Introduction

As a sole trader, I am personally responsible for all of my business activities. Essentially, I limit the information I hold to that which is strictly necessary to respond, plan, install, receive payment, support and maintain tax records. Everything else is deleted on an ongoing basis

The General Data Protection Regulation (GDPR) requires that I protect personal data, that I only hold any data that I need, that I tell people of what data I hold, and finally why I require to hold it. The following is intended to do that without any legalese to obscure that understanding


Website & Cookies

The sole intention of my website is to present my services, with an option for a user to respond via a contact form or other means. I do not track, nor can I identify anyone who merely wishes to browse. It requires someone to actively seek further information before I am involved in my first interaction, and never before

I do not use any cookies on my website other than those that are strictly necessary for it to function correctly. I do not use any form of web based advertising, nor am I affiliated with any other business or website. I am a recommended fitter on several manufacturers' websites, but that's as far as it goes. The links that I provide are for convenience only, providing access to related external content

Like many other websites on the internet I use Google Fonts, which defines the look of the text you are reading. They are used purely for aesthetic reasons. To allow these fonts to load correctly, the following domain is used:

fonts.gstatic.com

I also use Google Maps to show the area that I cover. The domains involved are:

csi.gstatic.com
maps.google.com
maps.googleapis.com
maps.gstatic.com

I am currently testing the use of OpenStreetMap instead of Google Maps. As a consequence the Google Map cookies above are no longer applied. OpenStreetMap does not seem to use cookies.

It is my understanding that Google provides these services to increase the performance of the web in general, reducing the need for tailored fonts for each and every website (although some do provide their own font families, which have to be downloaded with their web pages, or pre-rendered as images). I am not aware of any tracking being involved with these Google services, which I imagine wouldn't be of much use in any case

The fonts are already extensively cached (for speed) across the internet and within most personal browsers, so removing the need to reference a source, which is the essential pre-requisite for tracking. These domains can be blocked in your browser if required, the result being browser default fonts being used (less attractive), and a failure of the map to load. Blocking my domain will prevent it working completely

Information Handling

I do not canvass for work, relying on potential clients approaching me via my search listing or having been recommended by previous customers. The only personally identifiable information I receive is that which is provided by using my contact form, or if phoned or emailed directly. I do not tout or solicit for work, nor am I involved with any organisations that may provide those services

I may from time to time receive contact information from, or forward it to, Phil Foulger of Four Paws Doors, with whom I share a close working relationship. This is due to received requests relating to our respective working areas. I am confident that Phil operates similar information handling procedures to my own

I do not otherwise share and will never misuse any information that I receive. In the longer term I only retain that necessary for user support and taxation purposes. Everything else is deleted

Email Communications

I work via email, regardless of the initial means of contact. All of those emails remain private, and are maintained purely for the operation of the business. I do not pester potential customers to obtain work, nor do I harvest or use any information for any other purpose. The contacts fall into two categories of those who move forward to use my services, and those who do not

Non Customers

The emails of those contacts who do not indicate that they wish to continue are held for a period of time, just in case I am re-contacted after some delay. After several weeks those emails are moved to an inactive area. Only if I am subsequently re-contacted will I retrieve earlier related emails as necessary. From time to time I delete those inactive emails in bulk, generally any older than 6 - 12 months. I do not retain any of that information at all. I am happy to delete all of a contact's emails at any time upon request

Customers

Customer emails are held in a working area, and then a work completed area. The working emails are used to complete the work as requested, and then to invoice that work. The purpose of the work completed area is to provide support to my customers over a period of 12 months. From time to time I delete those historical emails in bulk, generally any older than 18 - 24 months. I do not retain any of that information at all. I am happy to delete all of a customer's emails at any time (post payment) upon request. Any subsequent requests for support will then have to reference the invoice number

General

All email is received by, or is generated from my contact form on, a secure server that is part of the service provided by my internet web hosting company. I use POP3 email, which means that I pull down any email and delete the server copy at the same time. The regulations (GDPR) do not require encrypted emails from my website (we would have to exchange public encryption keys beforehand to encrypt email if this weren't the case). This means that email crosses the internet in an openly readable form (which is the standard way in which email works)

The application providing the form on my website also maintains a copy of the information entered. It is set to delete periodically, once I have confirmed that I have received that information via email. In essence, I do not retain any personal information upon my website at all, other than that being processed or in transit

There is the remote possibility that if my web services were compromised, then any new emails awaiting download could be accessed in a readily readable format. In reality, email is far more at risk in transit across the web, and intercepting it is in itself a very difficult thing to do for anyone outside the security services (the internet service providers themselves are tightly bound by law, and also operate very much by reputation). Any (extremely rare) compromise in security is generally within the device actually sending or receiving information, normally as a result of prior actions by the user of that device

I have implemented certain security measures which are intended to stop email spoofing (a third party pretending to be me), but email is not inherently secure in its design. I also use techniques that attempt to stop my web form from being misused to send unsolicited email to a third party. However, if you do receive an email purporting to be from me, but obviously not relating to me conducting business with you, then call me to discuss this. Never open any link in any email supposedly from me, nor open any attached file, unless you are fully expecting to receive that information link or attachment. I have never experienced this in practice, but in theory it's a possibility

Customer Records

The section above describes the methods by which I handle email communications. Other than that, the only (customer) record that I retain in the longer term is the invoice. This has to be held by law for tax purposes for 6 years after the tax year in which it was raised, so potentially for up to 7 years

Data Handling

The day to day management of my business is handled on a single computer, with backups being maintained on a separate device. My main computer is kept up to date with all relevant software patches, and is protected by anti-virus software. I do not download or run untrusted software on that machine. The computer uses a firewalled network, which is separated from any other less secure device

My internet use on that machine is via web browsers running various security related software, plus being monitored by my anti-virus software. I only access and use widely trusted websites, with sensitive access being managed within secure browser containers

Access to the internals of my website is encrypted and uses a long and complex password, along with a time sensitive, randomly generated code. All three elements have to be correct within any 30 second period. Repeated attempts will lock down the server from further attempts to access it. The web server software itself is updated regularly, and sits within a highly secure and managed framework as provided by my web hosting company

I have moved from paper to digital records, and so no longer produce paper copies. Historical paper records will be maintained securely and then irretrievably destroyed once their purpose is no longer necessary. Digital records for historical tax years will be encrypted to make them completely unreadable without the necessary keys. Copies may be held in several geographical places to secure them, either on a physical device or in an encrypted area online. Any copies will be held without the appropriate encryption keys, thus the files cannot be decrypted and read

Being self-employed, I do not have the resources of a major corporation to manage my security. However, I do believe that I manage and protect personal data to the best of my ability. I have on several occasions received a common response to me revealing that I solely install cat flaps and dog doors for a living. That woefully unimaginative response is:

Is that all you do!