passing onto our accountant for processing our accounts, We at White Swan Garage ltd are PCI DSS compliant which in itself ensures a high level of security and sensitivity. Upon printing our ‘merchant copy’ it is locked into a safe locked area of our office with the remaining of the current quarters slips and is only removed at the end of the quarter to send on to our accountant.
Risk posed by retaining card payment slips and their transit:
The main risk posed to this data is theft, but as it is stored in our safe along with other sensitive data (as mentioned in other sections) any breach would require forced entry and we will be alerted immediately in good time to report a breach.
A secondary risk posed is loss or theft when our paperwork is in transit to our accountant; our GDPR compliant accountancy firm (listed in Appendix A) has a measure in place for security since we first began working with them. No paperwork is sent by post; paperwork is sealed within a large bag and is collected in person and delivered to our accountant by their dedicated in house driver. Even though we are no longer in possession of the data when we pass it over and it becomes our accountants duty to comply with GDPR regulations, we have requested that we are informed instantly in the case of a breach.
Number plate (RNPS) Record Sheets
Client details must be taken when making new or replacement number plate as part of DVLA regulations, we are instructed to keep these records for 3 years and must be made available to the police and or trading standards. Nothing has changed with the security of this book since the introduction of GDPR laws as it is kept in a locked part of the office at all times and all records older than 3 years are destroyed, thus complying with the regulations set by the ICO.
Number plate (RNPS) Record Sheets – Risks Posed
The only risk posed to this file is theft, but this would involve breaking in entry during or outside business hours and would be immediately picked up by staff during business hours and by our alarm system outside business hours.
CHAPTER 2: STAFF GUIDANCE AND EFFECTIVE PROCEDURES
In a case where staff may require support on GDPR related information, staff are encouraged to consult Mr Amardeep S Sehmi (DPO) regarding any queries they may have, they are each provided an emergency contact number in the event Mr Sehmi is offsite even though a nominated monitor will be onsite at all times to assist.
Tangible factors have been covered in a staff training program and in this document, but any intangible factors can be dealt with on a case by case basis and by consulting Mr Amardeep S Sehmi regarding any concerns or queries prior to disclosing or saving and personal details. Training will be refreshed every calendar year in the first week of January and/or when any changes to legislation or business processes are due to take effect
We have introduced new processes in addition to reiterating the importance of some of our old safeguarding processes in order to comply with GDPR principles.
Training Includes:
·         Diary Storage and Management
Where the current diary should be kept
Where the previous diary is kept
Data to be entered into the diary (keeping in compliance with GDPR and VOSA)
·         Computer System data Entry and Password Access
Password changing routine
Locking the screen when vacating
Only add details for the fields provided
·         Hard Copy of Fail/Pass record (VT40)
Storing and destroying these documents
·         Data shared with 3 parties (for ordering parts/services)
The importance of keeping our vendors list up to date
Adding and removing vendors
·         Card Payments, the associated  receipt(s) and  their safe-keeping
Processing a card payment
Safeguarding the retained receipt
·         Number plate records and safeguarding
Our legal requirements
Continued Safe storage
·         Client Consent records
Approaching the Client
Recording information
Saving to Tablet
Storage and Retention
 
General training has also been conducted for some good preventative practices, to ensure details are written directly into the diary and or onto our computer system and not onto note pads, in the event a customer is not present and or details are handed to a member of staff or taken in note form, a ‘transfer and destroy’ process is in place, whereby the information is transferred to our records and any notes are immediately destroyed.
 
CHAPTER 3: INFORMATION ASSET REGISTER
Our Information Asset Register can be found in Appendix B
CHAPTER 4: LAWFUL BASIS FOR PROCESSING PERSONAL DATA:
White Swan Garage complies with the GDPR lawful processing of customer data guidelines set by the ICO.  Depending on the service(s) requested by the data subject the lawful basis for processing personal data can vary. Below is an outline of how we comply with the guidelines through our varying products/services.
(A)   GENERAL REPAIRS & MAINTENANCE – Consensual basis
Vehicle mechanical or body repairs where the data subject is wholly paying for the product or service and no 3 party is liable for payment or involved in assessment whether a private body, a warranty company or an insurer are processed with the consent of the data subject. By issuing the vehicle to White Swan Garage and providing us personal and vehicle data, subjects are entering a contract of consent trusting White Swan Garage rely on the data provided for one or more of the following purposes; to contact the data subject for authorisation of repair, to report a problem with the planned works, to update or report findings, to discuss costs, to arrange collection of their vehicle and a granular option for White Swang garage to contact the client at a later date to notify subjects of overdue maintenance works on their vehicle(s). Clients’ vehicle details and specs will also need to be shared with suppliers and partners of White Swan Garage (listed in Appendix A) on behalf of the data subject to purchase parts and/or services for a data subject’s vehicle. Details will not be shared with any third parties for marketing or sales purposes.
By opting in, clients recognise that White swan Garage relies on the processing of their data to order components, data or services pertaining to the repair on the subject’s vehicle.
 
