At Baillie & Baillie Estate Agents & Letting Agents, we conform with the European General Data Protection Regulation (GDPR) which came into effect from 25th of May 2018.
Below is an explanation of what GDPR is all about and our companies steps taken to comply with all that GDPR encompasses.What does GDPR gives Citizens and Residents more control over their personal data.
GDPR Simplifies regulations for international businesses with a unifying regulation that stands across the European Union (EU)
The Government has confirmed that Brexit will not affect the GDPR start date, or its immediate running. It’s also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
Baillie & Baillie's DPO (Data Protection Officer) is Company Director Mr Stephen Baillie, please forward any data protection questions or queries to Stephen should you have any.
His Email Address is: [email protected]
Any and all concerns on breaches of GDPR should be reported immediately, if not then preferably within 72 hours of the incident taking place. Individuals will have more rights on how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds (for example the individual is no longer a customer so your contract with them no longer gives you a legal right) to keep the data.
Baillie and Baillie 'hard delete' all computerised customer or contact information at the end of our use for it. All paper records are also cross shredded before being discarded to rubbish.
Baillie & Baillie's GDPR checklist for UK small business compliance
Baillie & Baillie know our data. We are well versed and demonstrate an understanding of the different types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) that we hold, where it has come from, where it's going and how we use that data.
We seek consent when taking and holding clients data. Our consent is clear, specific and explicit.
We use and maintain the highest standards of security measures and policies when handling personal data. All data held is encrypted and password protected to be GDPR-compliant.
Official access requests from official and authorised channels will be provided within a one-month timeframe. Subject Access Rights are changing, and under the GDPR, citizens have the right to access all of their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all of their personal data that we may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
All Employees at Baillie and Baillie are trained to ensure all staff are knowledgeable and GDPR aware in order to comply with all aspects of data handling within our business. Any and all data breach mistakes will be reported to our DPO.
At Baillie & Baillie we also conduct due-diligence GDPR checks on our data supply chains. We strive to make sure that all our suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. Our contract terms also ensure that important obligations are placed on suppliers and contractors to minimise the chance of any Data Breaches.
Baillie & Baillie in all business transactions, describe to individuals exactly what we do with their personal data and how it is stored.
Hanging on to old data?
One of the key principles of GDPR requires companies not to hold on to personal data for longer than necessary, or process it for purposes that the individual isn’t aware of.
Baillie & Baillie "strip down" and delete our redundant data held twice per year. This ensures that we hold nothing more than is needed to conduct our business.
Customers or individuals ‘consent’ has been redefined and become much tighter. No requests or information can now be hidden.
Baillie & Baillie refrain from 'small print' and all information from us is clearly presented. Nothing we require is requested in "pre-ticked boxes" that clients then need to untick.
For some pre-existing personal data previously held by us, then current consent may not be required on this data if we have a legal basis that’s compliant with the current legislation (the DPA).
Fair processing notices
Baillie & Baillie's fair processing notices giving people clear information about what we do with their personal data. We inform people of the purpose for processing their personal data (the purpose), including the legal basis we have, such as consent.
We also clearly define the recipients we may be sending the personal data to (customer, employee, supplier, etc.)
Along with details on how long we will be holding onto the data (the ‘retention’ period’), or the criteria used to determine the time period.
It is also made clear to individuals of the existence of their personal data rights.
All clients and customers of Baillie & Baillie can trust in us to adhere to the new GDPR regulations, sound in the knowledge that all business conducted with us, is conducted according to all Data Guidelines and Regulations currently operating.
Baillie & Baillie GDPR Framework for gaining consent, dealing with and holding client Data:
- We regularly check our consent practices and existing records, and refresh where necessary
- We offer individuals genuine choice and control over their personal data.
- We use positive opt-in options, we never use pre-ticked boxes or pre-set default options.
- We practice explicit consent, which means a very clear, specific statement of consent.
- Our consent requests are separate from other terms and conditions.
- We are specific, granular, clear and concise on all notices and correspondence.
- We also name any third parties who will rely on the consent.
- We make it easy for people to withdraw consent, and we tell them how to!
- We keep evidence and records of the consent (who, when, how and what we have told people).
- We avoid making consent a precondition of our business services.
- Consent puts individuals in control, builds trust, engagement and enhances our business reputation.