GDPR Compliant
GDPR came into effect on 25th May 2018. It is a set of regulations governing how businesses handle personal data.
I have produced a GDPR policy, which you can see below and which may change as my business develops or if I undertake new projects.
As before, I never pass any details provided by my clients to anyone unless requested by my clients or for legal reasons, such as to keep my clients safe. Your details are kept to help me provide you with the best service I can, and to provide you with useful information, tips, articles and advice when I feel they are necessary or useful to you. However, most of the information I send out is done via my Facebook page, NickyAnsteyMindBodyWellness, so it is then up to the individual whether they would like to look at the information.
Again, if you would like any details removed from my files please let me know and, if it is legal for me to do so, I am more than happy to remove that information. You may also request to see any notes I have on you if you have had an appointment with me, although my writing is pretty hard to read!
The regulations are very involved, and I am now registered with the ICO, the governing body for Data Protection.
For more detailed information about my suppliers (e.g. Google, Vodafone, website, etc.), their compliance, how I handle and hold any details and information, and more, please read my highly riveting Data Protection Policy below. Happy reading.
GDPR Document for Nicky Anstey, Mind Body Wellness.
Personal Data That I Hold
CLIENTS & PROSPECTS
Name
Address
Post code
Phone
Mobile
Email Address
Personal Data
Medical and Health Information
Date of Birth
Doctor’s Details
Whose Personal Data Do I Hold?
Clients
Prospects
Clients’ Doctors’ Information
Which Applications Store This Personal Data?
Accounts – Excel spreadsheet
Email – Mailchimp and Gmail
Phone – Contact details on WhatsApp, text and Vodafone
Facebook – On Business Page and Messenger
Spreadsheets
Paper books
Registration Forms (Paper and Google Forms)
WordPress website editor
Unbounce Landing Pages
Google Docs
LEGAL BASIS
Contract
I hold information in order to deliver the service I offer to each individual who has paid me to do so.
Consent
When prospects find me on the internet through my website, landing page or another directory and ask for information.
When I advertise an event, I request permission to send them information about the course, service, event or offer.
I inform clients and prospects what I will use the information for and why I am holding it, and they know that by filling out any form or asking for information I will keep their details to send the relevant information to them. They are welcome to unsubscribe at any time.
Legal
I have a legal obligation to hold certain information: accident reports (none have occurred as of yet), registration forms for professional and insurance purposes, etc.
Vital Interest
As my clients often come with long-term health issues, both physical and mental, it is in the interest of the client for me to keep these details in case they ring in an emergency, so that I can act accordingly and support the client in the best way.
For example, some clients have been suicidal, and it is important for me to be able to access their information quickly if needed to help them effectively and tentatively.
Legitimate Interest
Similar to the Vital Interest reasons above, I hold clients’ details because most clients have long-standing health problems I help them with, and they come back even years later expecting me to pick up exactly where we left off, so I need that information to make the transition smooth and professional for them.
This is stated when they sign their registration form.
Sources of this information are mainly paper, with additional communication via e-mail, Facebook, WhatsApp, Messenger, text, Mailchimp, my WordPress website and phone calls.
I keep clients’ data on my phone, on my laptop and in a cupboard in my office at home, which is locked (keys with me) when I am not there.
My phone and laptop both require a password/PIN and/or fingerprint to unlock, and a password is also required to get into my Gmail, Facebook account, Messenger account, phone book, WhatsApp, WordPress editor (for my website) and Unbounce.
Google Docs is shared with my P.A. only and requires a password to access.
Public Interest
I have not had any public interest clients yet, although I did confirm to the police that I had seen one client who had gone missing, to help with their enquiry.
Where Is The Data Stored? Where Is The Storage Device Located?
Laptop – password required to log in. AVG anti-malware package used to keep information safe.
Mobile Phone – password or fingerprint to get in
Paper Records stored in filing cupboard
Daily notebook/planner kept with me in the house only. Never leaves my house unless in my bag on very rare occasions.
Hard backed diary. Never leaves my house unless in my bag on very rare occasions.
Online – Google Docs (Google is GDPR compliant).
Cloud storage from Cloud KnowHow. Password and PIN required to access.
Files – Windows Explorer. Password required.
Filing cupboard in my office (office locked if I go out).
Who Has Access To Your Data?
I have access to all.
Ruth Dietrich, my P.A., has access to Google Docs when building up the prospect list from requests for information on courses, and only has access to the contact details on my clients’ registration forms when sending thank-you cards and presents out to my clients. Her notebook is used only for my work and is left at her home in her office.
I am responsible for billing.
Ruth and I do the marketing.
The Right To Review & Correct Data Held
A person has the right to review and correct the personal data that I hold on them, and is welcome to come and read their files at my house; if they request to take the files away, they understand that the responsibility for them then lies with them.
The Right To Be Forgotten.
Any client is welcome to ask for their files. However, I would advise that they avoid reading how they felt and what they believed, to avoid inserting negative information back into their mind.
Financial data needs to be kept for 7 years, for legal purposes.
The GDPR does not supersede these obligations.
How And When Do You Destroy Data?
To date I have not destroyed any client information.
If I were to destroy it, I would burn it in our woodburner or shred it finely.
