GDPR Executive Summary

As a responsible business, Metropolitan Insulation Services, a trading style of Richmond Refurbishments Ltd (RRL), has taken a robust approach to the new General Data Protection Regulation (GDPR).

The RRL GDPR Executive Summary provides the backbone to its approach and is a ‘live’ document with effect from 25th May 2018.

As a live document it is iterative and allows for changes at any time as the regulatory framework evolves and where, as a consequence of this, RRL recognises a need for amendments.

Routinely, the RRL GDPR Executive Summary will be formally reviewed every 12 months by the RRL GDPR Project Group. This group is headed up by an RRL Director and takes feedback from all members of staff.

The RRL GDPR Executive Summary is a document that is shared with all staff members.

In establishing the RRL approach to GDPR the following has been considered:

Legitimate interest:

RRL has:

  • Established that legitimate interest is the most appropriate lawful basis for processing the data it holds:
    • i. In the case of new clients, data is kept on a transactional basis; i.e. legitimate interest exists as the data subject is considered to be a customer. Express consent is sought where marketing communications beyond the initial work are thought to be necessary – otherwise, all data is removed.
  • Explained already or will explain how an individual’s personal data will be used when collected.
  • Created and deployed a privacy policy.
    • This is published on the RRL website.
  • Ensured that only the minimum amount of data is collected from any individual for the purpose.
  • Provided an option to refuse marketing communications.

Asking for consent:

RRL has:

  • Checked that consent is the most lawful basis for processing any data held.
  • Asked for consent separately to the standard terms and conditions.
  • Asked for positive opt-ins.
  • Created a double opt-in function for website subscribers.
  • Not used pre-ticked boxes.
  • Used plain, simple language.
  • Explained why it needs the data and what it will be used for.
  • Where appropriate, named 3rd parties with whom data may be shared.
  • Explained that consent may be withdrawn at any time and is easy to withdraw.
  • Maintained a record of how consent was gained.