GDPR Compliance for Stephen Waldron Architects (SWA): Data-mapping and Justification statement
1.1 The GDPR (General Data Protection Regulation) came into effect on Friday 25th May 2018.
1.2 It requires organisations to map all areas affected by Data Protection (DP) law and to have strategies to deal with them, both looking inwardly at their own processes and dealing outwardly with real and potential impacts on customers' data and privacy, under the policies set out below.
1.3 There are 7 key principles of Data Protection (GDPR Article 5) that SWA has examined and mapped in forming our own response:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
1.4 This document sets out SWA’s analysis and provides a justification statement for the way GDPR will be actioned and applied within SWA.
1.5 All data within SWA is held on Dropbox, a 'cloud-based' storage system with password-protected access. Dropbox has its own GDPR compliance strategy. More about how Dropbox sets out its response to GDPR compliance can be found at: https://www.dropbox.com/security/GDPR
2. Data mapping
2.1 SWA is a limited company providing architectural services to the public, the voluntary sector, and businesses. We set out below a review of the relevant data protection (DP) areas of concern that come under the remit of the GDPR.
2.2 SWA does not carry out multiple mailings from databases. Rather, it deals with enquiries from clients or potential clients who approach SWA to request architectural/design services and who voluntarily offer contact details and other background data relevant to the project to enable this to happen.
2.3 SWA offers to select and work with sub-consultants, contractors, or specialists in pursuit of the goal of the design commission. This is done by agreement, using data that the client has freely given and agreed in writing for this express purpose as part of our legitimate business, including the marketing of the project.
2.4 SWA will not release details of payments and fees paid to SWA on a contract to the public. However, such data is accessed for accountancy and financial compliance purposes by HMRC and similar bodies, who have provided their own GDPR policies to satisfy us.
2.5 SWA has very occasionally purchased databases for a mailshot, or has paid others to do a mailshot to potential customers. These databases are available for a fee to anyone on the open market. They hold name and address details, including telephone numbers and email addresses, which are personal data under the GDPR, but no special category (sensitive) data. Such companies have to satisfy us with their own GDPR strategy and analysis as to the data provided.
2.6 All SWA files are, nevertheless, held on Dropbox, which is password protected and accessible only to restricted SWA staff, who are trained in and aware of the GDPR's impact on privacy.
2.7 Addresses and contact data are held on a single Excel spreadsheet on Dropbox.
2.8 The addresses and names of clients are shown on all drawings produced by SWA for that client. We see this as being in the public domain since it is held, for example, on Local Authority planning files which are publicly accessible.
2.9 Photos are taken on most occasions of the inside of a client's property, with their full permission and for the purposes of survey and design. These are held on Dropbox. Where these are published on our website or in any marketing, it is only done with the written permission of the clients in each case, or by virtue of a clause in our terms and conditions which clients may challenge or adjust if they do not want public disclosure.
2.10 Staff contact data is held on the restricted-access part of Dropbox in confidential files, which are only accessible to Stephen Waldron. This also includes time sheets, disciplinary records, salary details and performance reviews.
2.11 Such data is not given to third parties except our payroll consultant, who has provided us with their own GDPR compliance policy for handling this data appropriately.
2.12 SWA's policy in giving references for ex-staff seeking employment elsewhere is that SWA is willing, unlike many organisations, to disclose its view of the performance of such staff, including absence and disciplinary records, but will not disclose personal data that is deemed irrelevant for the purpose of assessing the suitability of that person for employment. This would include, for example, information on family members, personal preferences, sexual/religious/ethnic data, or hobbies.
2.13 SWA will not time-limit the holding of such data, believing from experience that ex-staff may, for the rest of their career, wish SWA to provide information on how they performed to potential employers.
IT security data
2.14 IT security data is held on Dropbox in the Director's area, which is only accessible to Stephen Waldron. This data is only disclosed to SWA's IT consultants on the strict understanding that it is not released to third parties, and they have satisfied us with their own GDPR policies and systems.
3. Public statements
3.1 As a result of the above assessment, we propose that the following policy statement is placed on our website and in our terms and conditions:
"SWA has carried out a full review of its responsibilities and duties under the GDPR in respect of its professional duties. SWA will continue to do all it can through its procedures, IT systems, and training to comply with the requirements of Data Protection regulations in the UK.
SWA keeps all its data on a secure 'cloud-based' data system (Dropbox) which is password protected. SWA has a contacts database with address and all contact data on clients, consultants and third parties, which is deemed to be given freely and to be in the public domain. If in the course of a project a client or third party discloses what may be deemed personal and sensitive data, SWA will not protect that data further unless specifically requested to do so by the party involved.
SWA takes and produces photographic and visual images on its projects or potential projects. This is a vital part of our business and design delivery. SWA reserves the right to use such data freely for publicity and promotion purposes and will not provide special data protection to such material.
SWA will release data on past employees to those seeking references. However, this will not include any sensitive personal data such as religion/ethnicity/sexual orientation. In the case of disability, if this is deemed relevant to the specific project (such as access to high structures), this may be noted.
SWA will respond to any request by an individual who wishes to know what data is held on them in an efficient and helpful manner.”