GDPR Policy and Procedures Report
Prepared by Heather Stanley – Production Manager for Trafford Media and Communications Limited and Lewis Mckee – Linten Technologies Limited
What is the GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable
Definition taken from Wikipedia
About Trafford Media and Communications Limited
Trafford Media and Communications Limited is a tightly-run consultancy, delivering innovative and cost effective design, print, and media solutions to a growing range of businesses and organisations.
Our Services include:
Copywriting, PR, design and artwork,
advertising sales, corporate film and video, project management,
direct mail, event management, calendars,
print and publishing, magazines, corporate brochures,
annual reports, ncr books and pads, leaflets,
booklets, folders and wallets, large format print.
TMC also publishes two in-house magazines – Lift-Off! Magazine and Southside Magazine.
Trafford Media and Communications Limited are members of BW3 (Business Working with Wythenshawe) and organize a networking event for BW3
Wythenshawe Business Gateway Network Events (WBG) – The WBG was setup in 2014 to enable businesses in and around the Wythenshawe area to network with each oter and hear from senior business representatives about their companies and how they could help and work with other companies. The WBG is part of BW3 (Business Working with Wythenshawe) which was originally formed by Manchester Airport as part of their CSR.
Trafford Media and Communications (TMC) have been involved in the administration and event management of the Wythenshawe Business gateway since it started, Advising businesses of the events which are taking place in the coming months, where they are and who are the speakers.
Policies and Procedures
Under the new legislation that is coming into place on May 25, 2018, Trafford Media and Communications Limited have made all their staff aware of the change, the date the change takes place and the implications of not complying with the law over the GDPR. This document should cover the steps that have been taken and the policies and procedures that have been put in place.
Information we hold
Trafford Media and Communications Limited are in contract with their suppliers who provide them with the products to enable them to adhere to the sales contract made with their customers.
Trafford Media and Communications Limited do not share their suppliers or customers details with anyone else, without prior consent from the senior manager of that company. The data we hold on record is company name, address, telephone number, email address, contact name and title.
Lift-Off! Magazine has a database (spreadsheet in xlsx format) of contacts which have been sourced from either direct contact with the company listed, business cards handed to a member of staff of Trafford Media and Communications Limited at a meeting or business event, local telephone directories or other sources of media advertising and in the general domain of the world wide web (internet). This database contains the company, contact, address, telephone number and email address. We do not hold any other data on the company.
Southside Magazine – has a database (spreadsheet in xlsx format) of contacts which have been sourced from either direct contact with the company listed, business cards handed to a member of staff of Trafford Media and Communications Limited at a meeting or business event, local telephone directories or other sources of media advertising and in the general domain of the world wide web (internet). This database contains the company, contact, address, telephone number and email address. We do not hold any other data on the company.
Wythenshawe Business Gateway Networking Event (WBG) – has a database (spreadsheet in xlsx format) of contacts which have been sourced from either direct contact with the company listed, business cards handed to a member of staff of Trafford Media and Communications Limited at a meeting or business event, local telephone directories or other sources of media advertising and in the general domain of the world wide web (internet). This database contains the company, contact, address, telephone number and email address. We do not hold any other data on the company.
The databases for Lift-Off! Magazine, Southside Magazine and the Wythenshawe Business Gateway are the property of Trafford Media and Communications Limited, and are not shared with any other company.
All our databases are regularly updated after each mailing has been completed and all returns, unsubscribed or blocked requests are actioned with 72 hours of being received.
Communication and privacy information
The data that is held under the Trafford Media and Communications Limited umbrella for use by Lift-Off! Magazine, Southside Magazine and the Wythenshawe Business Gateway is for the sole purpose of either requesting information of news and events, job vacancies etc for the two magazines, and then also to send out details of the final publication of the magazine. It is also used to also invite companies to attend our networking events, to enable companies to meet and network with other companies and hear from senior representatives of companies that they might not normally be able to meet.
All our data has been compiled from data that is available in the public domain ie telephone directories, world wide web (internet), business cards, out of office replies etc.
• Do you share or sell my data?
We will not put any information about you on general release nor will we sell such information.