(B)   MOT TESTING – Public task with Legal obligations
Processing of subject data is necessary for White Swan Garage to conduct and update the government (VOSA) database. The connection between our VOSA system and VOSA’s main database is a secured internet connection for the safeguarding of the information processed; the actions exercised are under official authority vested in us by VOSA.
Processing in this instance is also necessary for compliance with the legal requirements and obligations set by VOSA when processing your MOT, this data is not sold or shared with 3 parties for any marketing or sales activity.
Personal details pertaining to the data subject will remain on our system and are not shared with VOSA however opting in on our granular consent form allows White Swan Garage to contact a client when their vehicles next maintenance/test is due.
(C)   WARRANTY, INSURANCE REPAIRS – Consent & Contract
In the event we are repairing a vehicle whereby a portion or the invoice is to be paid by the data subject’s insurer or warranty provider we will be required to process data with the 3 party for them to assess and/or authorise or reject a claim.  Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a repair contract
By opting-in clients give White Swan garage the authority to discuss the works with their insurer, warranty company, underwriters or agents acting on behalf of these parties, also accident management firms and any other parts/services suppliers pertaining to the repair or resolution that the client has contracted us to conduct.
(D)   Replacement Number Plates – Public task with legal obligation
We are entrusted by the DVLA to follow strict guidelines for documenting and storing details in order to reproduce replacement number plates for our clients; these details are stored in our records for 3 years and locked in a stored cupboard unless updating records.
By opting in clients are made aware that they give White Swan Garage permission to store these details to comply with DVLA Legislation in the event the clients’ vehicle requires a number plate.
(E)    GDPR CONSENT FORMS – Public task with legal obligation
We are required to keep client consent forms on file as part of the regulations set by the ICO, every 3 years these records will be destroyed. Your hardcopy is scanned and saved to a tablet device which is kept in a locked part of our office. Any breach of its security would require breaking in entry and would be immediately noticed by staff or by our alarm system outside business hours
The hardcopy is safely destroyed upon being transferred to the tablet device
 
CHAPTER 5: RIGHTS TO AMMEND OR REMOVE
Regardless of the nature or the clients repair/service all subject data remains on our computer system (for 5 years) which is NOT connected to the internet and is protected by 2 levels of password security, basic contact details may remain in our diary for 1 year from the end date but are kept in secure locations and only accessible by our office team. No details are sold or given to 3 parties for marketing or sales purposes. All clients (data subjects) have the right to request deletion of their personal details and the right to amend data stored by White Swan Garage ltd and can do so in the form of a letter, email, in person or by telephone and notifying us of the amendment or removal they require.
Data Protection Officer (DPO) – Mr Amardeep Singh Sehmi
Address: White Swan Garage, 2a Adelaide Road, Southall, Middlesex, UB2 5PX
Telephone: 020 8574 2193
 
CHAPTER 6: Data Protection Fee & Registration:
White Swan Garage ltd is currently registered with the Information Commissioner’s Office and our practices comply within the guidelines set.
CHAPTER 7: RIGHT TO BE INFORMED
All Clients have the right to be informed when their data is collected and whom we are sharing it with, this has been highlighted in the previous chapter and is supported by a list of our suppliers (Appendix A), the associated risks and safeguarding measures in Chapter 2 (Risk Assessment) of this document, The retention details and further statistics can be found in Appendix B. All personal data we obtain is taken directly from the data subject (client) and not from any third parties.
CHAPTER 8: RIGHT OF ACCESS:
Much like Chapter 5 (right to amend or remove), White Swan Garage offer 4 ways a client can access their data stored with us. Once a request is received and we are satisfied of their identity, a member of our office team will make any records we have stored available to the data subject. This includes but not limited to their personal information, information pertaining to their vehicle(s) and any prior invoices they have on file with us. Also included in this is VT40 information that is retained by us for a 3 month period from the date of a vehicles MOT test. In most cases this information will be made available with immediate effect however in some cases can take up to one calendar month. Typically this information is provided free of charge however White Swan Garage reserve the right to charge a 45p (plus VAT) per page fee whether printed or emailed to cover the cost of admin, materials and handling if a request is deemed to be manifestly unfounded or particularly if it is excessive or repeat information being provided.
 
