GDPR statement
2018-11-07

Essex DJs GDPR (General Data Protection Regulation) Policy

This policy was written by James Cresswell who is the business owner of Essex DJs and is the person responsible for data protection.

This policy covers how Essex DJs stores and processes information obtained from its clients for use in its daily operations. It demonstrates how Essex DJs will comply with the General Data Protection Regulation, which comes into effect from 25/5/18. This document will be regularly reviewed and updated where necessary.

Company Details

Name: Essex DJs
Address: 41 Chestnut Way, Tiptree, Essex, CO5 0NX
Telephone: 07734 652879
Email: [email protected]
Web: www.essexdjs.co.uk

Description: Mobile DJ hire, photo booth hire, dance floor hire, venue lighting hire, giant illuminated letter and number hire.

The lead supervisory authority for the United Kingdom is:

The Information Commissioner’s Office 
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 700
email: [email protected]
Website: https://ico.org.uk

Member: Ms Elizabeth DENHAM, Information Commissioner

The GDPR states that we must have a lawful basis for storing our clients’ personal information. Our lawful basis is Legitimate Interests, the definition of which is given in the following statement taken from the regulation:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

The GDPR gives clients rights regarding the personal data they disclose to Essex DJs as part of its business activities. Those rights are as follows:

  • The Right to be Informed
  • The Right to Access
  • The Right to Rectification
  • The Right to Be Forgotten
  • The Right to Restriction or Suppression
  • The Right to Object to Processing
  • The Right to Complain to the ICO or another supervisory authority

In the following sections of this document we will demonstrate how we will comply with our clients’ rights. We will explain how we will record client requests and the procedures we will use to assist us.

The Right to be Informed

During daily operations Essex DJs collects personal information from any member of the public who may wish to use our services. This may be given to us verbally or in writing. The information is given to Essex DJs voluntarily and the client is not contractually obliged to disclose it. Clients may give the information of someone else, provided that Essex DJs informs that person within 1 month that we are processing their personal data.

We process some personal information at the point of enquiry, and we process more personal information if the client decides to book our services. We use this information to deal with initial enquiries effectively and deliver the best customer experience possible. We share this information with any employee directly related to the enquiry or booking. This could be: the person who deals with the initial enquiry; the DJ booked for the event; and the assistant booked for the event. We store this information electronically on company computers, personal smartphones, and a web-based booking system called DJ Event Planner. We have a DJ Event Planner account where we manually enter a client’s details to create an online booking form for their event. We use this booking form to view the services the client has booked, to add services where applicable, and send emails to the client regarding their event. Each client has access to their DJ Event Planner online booking form so that they can view the details about their event and the personal information we are processing. They can request amendments to their booking and personal details via the DJ Event Planner email system.

We will not use a client’s data for any purpose other than those stated above. If we decide to use a client’s data for a new purpose, we will inform the client in writing before we process their information. Where personal data was not obtained from the individual directly, we will inform that person within 28 days that their personal data is being stored and processed, and of the source of the data.

The information we process at the point of enquiry:

  • First Name
  • Last Name
  • Email Address
  • Mobile Phone number

We will discard this information after 3 months if the client has not booked our services and we have had no further contact with the client. We will discard this information at any time after the initial enquiry if the client requests us to verbally or in writing unless we are required by law to continue processing that information.

The information we process after the client has booked our services:

  • First Name
  • Last Name
  • Organization / Workplace
  • Email Address
  • Postal Address
  • Home Phone
  • Mobile Phone
  • Work Phone

We will discard this information after 6 years. We will discard this information at any time if the client requests us to verbally or in writing unless we are required by law to continue processing that information.

The Right to Access

We will show any client, either at the point of enquiry or after the point of booking, which information we store about them within 28 days if they request it verbally or in writing. We will provide this information by email or as an electronic word-processing document. Each client also has access to the personal information we process via DJ Event Planner, which is our online booking system. Each client’s DJ Event Planner account is password protected.

The Right to Rectification

We will amend any inaccurate or incomplete data if requested to by the client, unless the request is unfounded or excessive. A client can request rectification from any member of staff verbally or in writing. The request will be recorded either on a notepad or electronically and the data will be rectified within 28 days. We can extend this time limit by a further 2 months if the request is complex or if there are several requests. If a request for rectification is refused we will inform the client of: the reason we are not acting, their right to make a complaint to the ICO or another supervisory authority, and their ability to seek to enforce this right through a judicial remedy.

