If you are a trading locksmith, we have put together this GDPR guide for locksmiths to help you. We cover what you need to do if you store customer data for security keys, and what applies if you collect names and addresses on VAT invoices.
What is GDPR and why is it needed?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It can also apply to organisations outside the EU if they offer goods or services to, or monitor the behaviour of, EU citizens.
GDPR is an update of the existing law, the Data Protection Act 1998 (DPA). The DPA needed updating because the methods used to process data have changed considerably over the last decades with the increased use of the internet and computers.
Technology is evolving and more people have access to it, so the law must adapt to the new circumstances.
The GDPR is all about personal data:
- How it is collected
- How it is processed
- How access to the data is managed (i.e. where it is stored, how it is accessed, by whom, etc.)
Personal data = any information relating to an identifiable human being (the data subject), for example names, addresses, phone numbers, bank details, etc. (EU GDPR Article 4(1))
Processing data = any operation or set of operations performed on personal data, such as collecting, storage, erasure, destruction, use for marketing, etc. (in short, any interaction you have with personal data) (EU GDPR Article 4(2))
Does GDPR Apply to Locksmiths?
GDPR applies to all businesses in the EU, irrespective of the size of the business or the industry it is in. It aims to protect people’s personal data from being used for any reason other than the original purpose for which it was collected, and from being lost or hacked.
GDPR Applies to Locksmiths
GDPR does apply to locksmith businesses, and everyone should have complied with the new regulation by 25 May 2018; those who have not could be subject to fines of up to 4% of total business turnover.
I Collect Names And Addresses on VAT Invoices
As a locksmith business you may collect personal data (for example, names and addresses on VAT invoices) because the information is legally necessary to complete the job.
As long as your organisation only uses this personal data for the stated purpose (i.e. financial records), the business is well within the bounds of complying with the GDPR.
Privacy Agreement Must be Accessible
However, you must still have a privacy agreement that explains to the customer why his/her data is collected and how it will be used.
The privacy agreement must be made available to the customer:
- It can be posted online if you have a website, or
- If you don’t have a website, carry a physical copy with you every time you attend a job
I Collect Personal Data for Security Keys
Written Consent is Required
If you collect data such as names and addresses for any other reason (e.g. security key records kept so that you can create a copy of the key if the customer later requests one), always obtain written consent from the customer.
Written consent can be a signature on a privacy agreement provided by the locksmith.
The privacy agreement has to be transparent; it should state clearly:
- The reason why data is collected
- How the data will be processed
- Where the data is stored
- For how long it is stored
- Who has access to it
Finally, the agreement should state the rights of the customer (the data subject), which are as follows:
- Right to withdraw consent at any time
- Right to be forgotten
- Right to access the data held on himself/herself free of charge
- Right to request that the data be transferred to another party
Consent = any freely given, specific, informed and unambiguous indication of the data subject’s (customer’s) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (EU GDPR Article 4(11))
Storing and Protecting the Data Against Breaches
The data that your company holds on customers has to be secured, and a written security procedure must be kept.
If you suffer a data breach, you must report it to the ICO (the Information Commissioner’s Office) within 72 hours, explaining what happened, what procedure was in place to prevent the issue, and what backup of the lost data you have.
How you can protect your data:
1. Secure the data by keeping it in a lockable cabinet that can only be accessed by staff members (paper records).
2. Secure the data by password or encryption if it is kept in digital format.
3. Create a back-up of the data; the back-up must also be protected against breaches.
Data breach = a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (EU GDPR Article 4(12))
Important: Run a Data Audit
As a business you must run an audit of your own data, establishing:
1. What data do you collect?
2. Why do you collect it?
3. How do you store the data, and for how long?
4. Do you have consent from the customers?
5. Protect the data against breaches
6. Back up the data you have
7. Create a GDPR folder containing a procedure that covers all the above points; you must also log any changes to data (e.g. when data that is no longer needed is destroyed, log the action)
FREE GDPR Template for MLA Members
We have created a free GDPR template for our locksmith members to use on their own websites. If you are not a member of the MLA, you can join here.
If you are already a member, please contact us to request the template to use on your website.