SGN Retail - GDPR Manager's Training Templates

Title Page

Prepared by
Conducted on
Location

INSTRUCTIONS

1. Answer "✔", "✖", "N/A" on the questions below.
2. Add photos and notes by clicking on the paperclip icon
3. To add a Corrective Measure click on the paperclip icon then "Add Action", provide a description, assign to a member, set priority and due date
4. Complete audit by providing digital signature
5. Share your report by exporting as PDF, Word, Excel or Web Link

EU GENERAL DATA PROTECTION REGULATIONS

1. There is a new Risk Assessment that the Central Operations Manager has completed which all staff must read. All staff must sign the acknowledgement confirming their understanding.
2. A new Privacy Notice is displayed on the notice board. Please take the time to read and understand it. It informs you of your rights, why we ask for specific information, why we need it, where it is stored and how long we will keep it for. If you need to complain or have any questions, the contact details are also on there for the Central Operations Manager who is responsible for Data Protection Compliance.
3. CCTV Management: a. Access to recorded CCTV footage is to be restricted to Manager and Assistant Manager only. b. Still photo printing and disc burning from recorded CCTV footage is prohibited unless requested by the police and must only be performed by the Manager or Assistant Manager. c. Burned discs & photos are to be kept locked away pending collection by the police. d. Receipts for discs and photos must be obtained from the police and filed.
4. No details of a personal nature regarding anybody (Staff, visitors, customers), including personal telephone numbers must be left on desks, behind the tills or stuck on walls.
5. All personnel files and details are to be kept locked away with access restricted to the Manager and Assistant Manager.
6. Personal data and/or opinions must not be emailed to anybody without a valid reason. a. EG: Photos of RTW documentation must not be sent by email/SMS/Whatsapp etc to anybody whatsoever. A copy should be kept in the personnel file at the store only. Copies must not be taken by phone or camera. If you have any copies such as these held on your phone or camera, please delete them immediately. b. EG: New starter forms can only be sent to Ikara for the purpose of payroll, nobody else.
7. No information or opinions about staff, customers, visitors or the Company is to be broadcast on social media, such as Facebook, Whatsapp, Twitter, Linked In etc. a. EG: If you are part of a Whatsapp group or use social media, please ensure that the above instructions are complied with. b. EG: Do not engage in any conversations on social media regarding your colleagues, customers, visitors or the Company as this may be regarded as a breach of Data Protection. You must report any such conversations, even if you have not taken part in them, to the Central Operations Manager immediately.
8. Memory sticks, USBs, mobile phones or any other recording device must not be connected to Company IT equipment at any time. You, as Manager, must check all your IT equipment on a weekly, random basis, to ensure that no such devices are connected. Downloading and/or uploading any information, including filming on mobile phones, to and/or from Company IT equipment is strictly prohibited, without the express, prior permission from the Commercial Manager. If the police need a copy of CCTV footage urgently and have requested it to be put onto a memory stick, prior permission from the Commercial Manager should still be sought.
9. A Data Subject Access Request is where a member of staff, customer or visitor has formally requested that we provide them with all the details we hold on them, including CCTV images, personnel files etc. As there are strict guidelines and timescales for complying with these requests and we would be legally accountable for not adhering to the law governing them, any such requests must be notified to the Central Operations Manager immediately. These requests may be received by telephone, face to face, letter, email or social media. Please ensure you understand the meaning and possible repercussions of Data Subject Access Requests. Repercussions are: Fine of 20m Euros.
10. A breach is when the EU General Data Protection Regulation law has been broken and can result in any material and/or non-material loss to an individual, whether they are staff, customers or visitors. a. EG: The details of the address of a member of staff is left on the desk. A visitor may check these details, look at the rota, which is on the wall and know when that member of staff is away from home. This could result in their house being burgled with material (financial loss) and non-material loss (mental strain, anxiety, peace of mind) to the individual concerned. b. EG: A member of staff records details of CCTV footage on their mobile phone and broadcasts it on Facebook. In the CCTV footage the image of a child is captured, which could then be distributed on the dark web. This would result in non-material loss to the child, it’s parents and family. c. EG: A photograph, which has been captured from CCTV footage, is pinned up on the wall in the office, with the caption ‘This is a shoplifter’. A visitor sees the photo and knows that person as a neighbour. The visitor then tells all his other neighbours that this particular person is a shoplifter, but we were mistaken, and this is a photo of the wrong person. This would result in non-material loss to the individual. d. EG: Personnel files are left in an unlocked cabinet. The store is broken into overnight and the robbers now have access to New Starter forms, Bank Account details, copies of RTW and Address verification. They now have everything they need to empty all the staff Bank Accounts. This will result in material and non-material loss. A breach or even the possibility of a breach must be reported to the Central Operations Manager immediately, even if you are not sure whether it is a breach or not. The Company needs to report this to the governing body for Data Protection within very strict timescales. Repercussions of a breach and/or lateness in reporting, are: 20m Euros and/or the individual concerned can sue for material and non-material loss.
11. CVs for unsuccessful potential employees, hard copy and soft copy, must not be kept without the express, written permission from the owner and when kept, for any reason, must be securely locked away
12. Interview notes for prospective employees who have been unsuccessful, must be kept for a minimum 6 months, maximum 12 months, in case of court action. They must be kept securely locked away.
13. Debit and credit cards left behind by members of the public must be kept securely locked away until collection, and, if not collected, must be destroyed after 3 days. Secondary identification must be shown when collecting them.
14. Managers are to cascade this information, personally, to all staff and check their understanding, within 1 week. A sign off document is provided to be sent, fully completed and signed by all staff, to the Central Operations Manager.

COMPLETION

I confirm that I have received a copy of this document and fully understand what is required of me.
Manager's Name and Signature
Date for completion of cascade to all staff and confirmation to Central Operations Manager