The Right to be Forgotten

We will erase any personal data unless we are required by law to continue processing that information. A client can request that their personal details are erased either verbally or in writing, and if the request is accepted we will complete it within 28 days. We can extend this time limit by a further 2 months if the request is complex or we have received several requests from the individual. We will let the individual know within 28 days of receiving their request if we require an extension and why it is necessary. If a request for erasure is refused we will inform the client of: the reason we are not acting, their right to make a complaint to the ICO or another supervisory authority, and their ability to seek to enforce this right through a judicial remedy. We will comply with a request for erasure if: the personal data is no longer necessary for the purpose for which we originally collected or processed it; the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing; we are processing the personal data for direct marketing purposes and the individual objects to that processing; we have processed the personal data unlawfully; we have to erase it to comply with a legal obligation; or we have processed the personal data to offer information society services to a child.

We will not comply with a request for erasure if: we need to exercise the right of freedom of expression and information; we are required to keep the data to comply with a legal obligation; or the data is needed for the establishment, exercise or defence of legal claims.

We will erase any data by manually deleting the information from every place it is stored. We will inform every member of staff assigned to the event who may have stored the client’s information to check and manually delete any personal information regarding the data subject.

The Right to Restriction or Suppression

If requested to by the client, we will store the personal data but not use it, unless we are required by law to continue processing that information. A client can request that their personal details are restricted either verbally or in writing. The request will be recorded either on a notepad or electronically, and if the request is accepted we will complete it within 28 days. We can extend this time limit by a further 2 months if the request is complex or we have received several requests from the individual. We will let the individual know within 28 days of receiving their request if we require an extension and why it is necessary. We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, considering whether the request is repetitive in nature. If a request for restriction is refused we will inform the client of: the reason we are not acting, their right to make a complaint to the ICO or another supervisory authority, and their ability to seek to enforce this right through a judicial remedy.

Individuals have the right to request that we restrict the processing of their personal data in the following circumstances: the individual contests the accuracy of their personal data and we are verifying the accuracy of the data; the data has been unlawfully processed and the individual opposes erasure and requests restriction instead; we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; the individual has objected to us processing their data, and we are considering whether our legitimate grounds override those of the individual; if an individual has challenged the accuracy of their data and asked us to rectify it, they also have a right to request that we restrict processing while we consider their rectification request; or if an individual exercises their right to object, they also have a right to request that we restrict processing while we consider their objection.

The method by which we restrict the data will be by placing a note on the online booking form in the internal notes section which can be seen by all staff assigned to that booking. We will also notify staff assigned to the booking verbally and in writing that there has been a restriction placed on processing the client’s data. We can also place a note in the contract section of the online booking form which can be seen by the client. We will remove the note when the restriction has been lifted. We will inform the client in writing before we lift a restriction on processing.

We will not process restricted data in any way except to store it unless: we have the individual’s consent; it is for the establishment, exercise or defence of legal claims; it is for the protection of the rights of another person (natural or legal); or it is for reasons of important public interest.

The Right to Object to Data Processing

We will stop processing our clients’ personal information if requested to do so verbally or in writing, unless we are required by law to continue processing that information. A client can exercise the right to object either verbally or in writing. An individual must give specific reasons why they are objecting to the processing of their data, and these reasons should be based upon their particular situation. The request will be recorded either on a notepad or electronically, and if the request is accepted we will complete it within 28 days. We can extend this time limit by a further 2 months if the request is complex or we have received several requests from the individual. We will let the individual know within 28 days of receiving their request if we require an extension and why it is necessary. We can refuse to comply with an objection if the request is manifestly unfounded or excessive, considering whether the request is repetitive in nature. If an objection is refused we will inform the client of: the reason we are not acting, their right to make a complaint to the ICO or another supervisory authority, and their ability to seek to enforce this right through a judicial remedy. Where the information is being used for direct marketing, we will stop processing our clients’ personal information within 28 days if requested to do so, under any circumstances. In certain other circumstances we can continue processing a client’s data if: we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims. We will inform clients of their right to object in addition to including it in our privacy policy. We will erase any data by manually deleting the information from every place it is stored. We will inform every member of staff assigned to the event who may have stored the client’s information to check and manually delete any personal information regarding the data subject. If the client has objected to the processing of their data for direct marketing only, we will place an internal note on the client’s online booking form stating the purposes for which the data can be used.