We may share personal information with business partners including:, couriers and magazine distributors, IT service providers who assist with internal IT issues. Marketing analytics companies that give us insight into our products and how to be more effective. Payment providers that process information on our behalf. Companies that help up send target ads when visiting our website. Lawyers representing us in the event of a legal claim Regulators and law enforcement agencies (if there is a legal reason to share data with them). Search engine operators that help us understand how to improve our visibility online.
• Should you wish to contact us regards your privacy:
The Data Protection Officer is: Heather Stanley. Tel 0161 998 9411 / 0161 945 6015.
Email – firstname.lastname@example.org
To ensure that the recipient has the choice to stay on the mailing list, or opt out of the mailing list, for Lift-Off! Magazine, Southside Magazine and Wythenshawe Business Gateway networking event, we make sure that there is an ‘unsubscribe’ phrase on the base of all emails that are sent out. We also now put that the privacy report is available on request – see below.
• Our Privacy Report is available on request, please email: info@Lift-Offmagazine.co.uk
• If you wish to unsubscribe from these emails, please mark ‘Unsubscribe’ in the subject line and return the email. Under the latest GDPR rules, your data will be removed from our the Lift-Off!! mailing list.
Once we have received you email requesting that you are removed from our mailing list for either the magazines or the networking event, we will mark your email on our mailing list with ‘Unsubscribe’ , but will keep you on the list to ensure that if we receive a business card or some other form of communication, that we do not add this address again without prior contact with that person.
This is how it would be marked on our list
Unsubscribe – email@example.com
As part of your rights, we would also remove you from our physical distribution of the magazine. If someone returns the magazine and asks us to remove their details, we would run the same procedure as above, but would also remove them completely front the distribution list to ensure that they are not delivered by our drivers.
Subject Access Requests
If you request access to your data, we would action this within 48 hours of receiving the request, unless there are circumstances where the DPO (Data Protection Officer) is unavailable ie holidays, sickness etc, in which case the person monitoring the emails would inform the person or company accordingly, that the request would be actioned as soon as they return.
If you request to see what data we hold on file, on your company, we would access our mailing list, and send the full line from the spreadsheet for the company. If you then request the information is removed, we would follow the procedure listed in the ‘Individual Rights’ section of the booklet.
We would not query why this request had taken place.
Lawful basis for processing personal data
In order to promote both our magazines, and also the networking event, we email information out to our mailing lists. All the data has been acquired over a number of years from business connections, networking events, worldwide web (internet), out of office information and the public domain.
We have not knowingly gathered information unlawfully.
Our privacy notice has been updated to comply with the new regulations as specified in the GDPR.
As stated above in Lawful Basis, all our data has been acquired from business connections, networking events, world wide web (internet), out of office replies or the public domain. If company details are listed on the worldwide web (internet), then they are listed to enable other potential clients/customers to contact them.
A new column has been added from 2018 to our mailing list to state where the details came from, ie if the company or person has given consent from to use their details from the networking event, we would mark this down as WBG. If they have come from a business card then we would put business card etc. This would then comply with the regulations as to how we acquired their data.
In line with the start of the GDPR, we will be letting people know that we have updated our privacy notice, and this is available on request.
Any changes will be actioned within 48 hours of the request being received, unless the DPO is not available as listed above.
Neither Trafford Media and Communications Limited, Lift-Off! Magazine, Southside Magazine or the Wythenshawe Business Gateway Networking event, holds any data for children under the age of 18.
Any information in either magazine that is published that contains information or images of children has been sent direct to us and prior consent has been granted from the company or school concerned.
Trafford Media and Communications Limited have taken great care to ensure that we do not breach any aspect of data protection.
If we receive a notification of a breach of data (ie that the company or person did not request to be on our mailing list), we would request that the DPO (Data Protection Officer) contact them as soon as possible, give the company an explanation as to how we received their data, and the procedures in place to ensure that it is unsubscribed from our mailing list.
We would follow the procedures as listed in the previous section of the booklet.
Data protection by design and data protection impact assessment
The data that is held in our mailing lists is the property of Trafford Media and Communications Limited, and is not high risk.
The data contains the following information, company, contact, company address, email and telephone number.
