GDPR UK compliance.
Overview:
I am retired as of the end of the tax year 2021/2022. I am no longer a small business or even a one-man-band cottage industry. I no longer work to commission for clients. I do not advertise. I do not contact former clients for commercial reasons. I remain entitled to protection under GDPR as an individual, and for that reason of security some of my personal details are not disclosed, or they are disclosed on a need-to-know basis. GDPR is for everyone. I have a need to retain commercial records for HMRC purposes for a number of years, should any queries arise; my Accountant similarly holds records going back a number of years on his own secure system. Therefore, if you are a past client, or for any other current record-keeping reason, the following GDPR policy will continue to be observed until the expiry of any retention requirement means the records can be destroyed. The wording below is left to reflect the status before my retirement, and does not in any way indicate that I am running a commercial business, small, cottage or otherwise. I am retired.
1. Personal Data:
A lean amount of personal data is generated during the enquiry or process of commissioning me to work for a client; this will include the client name, address, telephone number, email, details of the work commissioned, and my fees charged for such work as agreed with the client; in some cases IP addresses will be held as a result of using my website. I operate a 'lean system' for the retention and use of client data, in other words, the minimum required to operate as an artist with clients. When a client pays by cheque for the work I perform, details of the cheque will be retained until such time as the cheque has cleared through the banking process, after which details of the cheque will be destroyed apart from the amount paid; only the amount paid will go forward through my accountancy to my Chartered Accountant, who is GDPR compliant. I sometimes have model railway items for sale that appear on my Shop page; these items are purchased by clients through the secure servers of PayPal, and I do not see your card details when you pay for items in your shopping basket. I do not have card payment facilities, and therefore payment card details are not gathered or held.
2. Consent:
It is absolutely necessary when contacting me, or engaging me in a commission, that certain basic data, listed above at 1. Personal Data, is made available to me so that I can meet my operational and legal business requirements, and meet my legal requirements to HMRC; therefore, the client consents to this data being held and used for this specific purpose, otherwise the business cannot operate, and the purpose of GDPR is not to stop legitimate and morally sound businesses from operating. If we cannot communicate we cannot do business. I market my business by physical advertisements in the model railway publications that seem appropriate, and thus rely upon responses from clients and potential clients to my advertisements; by responding to my advertising you are opting in to imparting information to me about your personal details, so far as is necessary, to make an enquiry or commission me to work for you.
3. Security of Data:
The data I hold is manually produced and kept upon paper, in other words manual bookkeeping, while some data will also be kept electronically, typically on a memory stick or upon a computer hard drive. The computer is protected by professional anti-virus / threat protection software that is kept fully up to date, and the computer is regularly scanned for threats.
4. Access Requests:
Requests for information, or indeed access to your personal data, limited as the amount I hold is, will be dealt with within the one-month time frame. I will have to satisfy myself, before I release information, that you are the person you say you are, and therefore you will need to satisfy my enquiries before I release your data.
5. Serious Breach:
In the event that a serious breach of data does occur, it will be reported within 72 hours of my becoming aware of the breach.
6. Due Diligence:
Due diligence will be applied, so far as reasonably practicable for a person without authority over suppliers, contractors, and third parties, to ensure that such suppliers, contractors, and third parties are themselves compliant with GDPR.
7. Fair Processing Notice:
Such data as I do retain has very limited use: it goes into my annual accounts, which I deliver to my professional Chartered Accountant, who operates a secure data system, and such information as he holds goes directly to HMRC. Both my Chartered Accountant and I retain a copy of my annual accounts as proof and a copy of the details submitted to HMRC. This data has no commercial or marketing purpose. The use of IP addresses is limited to understanding the success or failure of my website in attracting and interesting users, on a page-by-page evaluation; by this evaluation it is possible to determine whether the website design needs to be changed to meet visitor expectations.
8. Data Protection Officer (DPO):
My core activities do not involve regular or systematic monitoring of data subjects on a large scale, nor do they involve processing of large volumes of special category data (sensitive data), and therefore as a (very) small business I am not required to employ a Data Protection Officer (DPO).