GDPR Policy

Here at the Woodhart Group Limited, including Woodhart Carpentry, Woodhart Construction and Woodhart Lofts & Extension (WHG), we want you to be absolutely confident that we are treating your personal data responsibly and that we are doing everything we can to make sure that the only people who can access this data have a genuine need to do so.

This notice details why we collect your personal data and what we do with it in accordance with the General Data Protection Regulation (GDPR).

This document is divided into the following sections.

  • Your Data
  • Data Retention Policy
  • Data & Privacy Protection Policy
  • Your Rights
  • Data Breach Policy

 

 

Your Data

  • We never divulge data to 3rd parties unless they are paid consultants used in the operations of this company and to provide the services requested.
  • Before providing services, we will ensure all clients sign a Woodhart Group engagement agreement or have agreed through our website "Contact Us" form. In this document, consent will be sought to hold your information, which enables us to provide our service, along with permission to contact you for account management purposes. We will not provide any service without a signed consent form. For clients that we engaged prior to the implementation of GDPR, we will seek consent from all current clients, although we accept this will take some time to complete.
  • A digitally scanned copy of a signed agreement will be stored in the client project files on our secure server.

Website

  • We have a website with an enquiry form to gather basic contact information, with consent permissions included. The form meets the legal requirements of GDPR in relation to consent, and the information gathered will be deleted after 90 days.

 

Sales & Marketing

  • We will never use your data for sales and marketing.

 

Recruitment

  • As part of our recruitment activities, we gather CVs from agencies or online portals. These include personal data and are used to identify potential candidates to interview.  If we invite someone in for an interview, we also request a copy of any professional qualifications and relevant ID as proof of their entitlement to work in the UK. These are retained in line with the Data Retention Policy.

 

Data Retention Policy

  • All data held and processed by the company can be divided into different categories and sub categories. This table breaks down where and how this data is stored and the relevant retention policy we hold:

| Data Category | Sub Category | Description | Stored Where | Who has access | Why do we store it | Retention Time Policy | Action to be taken at the end of the period |
|---|---|---|---|---|---|---|---|
| HR | Job Applicants (Non Successful) | CV & Notes | Paper & Public Folder Email | Managers & Directors | Recruitment Purposes | 3 Months | Scheduled shredding of paper records and email archive. |
| HR | Job Applicants (Interviewed) | CVs, ID & Notes | Paper & Email | Managers & Directors | Recruitment Purposes | 6 Months | Scheduled shredding of paper records and email archive. |
| HR | Employed Staff | CVs, Contact details, General HR Files, Payroll details, copy of driving licence, passport | Paper (Locked filing cabinet), electronic files on server | Office admin Manager, Directors | Essential employment record keeping | 7 Years | Scheduled shredding of paper records and email archive. |
| HR | User Account | Network User | Computer server network | Admin, Managers, Directors | Encrypted Active Directory (Server) | 3 Months | Password is reset upon departure of the staff members. |
| Accounts | Accounts | Trading accounts | Safe, safe backup on secure encrypted server | Admin Office Manager, Directors | HMRC requirements | 7 Years | Scheduled maintenance of Safe to clear older records, shredding of expired paper records. |
| Accounts | Accounts | Supplier | Sage, sage backup on secure encrypted server, Paper | Admin Office Manager, Directors | Suppliers often used again, Labour force can be seasonal. | 7 Years | Scheduled maintenance of Safe to clear older records, shredding of expired paper records. |
| Misc Client Data | General Office | General Emails, Letters, paperwork | Exchange Email, encrypted server | Mailbox owner, Directors | An audit trail for all company email communications, retained for legal reasons. | 10 Years | Automated scheduled deletion of all company emails that are in excess of 10 years old. |
| Sales | Sales | Contact details, quote records | Email, encrypted server | All Staff | To track our sales progress. | 10 Years | Automated scheduled deletion of all company emails that are in excess of 10 years old. |
| Client Data | Website | Contact Details | Contact Database in website | Website Design Company, Directors | To collate details of website enquiry forms | Maximum of 9 months. | Delete record from website history. |

Data & Privacy Protection Policy

We will take all reasonable steps to protect data that we hold, including backups, anti-virus, encryption, software security, complex passwords and physical access. Here is a breakdown of how we protect the data we hold:

Local Backups 

We make a daily backup onto our in-house local encrypted server.

Cloud Backups  

We make a daily backup of all user and client data which is stored on our servers, and this is stored on a UK based cloud backup server.  The backup is encrypted.

Anti-virus 

We use McAfee Internet Security / Bitdefender, which is on an annual rolling renewal. This also carries out a full network scan.

Email Security

We use email security in the cloud via Microsoft / Giacom. When emails reach our local PCs, they are inspected by the anti-virus on the device.

Passwords   

All of our user network passwords must meet a minimum complexity requirement.

Mobile Devices   

All mobile devices with access to our systems will have an enforced PIN code protection policy. (We can erase the content of any phone remotely.)

Firewall 

We have and maintain a hardware firewall on our router and also on our PCs/Macs. All are turned on and enabled.

Wireless network  

Our company wireless network is secured with the current best encryption method with an encryption key.

Software updates

We will endeavour to install all software updates as soon as we are aware they exist.  All Operating System updates are regularly installed as part of our Microsoft software management system.

Physical access

Our offices are protected by an intruder alarm, and access control is implemented and monitored on the main front/back doors as well as our internal sensitive areas. Members of staff have a unique alarm code.

Hardware security   

When computers are decommissioned, we employ a secure company to dispose of them responsibly.

 Data Transmission Policy

On occasion we have to transmit or share personal data, such as names and addresses, in order to carry out our services or provide payroll solutions. Whenever possible this is done via our anti-virus email hosting system or by authorised persons.

 Your Rights

You have the following rights in respect of our processing of your personal data:

  • To access your personal data and information about our processing of it. You also have the right to request a copy of your personal data.
  • To rectify incorrect personal data that we are processing.
  • To request that we erase your personal data if:
      • we no longer need it;
      • we are processing your personal data by consent and you withdraw that consent;
      • we no longer have a legitimate ground to process your personal data; or
      • we are processing your data unlawfully.

If you want to exercise any of these rights, please contact us on 01273 539124 or email [email protected]

 Data Breach Policy

In the event of a breach being detected, we will take the following action:

Level One: A virus infection

Definition – A virus or malicious software infection is detected.

Action – All computers will be scanned for viruses, and malicious software. If a computer cannot be cleaned to a satisfactory level, we will wipe the computer and rebuild from scratch.  If no proof is found of personal data leaving our network, no further action will be taken.

Level Two: A breach of our AD security

Definition – Proof that our Active Directory (network username and password system) has been breached, either electronically or by a person.

Action – All user passwords will be reset.  Reset all wireless passwords.  Scan Entire Network with Trend. Scan all devices with our anti-malicious software tools.  No further action will be taken if there is no evidence that data has been stolen.

Level Three: A breach has occurred and evidence exists that any of our data has been stolen.

Definition – Evidence has been found that suggests data has been stolen.

Action – Reset all passwords. Reset all wireless passwords. Scan entire network with Trend. Scan all devices with our anti-malicious software tools. Report the case to the Information Commissioner's Office (ICO).

WHG is registered with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Any queries from WHG staff, consultants/suppliers or customers should be directed to the Managing Director.

I consent to you holding my data in accordance with the above policy and GDPR.