We use the data we hold to mail out to potential advertisers of our magazines to promote the magazines, and also to invite potential attendees to our networking events.
Data Protection Officer
Trafford Media and Communications Limited has requested that the above position be allocated to the Production Manager, who will be responsible for managing the data that we use, and will be solely responsible for the file.
The data is stored on a cloud based system and used on one pc only. This data is used from the cloud whilst the mailing is taking place.
As a small company, this structure has been agreed between the Managing Directors and the Production Manager. We do not have a designated DPO (Data Protection Officer), but comply with the GDPR.
Trafford Media and Communication Limited has two three full time employees, and one part time trainee employee. All staff are aware of the policies and procedures in place, and are informed of any updates.
Trafford Media and Communcations Limited does not operate outside of the United Kingdom.
As part of our policy and procedures, Trafford Media and Communications Limited has taken the following steps to ensure that the data we hold is secure.
Assessing the threats and risks to business
As listed above, in order to promote our magazines and networking events, we hold a very small amount of business data. None of the data we hold has any financial implications to the Company listed on the mailing list.
This data is not sensitive or confidential.
To ensure the minimum possible breach of security we only use one PC for any mailings that take place.
System configuration/firewalls and gateways
All the computer systems that we use have business anti-virus software installed which is controlled by an external IT company who monitors the risk of virus’s and trojan attacks, and update the software on a regular basis.
On the system that uses the mailing lists, we have restricted access to this system to one person. The system requires a password to access the system, which is changed on a regular basis. Our broadband system is password controlled by the IT company and is a 15 multi character password.
Should a member of staff resign from Trafford Media and Communications Limited or be absent for a long period of time, all access rights and password would be cancelled.
On the system that uses the mailing list, it has business anti-virus software installed which is monitored by an external IT Company.
Malware protection is installed separately to the anti-virus software and is monitored on a regular basis for updates which are done automatically.
Patch management and system software updates
The system that uses the mailing lists, is a pc running a Windows 10 system which all software updates on automatic.
Securing data on the move and in the office
We have taken all steps possible to ensure that the data we store is secure. Trafford Media and Communications Limited have agreed that the data will only be stored in the cloud for general use and not on the system using the data. No portable hard drive or usb device will be used to transport the data away from the place of work.
As the broadband system used in the office environment is password encrypted, we do not allow any external untrusted device to connect to the network. In the case of a colleague bringing in a computer to use on our network, they must have anti-virus software installed to ensure that we lessen the risk of a potential threat or trojan attack.
Securing your data in the cloud
All the data we hold is stored on a spreadsheet in an xlxs format, and is password protected. The file is then zipped and stored in the cloud.
The cloud based system we use is a well know national company which has a base in the United Kingdom.
Backup your Data
Trafford Media and Communications Limited take every care to ensure that the data we hold is backed up after every use and restored in the cloud. All antivirus software and malware software is running on a weekly basis to ensure the safety of the data.
An external backup of the data will be done on a monthly basis by using the cloud and not transferred data ‘on the move’. This will be done by backing up the data at an external place and storing the data in a secure locked safe at the premises where the backup took place ie the Directors home.
All members of staff at Trafford Media and Communications Limited have had training from our IT company on the potential risks of a cyber attack on their systems.
All staff regularly do ‘housekeeping’ on the systems by emptying the mail bins on the email providers and cleaning up their computers.
We are regularly informed of any potential risk or threat by our IT company and what steps to take should the threat happen.
Checking for problems
As part of the ‘housekeeping’ Trafford Media and Communications Limited regularly check to ensure that all the software installed on the systems is up-to-date and running correctly. Any potential risk or threat that is shown on either the anti-virus or malware software is actioned immediately and either quarantined or destroyed thought the various software. The software is then run again to ensure that the risk or threat has been removed.
Know what your are doing
Trafford Media and Communications Limited regularly check the data that we hold to ensure that it is safe and virus free. All security software installed on the pc which uses the data is bought from a reputable certified supplier and is legitimate.
Software is continuously checked to ensure that it is upto date. As a small company our Production Manager regularly checks the computers to ensure that they are working correctly and the system software is upto date.
Minimise your data
The data we store is used regularly throughout the year.