The Right to Complain to a Supervisory Authority

If a client thinks that the processing of their personal data infringes data protection laws, a complaint can be registered with a supervisory authority such as the Information Commissioner’s Office or any other authority responsible for data protection.

Information Security Policy

In this section we will explain how we store our clients’ data and how we will keep it secure. We will define our procedures for keeping our clients’ data secure and for responding to a data breach. We will explain our current procedures and identify procedures we need to put in place in the future.

The data processing which Essex DJs performs is low risk to our clients. If there was a data breach, we believe the impact on our clients would be small and simple to rectify.

During daily operations Essex DJs collects personal information from any member of the public who potentially wants to use our services. This may be given to us verbally or in writing. This data is stored and processed electronically and physically.

Electronic Data Processing Current Procedures

Data is stored and processed on devices such as: desktop computers, laptops and mobile phones. Data is stored locally and in cloud storage on these devices and on a web-based booking system called DJ Event Planner via these devices.

We have up-to-date antivirus and anti-malware software on the desktop computer at our business address and on all laptops. We have strong passwords on all computers. We also use a password manager called LastPass to store passwords and to create unique, strong passwords where required.

Electronic Data Processing Future Procedures

  • Encrypt all computers.
  • Encrypt all forms of communication used to send personal data where possible.
  • Contact all staff to explain the importance of data security. Make sure staff delete all personal data immediately when it is no longer needed.
  • Check staff have appropriate security on their personal devices used to store personal data.
  • Read and understand Cyber Essentials and implement procedures where required.
  • Make sure DJ Event Planner’s procedures are robust and comply with GDPR.
  • Make sure DJ Event Planner has robust procedures to protect the confidentiality, integrity, and availability of personal data, and procedures for when the data is made unavailable, for example when it has been encrypted by ransomware or accidentally lost or destroyed.
  • Make sure our DJ Event Planner domain is secure.
  • Store all personal data in the cloud to ensure easier retrieval should an incident occur.
  • Review and test procedures annually; identify improvements and implement them as soon as possible.

Physical Data Processing Current Procedures

Data is processed on notepads and printed documents. Data is stored in ring binders and archive boxes. Most data processing and storage takes place at the business address of Essex DJs which is also the residential address of the business owner James Cresswell. The building is a block of 4 flats with an outer communal door which has controlled access. Essex DJs is situated in a first floor flat within the building with a lockable front door. Some data processing and storage takes place at client meetings or during holiday leave.

Physical Data Processing Future Procedures

  • Purchase a lockable metal cupboard to store all archive boxes and ring binders at the business premises.
  • Lock the cupboard when not working and not at the premises, and keep the key with me whilst away from the premises.
  • Review and test procedures annually; identify improvements and implement them as soon as possible.

Personal Data Breaches

In this section we will explain what a data breach is and define our procedures in the event of a data breach.

The person responsible for managing data breaches is James Cresswell (business owner).

The data processing which Essex DJs performs is low risk to our clients. If there was a data breach, we believe the impact on our clients would be small and simple to rectify.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Personal data breaches can include:

  • access by an unauthorised third party
  • deliberate or accidental action (or inaction) by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data

How We Will Identify a Data Breach

There are numerous ways in which the data Essex DJs holds could be compromised. Personal data could be breached electronically by persons attempting to steal information for fraudulent purposes, or accidentally through our own procedures, such as: sending data to the wrong client, deleting data by mistake, incorrectly altering data, or company devices being lost or stolen.

Current Procedures

In the event of a data breach we will inform the Information Commissioner’s Office without undue delay and within 72 hours verbally and in writing. We will inform the client that their personal data has been breached without undue delay and within 72 hours. We will tell the client which personal data has been compromised and provide advice to help them protect themselves from its effects. We will keep an electronic record of all data breaches by recording them on a word processing document.

The Information We Will Provide to the ICO

  • a description of the nature of the personal data breach
  • the approximate number of individuals concerned
  • the approximate number of personal data records concerned
  • the name and contact details of the data protection officer: James Cresswell
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

The Information We Will Provide to the Individual

  • a description, in clear and plain language, of the nature of the personal data breach
  • the name and contact details of our data protection officer: James Cresswell
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects