**The EU General Data Protection Regulation (GDPR)**
The General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998 (DPA).
The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations and business’ to be more accountable for data protection.
**********************
The business benefits of the GDPR;
•Build customer trust
•Improve brand image and reputation
•Improve data governance
•Improve information security
•Improve competitive advantage
**********************
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply.
**********************
Personal data;
•Name
•Address
•Email address
•Photo
•IP address
•Location data
•Online behaviour (cookies)
•Profiling and analytics data
•Any information that can identify your identity
**********************
Data protection principles;
Personal data must be processed according to the six data protection principles:
1. Processed lawfully, fairly and transparently.
2. Collected only for specific legitimate purposes.
3. Adequate, relevant and limited to what is necessary.
4. Must be accurate and kept up to date.
5. Stored only as long as is necessary.
6. Ensure appropriate security, integrity and confidentiality.
**********************
We only store customer data for as long as it’s needed for HMRC and Accounting purposes. Once we are allowed by law to delete our account paperwork we will do so. Whilst they are stored, we store them securely online. Any print outs do not have any personal / identifying data.
We do not share or screenshot any messages. We do however share screenshots of order and postage details to our sellers so they may fulfill your order. Every day photos are deleted that aren’t needed, which includes all the screenshots of customer address’.
You can request to be informed of the information we hold on you and how this has been shared by emailing us at theoctopusgardengroup@gmail.com
**********************
Accountability and governance;
We demonstrate our compliance by only processing data necessary to fulfil your order or other request or to keep you up to date on news via our mailing list that you will have opted in to join. We store all data securely and delete data as soon as we no longer need them for accounting purposes.
Customers pay using Paypal, Paypal have assured all business users they too are GDPR compliant and storage of customer data is kept to a minimum and not shared with any other third party.
Customers can also pay via stripe or direct bank trasnsfer, both of these payment methods are through GPDR compliant organisations.
We NEVER store any payment card details.
**********************
Lawful processing;
By contacting us you are giving direct consent that we can store and process your personal data in accordance with the above.
When you order via our website you will be required to accept the above during the check out process.
**********************
**PCI compliance**
What is PCI DSS and who needs to comply? (Payment Card Industry Data Security Standard)
Consumers are becoming increasingly aware of the dangers of identity theft and PCI compliance shows that a business has secure procedures in place that keeps customer payment information safe and secure.
•Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that all businesses who handle credit or debit card payments must comply with. It provides a “minimum security standard”.
As a merchant (business) accepting card payments, the business are required to comply with PCI DSS. As a service provider, PayPal is also required to comply with PCI DSS.
We do not take payments direct from customers, We use a service provider. (PayPal, Stripe, Bank Direct whom are all PCI DSS compliant).