CHAPTER 9: RIGHT TO RECTIFICATION AND DATA QUALITY:
Data subjects have the right to have personal data rectified if it is inaccurate or if it is not complete, if an individual’s details change for any reason these can be easily amended too, please see Chapter  5 ‘Right to amend or remove’. 
As you will have read in Chapter 8 data subjects also have the right to remove their personal data from our records. In some cases clients may wish to block or restrict the processing of their data in which case this is entirely acceptable however if a fee is charged to White Swan Garage ltd by a third party to facilitate the clients request, this fee will be chargeable to the individual wishing to block or cancel the request.
Rectification can all be processed with immediate effect if a client personally visits or calls us, alternatively it can take up to (but no longer) than a calendar month if we are informed in writing for most cases. Clients will be asked to confirm their name, address and vehicle registration in order to perform amendment or deletion of records and failure to confirm their identity will result in a request being refused. We also reserve the right to refuse if we are not satisfied with the identity check and may ask to physically see proof of identity in the form of a visit.
Deletion or erasure can only be performed if it is no longer necessary for seeing out activities or our legal obligations.
CHAPTER 10: RIGHT TO DATA PORTABILITY
Clients can request to move, copy or transfer their data from our stand alone computer database to another. Our Main computer is NOT connected to the internet for the safeguarding of our clients details, therefore the only means of transfer would be via an electronic memory device that the client would be required to provide, the device must meet and pass a virus check before it will be interfaced with our system and data can be transferred, copied or moved to their own device for them. Direct transfer to another environment is not technically feasible due to internet restrictions.
CHAPTER 11: RIGHT TO OBJECT
Our clients have the right to object to the processing of their personal data in certain circumstances. In cases of MOT Testing it is our legal obligation to provide vehicle details to VOSA as you will see in sections ‘Lawful basis processing’ & ‘purpose for processing’ therefore we are required to process this data as a legal obligation through the official authority vested in White Swan Garage by VOSA. Similarly in Warranty and Insurance related cases where a contractual agreement is in place between the data subject and the insurance/warranty company whereby their terms and conditions give the 3 party access or power to request such data from us (the repairer) and we are authorised to process it by the data subject.
With regards to day to day Mechanical, body or electrical private repairs a client can object to the processing of their personal data prior to beginning their works. Therefore no record of their personal data will be kept on file only a repair on that date of that nature to that vehicle.
 
 
CHAPTER 12: AUTOMATED DECISION MAKING INCLUDING PROFILING
No decisions are made using your data by artificial means, all data is used with human intervention and no systems exist in our environment that are automated or use profiling or automated decision making means.
CHAPTER 13: Accountability:
Our data protection policy has for many years operated in a stringent and consistent manner, we are delighted that with the guidance of the ICO it has been further strengthened and complies with the principles set by GDPR.
White Swan Garage ensure we remain compliant to changes in environment and processes both internal and external and manage changes in trends via the DPO and our Monitors whom together take responsibility of day to day practices. Our DPO (Mr A Sehmi) is accountable for staying abreast of developments and provides staff training and hand outs in addition to notices placed around the work place to serve as a reminder. We ensure staff read and understand our Privacy Statement and are aware of the Do’s and Don’ts that are incorporated within it (See Appendix D)
CHAPTER 14: Processor Contracts:
As mentioned in aforementioned chapters on occasion client data is processed via suppliers, agents and partners. Our accountancy firm and VOSA are the only companies that are provided with sensitive data, both are governed by bodies that set legal requirements and understand their responsibilities and liabilities and are both compliant to GDPR regulations.
White Swan Garage take data protection very seriously and our staff understands the risks to our company and understand that falling outside the strict guidelines set is in breach of company policy.
We have designed our documenting system to significantly reduce the chances of a breach, such as password protection in addition to lock and key protection for documentation and computer data. The computer that stores data is not connected to the internet to eradicate any chance of an internet breach.
CHAPTER 15: DPIA’s – Data Protection Impact Assessments
Due to little or no in-house changes expected on a short term basis an assessment will be conducted at the beginning of the calendar year prior to staff refreshment training. However as with staff training should there be a major change in the way we store or take data or a change in legislation and/or a change in the way a processors process data, a spot training exercise will be formulated and conducted.
Our data protection officer (Mr Amardeep S. Sehmi) will address any changes to IT, diary entries, payments, the way our accountant collects our paperwork, any changes VOSA make to the way MOT’s are processed, any changes reported by our processors  and of course any amendments made by the ICO, should any of these factors affect the way we process data or fall outside our guidelines, changes may need to be made to our structure in line with the regulations set by VOSA, PCI DSS compliancy and of course the ICO.
Senior Management (Directors) will also be conducting site audits when any changes take place both internally or externally, these do not have fixed time frames as of now, however may become a regular time based audit. Staff will be notified should this become a fixed time scale audit.
 
