General Data Protection Regulation (GDPR) Policy

 

Version   Date         Status   Author          Changes                                                    Next update due
0.1       24.04.2018   Draft    Keith Roberts   First draft                                                N/A
1.0       25.04.2018   Final    Keith Roberts   Agreed version KR/HFR                                      25.10.2018
1.1       25.10.2018   Final    Keith Roberts   No changes                                                 30.06.2019
1.2       27.08.2019   Final    Keith Roberts   Activity categories added for 2018/2019, Hilary updated    28.02.2020

 

Introductory Remarks

Wessex Image Coach is committed to ensuring that any personal data supplied by its clients is handled safely and with the utmost confidentiality.

It is aware that any business, irrespective of its size, must comply with the General Data Protection Regulation (hereinafter referred to as the GDPR) if it processes personal data, and that stricter requirements apply to the “special categories” of personal data, including health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.

Wessex Image Coach has taken guidance from DTHR Solutions in Bridport on the need to ensure compliance with the GDPR. DTHR’s recommendation is that Wessex Image Coach does not need to take specific GDPR compliance measures, subject to the following:

Most of your information is in the public domain, i.e. LinkedIn profiles, Facebook pages, business email addresses etc., so [GDPR is] not a concern. If you do have confidential information on file that relates (or can be linked) to individuals you may want to review and check it is relevant and necessary to keep. I am sure you have good anti-virus software etc. and that should be enough to protect what you need to keep. You may want to put a disclaimer at the bottom of your [business] emails …

All of the above points have been taken into account in the present policy document.

Furthermore, given that the focus of Wessex Image Coach’s business portfolio has, in the past two to three years, moved away entirely from the only activity involving the processing of personal data, namely one-to-one image coaching (see section 2 below), the requirements of the GDPR are not currently applicable to Wessex Image Coach. The actions set out in this policy document will, however, apply to any future one-to-one image coaching activities.

1.   Awareness

Wessex Image Coach is a joint partnership between Hilary Fecher-Roberts and Keith Roberts, both of whom have acquainted themselves with the general requirements of the GDPR.

It does not use any other staff (whether in-house or external) or third parties, so no specific GDPR-related training is deemed necessary.

Both partners have worked together to identify areas that could cause compliance issues under the GDPR. This work was carried out on 24 April 2018.

Keith is responsible for keeping himself informed of any changing requirements and for informing Hilary accordingly.

2.   Information Held

Wessex Image Coach’s business can be broken down into three categories:

·         Blog writing – no personal data is shared with the client.

·         Classroom training – no personal data is shared with the client and/or training participants.

·         One-to-one image coaching – one-to-one image coaching “orders” are agreed verbally with clients on a case-by-case basis; no standard paperwork is completed or issued, and the Wessex Image Coach website does not offer the option of placing an order online. Clients provide their name, telephone number and email address plus, where appropriate, a read-only link to their Facebook/LinkedIn/Twitter accounts. They may also provide their home and/or business address, their employer where appropriate, and a hard and/or soft copy of their curriculum vitae. Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person in question (e.g. biometric data such as face, fingerprint or iris recognition data) are not required for the service and are not collected. In all cases the person’s personal “profile” is assessed and reviewed verbally and in writing.

In the 2018/2019 tax year these three categories of activity accounted for the following shares of Wessex Image Coach’s total sales:

Blog writing                  99 %    No personal data processed
Classroom training             1 %    No personal data processed
One-to-one image coaching      0 %    Would involve processing of personal data

The corresponding shares in 2017/2018 were as follows:

Blog writing                  84 %    No personal data processed
Classroom training            16 %    No personal data processed
One-to-one image coaching      0 %    Would involve processing of personal data

and in 2016/2017:

Blog writing                  92 %    No personal data processed
Classroom training             8 %    No personal data processed
One-to-one image coaching      0 %    Would involve processing of personal data

It can be seen from the business volumes above that no personal data has been collected or processed since 2015/2016 when the business strategy moved more in the direction of blog writing and classroom training. Consequently, compliance with the GDPR is not currently required.

Other relevant information:

·         Encryption is not currently used to protect files held online or other information. Personal client data is, however, held in password-protected files and is stored temporarily on Hilary’s and/or Keith’s standalone laptops before being backed up to an external hard drive. Anti-virus and anti-malware software is installed on each laptop and is updated automatically every day.

·         No personal data is collected or processed on the Wessex Image Coach website or on its Facebook, LinkedIn and Twitter pages.

·         Both standalone laptops are password-protected and are backed up weekly to an external drive.

·         Clients’ phone numbers and email addresses are stored in MS Outlook and are backed up to iCloud on a weekly basis. They are accessible on password-protected iPhones and iPads.

·         Only data required for the needs of the client in question is stored. Wessex Image Coach is not legally required to hold client data for tax or other purposes.

3.   Communication of Privacy Information

Emails sent from the business email account (info@wesseximagecoach.com) include the following disclaimer:

This email and any attachments thereto may be of a confidential nature and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must not take any action based upon its contents, nor may you copy it or show it to anyone. Please delete the e-mail and any attachments. You should contact info@wesseximagecoach.com if you believe you have received this email in error. Any dissemination, distribution, copying or use of this communication and its attachments without the prior permission of the addressee is strictly prohibited.