All old IT equipment has been kept so far, but if we ever needed to get rid of it I would look into a way to wipe all the data from the hard drive.
What External Suppliers Do You Use?
Email suppliers: Mailchimp (Rocket Science Group) – compliant; Google Mail – compliant
Website: WordPress – compliant; Unbounce landing pages – compliant.
Cloud storage: Cloud KnowHow
Google – compliant
Phone – Vodafone – compliant
Reporting
In the case of lost laptops or phones, although all data is fingerprint or password protected, I would report to the ICO; otherwise I would not be in a position to have a data breach.
What Data Do You Hold For Marketing?
I market through Facebook by posting information onto my business page and also onto groups. It is up to others to decide whether this is of interest and whether they want to find out more. I give the clients my information.
Google Ads – When people contact me, I tell them what I will do with the information.
Phone or email contacts – I only keep the information of those people who have requested that I contact them for more information about my individual sessions or courses, so that I can deliver this service. If I leave a few phone messages and no one returns the call, I leave it for them to contact me before I put their details on file.
All clients I help complete a Registration Form, which highlights the GDPR regulations and my policy on what I will do with this information (i.e. send relevant information and contact them so that I can provide a service), and which they have to sign to agree to.
On my website and landing pages there will be a link to my GDPR compliance page, which will highlight this policy and any relevant information I feel will help them.
Audit
Lists I have:
I have added a suggested lawful basis for each. This is not definitive, but suggested; you must decide yourself (email me if you don’t agree).
Accounts spreadsheets (legal)
Registration forms (legal) including Medical Information in Registration Form (vital interest), Personal Information (Legitimate Interest)
Email Marketing Prospects (consent)
Facebook Marketing (consent)
Google Adwords Marketing (consent)
Email Customer List (contract)
Client Mobile List (contract)
Notes in Daily Notebook and Diary re their details (contract)
List: Registration forms
Reason For Processing: Obtain contact details to help me provide a successful service and send them relevant information.
Lawful Basis: Contract, Vital Interest and Legitimate Interest
System: Paper
Processor: Me
Location: Office filing cupboard
Security: Locked office
Access: Me only (and my husband occasionally, to use the printer)
Delete After: 10 years, unless of vital interest to the client.
Notes: Clients can come to the house and read or change their notes if they wish. Clients can ask for their notes back after the sessions are over, or understand that if they allow me to keep them it will aid us in future if they need further help. They can request that the information be destroyed, so long as it is not of vital interest in keeping the client safe in future (e.g. suicide risk).
List: Client mobile numbers
Reason For Processing: Contact clients to support them and to arrange sessions
Lawful Basis: Contract
System: Mobile phone / Vodafone / Excel spreadsheet / Mailchimp / Weebly / Unbounce pages
Processor: Me
Location: Phone with me at all times. Spreadsheet on my laptop, Google Docs, Weebly, Unbounce and Mailchimp, shared only with Alison Stickland as an administrator.
Security: Phone fingerprint protected; phone directory, apps, suppliers’ products and laptop all password protected.
Access: Me and Ruth Dietrich (my PA)
Delete After: 2 years if I have not heard from them, unless the client asks to keep in touch.
Notes: Mailchimp, Weebly, Unbounce, Gmail and Vodafone are all GDPR compliant.
List: Accounts spreadsheet
Reason For Processing: To keep records for tax returns and bank transactions
Lawful Basis: Legal
System: Xero, Excel and Google Docs
Processor: Ruth Dietrich and I
Location: Google Docs and Excel on 2 laptops
Security: Laptops password protected
Access: Ruth Dietrich and I, plus my husband, Steve Anstey, who helps me with my tax return.
Delete After: 7 years
Notes: none
List: Email marketing and prospect list
Reason For Processing: To provide relevant information, including course dates, and to contact them regarding offering and providing my service
Lawful Basis: Contract and Consent
System: Gmail, Mailchimp, Unbounce pages, Excel, Google Docs, Google AdWords
Processor: Me
Location: Laptop, Google Docs
Security: Password on laptop, Google Docs and all applications.
Access: Ruth Dietrich and I
Delete After: When they state they are no longer interested, or if I have not heard from them for 3 years.
Notes: none
List: Facebook marketing list
Reason For Processing: To provide information of interest to individuals and advise of any relevant services that may be of interest
Lawful Basis: Consent
System: Facebook
Processor: Me
Location: Laptop and phone
Security: Password protected
Access: Me
Delete After: Details are only deleted as described in the notes below, as otherwise nothing is stored independently at my end.
Notes: If they request more information about a service, the information they give me individually is then stored in the relevant areas to allow me to provide the service.
List: Daily notebook and diary
Reason For Processing: To provide the service or details requested when clients phone or email, so that I am able to get back to them.
Lawful Basis: Consent (notebook); Legal (diary)
System: Paper
Processor: Me
Location: Home/office
Security: Left in a locked room if I am away, or in the house where there is limited chance of it being seen or taken, as I am with clients at all times when the book and diary are near them.
Access: Me only
Delete After: Notebooks are burnt after 2 years. Diary kept for 7 years to meet legal requirements for my accounts.
Notes: none