Tetbury Advertiser GDPR compliance, policies and methodologies
- We have a data protection compliance folder on the Tetbury Advertiser file system containing our GDPR documentation, and we keep a record of consents to hold data via email. The customer data we acquire consists of customer names and business identities (where appropriate), and email and postal address details.
- We note meetings on GDPR, and decisions made on GDPR, through our usual meeting and minutes process via Tetbury Lions.
- The Advertiser data protection officer is the Tetbury Advertiser Editor.
- Our data is mapped into two categories:
  A) customers with running advertisements – “Accounts”;
  B) archived non-personal advertising material – “Libraried.”
  The purpose of these categories is firstly (“A”) to bill, track and occasionally incentivise customers to re-advertise (issue by issue, or yearly for “repeat” events), and secondly (“B”) to retain advertising material for potential re-use by customers who are no longer running “active” advertisement material.
- We assert the lawful basis for both these categories chiefly (although not exclusively) under points (a), (b) and (c) of Article 6 of the GDPR. The specific terms of the GDPR state:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
- We practise a policy of refreshing consent where necessary.
- We have a policy to handle any data subject access requests.
- We have a policy to handle any data erasure or corrections requests.
- We are prepared to document non-compliance issues and risk mitigation.
- We have a password policy for users of the Accounts system, web site and collection and preparation equipment used for the Advertiser.
- We have contacted our database of current and previous customers to ask them to opt in to our data retention.
- We have a retention schedule for data, covering both active customer data and archived advertisement information, and we minimise the data we hold. Accounts data is held for six years, in keeping with prudent practice. “Front End” contact information is retained for two years, to preserve contract details and allow contact with customers with their permission. Library information (which is non-personal advertising material) is retained for seven years.
- Our staff and volunteers all understand what constitutes personal data.
- Our staff and volunteers can identify a breach and know how to avoid email scams, phishing and similar attacks.
- We have a breach response policy.
- We hold a data breach log to record events.
- Our website does not currently require HTTPS, since it is for information only. If it develops into a vehicle for payment processing or pass-through in the future, we will revisit this requirement.
- Our office computers are encrypted using “security by design.”
- We review the physical security of our data regularly; disks, paper filing systems and all other storage are kept “behind lock and key.”
- We hold an asset register of the serial numbers of our computers.
- We have a register of individuals with access to the data on each device.
- We securely lock away any data.
- We have a privacy policy (this document) which includes the identity of the data protection officer, the purpose of the processing and its legal basis, the legitimate interest, any recipients or categories of recipients of the personal data, the right to withdraw consent at any time, and the data retention period.
- We have an ongoing consultation procedure to revisit our processes, both technical and legal, whenever a new requirement arises, so that we can take any further steps needed to become, or remain, fully compliant.
- The Tetbury Advertiser employs a proprietary Accounts system called “Xero”, a modern cloud-based system with built-in scheduled backup and restoration processes. Security and data protection are inherent in its design. We use Google’s “My Drive” for front-end transactions, which gives excellent restore facilities, and a mapped transfer protocol for emails between a site alias [email protected] and Yahoo’s mail service. Both enjoy an excellent reputation for password-protected data integrity.
- “Xero” has its own virus protection; all laptop and desktop devices used for front-end communications run, at minimum, AVG’s free antivirus software to ensure transfer integrity and antivirus protection. No unprotected devices are permitted to access data.
- The Tetbury Advertiser uses an online payment gateway from “EVO Payments International.” This client-based software is proprietary and fully HTTPS protected. Please see https://www.evopayments.co.uk/ for more information about their pass-through features and data protection. They are fully 25 and GDPR compliant. We go through a yearly attestation process with EVO to confirm our compliance with PCI DSS (the Payment Card Industry Data Security Standard).
- Please contact the Advertiser Data Protection Officer (the editor) at [email protected] if you would like more specific details about any of the procedures or policies set out in this document.