CHAPTER 16: DATA SECURITY & BREACH NOTIFICATION:
Our levels of security include a step by step buffered security system, the frontline is the ‘staff only’ enclosed work area, the next stage is password protection on IT system at (2-levels) and the next stage is lock and key. One or all of these factors would need to be breached in order to access subject data and during business hours any breach to these factors would be picked up within an hour or by the next business day. Similarly outside business hours our site is protected by an alarm system that notifies directors and the police immediately. Further details on each attribute, its risks and the safeguarding in place can be seen in Chapter 2.
International transfer protection does not currently apply to White Swan Garage as all our operations are conducted within the EU/UK; however should this change we will implement rules and regulations in line with the requirements of GDPR.
“ANY BREACH MUST BE REPORTED TO THE DPO IMMEDIATELY OR BY THE END OF THAT BUSINESS DAY, HE WILL ADVISE ANY IN HOUSE ACTIONS TO BE TAKEN, HE WILL NOTIFY ALL PARTIES WHOSE DATA HAS BEEN COMPROMISED (AND WHICH DATA) AND WILL NOTIFY THE ICO OF THE BREACH WELL WITHIN THE GIVEN TIMEFRAME OF 72 HOURS”
 (Taken from staff bulletin handed to staff May 2018)
 
CHAPTER 17: SECURITY POLICY & REPSONSIBILITY – SENSITIVE/PERSONAL DATA
Our security policy works hand in hand with our privacy policy (Appendix D) and our ‘staff guidance and effective procedures’ section in Chapter 2. These chapters also cover other aspects of security too but this section focuses on the security of the Sensitive and Personal data we store. This program has been implemented and is monitored by our data protection officer Mr Amardeep Sehmi and is subject for review should any internal or external factors change the way we process data and at the beginning of each calendar year.
Although our privacy policy outlines our principles and what we use data for, this section underlines how this data is kept secure, most factors are covered throughout the manual however some detailed factors have been outlined below for our staff and clients to be made aware of:
The Computer system (where client data is stored):
The system has 2 levels of password protection and the passwords are changed quarterly. 3 members of staff (and directors) have access to this information and the computer is NOT connected to the internet in anyway whatsoever to eradicate the risk of an internet breach. None of the details are sold to 3 parties and data is only used in conjunction with the contract of repair. Staff are not to share information with any 3 party and if a request is made to access the data a series of security questions are asked to satisfy our team member of the identity of the requestor prior to disclosure of any information held. Our IT system is never to be networked or connected to the internet and or moved from site. No hardware of software is added to the system without being scanned by up to date virus and malware detection software, first tested on another standalone machine. Our systems are designed to automatically back up files at the end of each working day; any log in attempts and activity by our staff members can be monitored by directors and our DPO. The information allows management to monitor who logged in, times of login in addition to the data that was accessed; accessing data without a genuine operational reason is in breach of company policy and outside the guidelines set by the ICO. These cases will be taken very seriously by White Swan Garage ltd and the resulting consequences to the offender could be anything from retraining to dismissal.
The Diary:
The Diary is a hardcopy where client bookings are taken, although details can be vague or in note form we still hold the security of our diary at a high level, the diary is kept behind our counter and in a ‘staff only’ part of the office, we had thought about updating this to tablet form however this makes the tablet-diary more susceptible to theft, therefore we believe a hardcopy diary is a far safer means of documenting this data. The diary is kept in a locked and alarmed part of the building overnight and is kept for 1 year after the expiration date of the diary for reference purposes. This is kept in a locked safe until it is destroyed. Staff are reminded never to move the diary outside its resting location in our ‘staff only’ part of the office and should the diary or content held within be compromised, lost or stolen it must be reported to the data protection officer Mr Amardeep S Sehmi immediately.
Card Payment Slips
Although our staff are trained on this for White Swan Garage to be PCI DSS compliant, which in itself ensures a high level of security and sensitivity.  Merchant copies of payment slips are locked into a safe with the remainder of the current quarter’s slips and is only removed at the end of the quarter to send on to our accountant. Daily slips are locked in a till and moved to the safe at the end of the working day. Extracts from our hand outs (provided to staff) on taking card payments and the safeguarding of the data is available in Appendix C and we encourage our clients and partners to read these too.
VT40’s 7 Number Plate Record Book
The security of the VT40’s has been updated since the introduction of GDPR. As you will see from our risk assessment in Chapter 1, only the current months data is kept outside of a locked area of the office for day to day reference purposes. Our policy is to keep 3 months of these records as required by VOSA
 
Number plate record book
The Number plate record book is stored in a locked part of our office at all times and is protected by lock and key when not in use. We only keep 3 years records of this data as legally required by the DVLA
Chapter 18: Marketing
White Swan Garage does not partake in any direct Marketing activities and our reasons for contacting a data subject are outlined in our Privacy Statement (Appendix D). We have a granular opt-in or opt-out policy made available to clients when providing consent for using their details for conducting the repair or service requested for their vehicle(s). Our practices strictly operate in line with the guidelines set by the ICO (GDPR) and by the Privacy and Electric Communications Regulations (PECR).
1)      Repair related authorisation:
This allows the client to authorise White Swan Garage ltd to use the data provided by the client to conduct a repair or perform maintenance, modification, bodywork or MOT Test on a vehicle at the client’s request. This includes but not limited to, producing number plates ordering parts or services, calling the client with updates/reports, to notify the client of a problem, to recover payment and calling the customer for collection of their vehicle.
2)      Maintenance Due/Overdue Notification:
This section provides lawful consensual basis that authorises White Swan Garage ltd to use the data provided by the client to contact them when an MOT test or timed maintenance is due or overdue on their vehicle(s). This service helps remind the client and allows them to address the necessity for maintenance in due course. The client has the option to take a positive action to opt-in for this service (See Appendix D).
Opting out of both of these factors can occur by:
·          Client request, (Telephone, Writing or by visiting us)
Opting out of Maintenance Due/Overdue Notifications can be achieved by:
·         By Client request, (Telephone, Writing or by visiting us)
OR
Automatically removed as part of our retention policy whereby a client’s reminder service is automatically removed from our system if a client misses due maintenance.
Example: if a client does not use White Swan Garage ltd for next year’s MOT, they will not be reminded for the MOT due date the following year as our system will automatically remove the reminder notification when breaking the chain.
 
CHAPTER 19: Records Management Policy
All records are kept on one machine and managed by the DPO, it will be spot reviewed if there are any changes to the way we store or process data. Invoice records are required by law to be kept for 5 years after the 31 January submission deadline of the relevant tax year and are not accessed or updated unless a customer return visits or requests information. Records are not at risk of being lost as the Computer is not portable; the only risk posed is theft of the computer.  Theft would be picked up by our team and reported by our DPO well within the allotted timeframe and the added double password protection would further protect the data contained within the system if the machine were stolen.
Data remains in our system until a client notifies us of sale or disposal of a vehicle, a change of address or name or a client request to have their data removed from our database.
Annual training (or refreshment) is scheduled for the first week of the calendar year or if any changes internal or external are made that effect the way we store or process data.
Monitoring is conducted by the DPO or the staff member managing the office, the monitor ensures practices are conducted within the guidelines presented in this document.
Other roles conducted by the DPO/monitor include the safe storing of archived records mandatory annual training in January however spot-training will be held in the event data processes change due to internal or external factors.
Each Quarter our hardcopies of paperwork from our accountancy firm are archived in a secure onsite location with restricted access; these are required to be kept under government legislation.
Our computer records are scheduled to be significantly reduced each January, records older than 5 years (that have not been accessed or updated) will be entirely removed from our system and disposed from retention.

Any hard copies of data that are to be destroyed will be shredded and disposed of in a confidential manner, should the requirement arise to dispose of large amounts of hard copy data, an external  GDPR compliant organisation will be contracted to conduct the process.