As part of the workings of Trafford Media and Communications Limited, we receive orders for direct mail. All our customers are advised to password encrypt the data they send us, and NOT to send the password via email, or mobile device, but to ring us with the password. Once the data has been used for the mailing in question, the data is destroyed from the email using a ‘data shredder’ on the anti-virus system.
Is your IT contractor doing what they should
The IT for Trafford Media and Communications Limited is outsourced to an external IT contractor.
The contractor is based in the same building that Trafford Media and Communications Limited are based, and we can have regular meeting with the contractor.
As we run a stand alone system and are not running through a server, we do not have access to security assessments.
There is a system in place called ‘Managed Workplace’ which allows our IT contractor to access our systems remotely and securely to access the anti virus/malware software we have. This does not allow them access to the main frame of the system so the files are still secure.
Mailing List – are the sole property of Trafford Media and Communications Limited, but are used for Lift-Off! Magazine – 5 years plus, Southside Magazine – 2 years plus, and Wythenshawe Business Gateway (networking event which is part of the BW3 programme) – 4 years plus.
Wythenshawe Business Gateway Networking Event – attendees at the event are requested to approve the use of their details with our Production Manager who sends out the invites. The request is that their details will be forwarded onto the BW3 Co-ordinator and Trafford Media and Communications Limited mailing list. The BW3 Co-ordinator will then add the details to the BW3 list and will only forward onto any other attendee of the event if they are requested in writing.
Any personal information provided to us or gathered by us is controlled by:
Trafford Media & Communications Limited
South Court, Sharston Road, Sharston, Manchester M22 4SN
Should you wish to contact us regards your privacy:
The Data Protection Officer is: Heather Stanley. Tel 0161 998 9411 / 0161 945 6015.
Why do we need your personal information?
For the purposes of marketing products or services which you have consented to be contacted about.
We do not market to or profile personal data in relation to children. However should a child under 13 engage with us parental consent will be required.
What information do we collect?
We collect the following information, name, title, company, address, telephone number and email address.
How did you get my personal information?
Data is collected from business cards, networking events, out of office replies, and the internet.
Do you share or sell my data?
We will not put any information about you on general release nor will we sell such information;
We may share personal information with business partners including:
• Couriers and magazine Distributors.
• IT service providers who assist with internal IT issues.
• Marketing Analytics companies that give us insight into our products and how to be more effective.
• Payment providers that process information on our behalf.
• Companies that help up send target ads when visiting our website.
• Lawyers representing us in the event of a legal claim
• Regulators and law enforcement agencies (if there is a legal reason to share your data with them).
• Search engine operators that help us understand how to improve our visibility online.
Does any of my personal data leave the UK?
We will not transfer personal data outside of the European Economic Area.
We do not share personal data with partners in the Netherlands.
When we do share you data with partners we use these controls to protect your data
How long do we keep your data?
When your personal data has fulfilled the consented purpose, we will remove your personal data.
We do not hold your personal data for longer than is necessary.
We may hold your personal data for a maximum duration of time, before being removed.
We will retain your personal data, in the event of pending legal action.
The data protection law in the UK grants you these rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
More information can be found here: ico.org.uk
The information you provide is at your free will, you are not legally or contractually obliged to do so. Should you not provide all the personal data requested, we may not be able to facilitate all services.
Details about profiling that may be carried out
We may use your personal data to:
• Track the demographic of our magazine readership.
• Track the interests of our readership.
• Track the success of a marketing campaign.
We will only ever use your data with your specific consent
We will need your specific consent to collect, store, make decisions based on and provide services.
This will be requested at the point of information being collected.
You have the right to withdraw consent at any time by notifying our Data Protection Officer.
Not happy with how we handle your personal data? Tell us!
You may contact our Data Protection Officer on firstname.lastname@example.org
Who will reply in writing no later than 40 days from receipt of your query.
Should you feel that we have not been able to fulfil your request:
You have the right to log a complaint about any aspect of how we are handling your data with the Information Commissioner’s Office in the UK who can be contacted here: https://ico.org.uk/concerns/
Trafford Media and Communications Limited
South Court, Sharston Road, Sharston Manchester M22 4SN
0161 998 9411 / 0161 945 6015