Attachments to this e-mail may contain software viruses that could damage your computer systems. Wessex Image Coach has taken every reasonable precaution to minimise this risk, but we advise that any attachments should be virus-checked before they are opened.

The following privacy notice is issued to all clients providing personal data:

Wessex Image Coach is a business partnership comprising Hilary Fecher-Roberts and Keith Roberts. Any information and personal data you supply to both or either of the partners will be processed with the utmost confidentiality and will be used exclusively for the purposes of enhancing your personal image and brand in line with your specific remit. All such information and personal data will be deleted on completion of your order. You have a right to request deletion of your personal data at any time and to complain to the Information Commissioner’s Office (ICO) should you feel there is a problem with the way Wessex Image Coach is handling your data.

 

Signed (Wessex Image Coach)                                   Date

Signed (Client)                                                                   Date

4.   Individuals’ Rights

Clients have full rights in respect of their personal data:

·         Personal data is deleted from all standalone laptops and the external storage drive as soon as the final report or other documentation has been handed over to the client.

·         Electronic files supplied to the client will be created in a format readable by the client’s own software. The formats currently offered are MS Word, MS Excel, MS PowerPoint, pdf, jpg, png.

·         Upon request clients may access their personal data held by Wessex Image Coach, request that said data be rectified where appropriate and that data be erased and/or its processing be restricted.

·         Clients have the right to request data portability and to object to the way in which their data is used.

·         Wessex Image Coach does not subject clients to automated decision-making.

·         Should Wessex Image Coach’s IT systems be subject to a security breach, clients whose personal data is being stored prior to permanent erasure will be notified without delay.

5.   Subject Access Rights

Wessex Image Coach will respond to all client requests made under the GDPR (including subject access requests) free of charge and within one calendar month of receipt.

Should a request be deemed to be manifestly unfounded or excessive, it may be refused and the reason or reasons for said refusal will be explained in writing to the individual concerned. The individual’s right to complain to the supervisory authority and to a judicial remedy will also be explained without delay (but within one calendar month at the latest).

6.   Lawful Basis for Processing Personal Data

Clients provide personal data voluntarily and are at all times free to withhold details if they prefer. The lawful basis for processing is therefore the client’s consent.

Because processing rests on consent, clients may withdraw that consent at any time and have a clear right to have their data deleted by Wessex Image Coach.

7.   Consent

Wessex Image Coach accepts the following basic principles in terms of obtaining client consent:

·         We make the request for consent prominent and separate from our terms and conditions.

·         We ask people to positively opt in.

·         We do not use pre-ticked boxes, or any other type of consent by default.

·         We use clear, plain language that is easy to understand.

·         We specify why we want the data and what we are going to do with it.

·         We have named our organisation and any third parties.

·         We tell individuals they can withdraw their consent.

·         We ensure that the individual can refuse to consent without detriment.

·         We do not make consent a precondition of a service.

·         We keep a record of when and how we got consent from the individual.

·         We keep a record of exactly what they were told at the time.

·         We regularly review consents to check that the relationship, the processing and the purposes have not changed.

Wessex Image Coach is aware of the requirement to separate consent from its business terms and conditions. However, since it does not have any terms and conditions this requirement is not relevant.

8.   Children

Wessex Image Coach offers no services relating to children.

Should an adult wish to engage Wessex Image Coach’s services for a child in future, Wessex Image Coach will consider all aspects of said request. Should it decide that it would be appropriate to provide such services the age of the child will be verified and parental or guardian consent in writing will be sought for any data processing activity.

9.   Data Breaches

Clients’ personal data is stored temporarily (see section 4 above) on one or both standalone laptops, which are backed up weekly to an external storage drive. Both laptops have full anti-virus and anti-malware protection which runs and updates automatically. Windows, MS Office and Apple (iPhone and iPad) applications are also updated automatically.

No personal data is stored on the Wessex Image Coach website. This website together with the WIC business email account is hosted and protected by Sentinel Data Solutions Limited. Private email accounts are not used to communicate with clients.

Personal data (contact details) is stored in MS Outlook, which can be accessed by the partners’ iPads and iPhones. All are password-protected.

In the highly unlikely event of a data breach likely to result in a risk to the rights and freedoms of an individual, e.g. discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage, Wessex Image Coach will notify the ICO of said breach without undue delay (and, as the GDPR requires, where feasible within 72 hours of becoming aware of it) and will also notify the individual concerned.

10.        Data Protection by Design and Data Protection Impact Assessments (DPIA)

Wessex Image Coach is aware that a DPIA must be carried out where data processing is likely to result in a high risk to individuals, but sees no current need for one, since none of the following situations applies to its business:

·         Where a new technology is being deployed.

·         Where a profiling operation is likely to significantly affect individuals.

·         Where there is processing on a large scale of the special categories of data.

11.        Data Protection Officer

Keith Roberts, as co-proprietor and joint partner of Wessex Image Coach, assumes overall responsibility for data protection compliance. He agrees to keep up-to-date with the legal requirements, to update the Wessex Image Coach documentation accordingly, and to inform Hilary of all relevant changes.

12.        International Activities

Wessex Image Coach does not operate with clients or businesses located outside the United Kingdom.

13.        Policy Updates

The present policy document will be reviewed and updated every six months or should the requirements of the GDPR or the nature of Wessex Image Coach’s business change at any stage in the future.