GDPR and certification

Phoenix

Anyone managed to find any kind of guide that's relevant to what we do as electrical contractors with reference to certification and how it affects us if we are keeping certification on computers?

Thoughts that are rattling around my head atm:

1) I assume name/address is generally a 'low risk' kind of data, compared to the likes of financial or medical info etc.? And I assume that only personal addresses are a problem, i.e. Mrs Smith, 15 High street, Little town. And not company ones such as ABC Widget corp, ABC business park, XYZ Street, Big town?

2) There seems to be something about keeping data up to date, I assume it doesn't apply to certificates in terms of names and addresses, as correcting the address when someone moved would then make the certificate wrong!

3) How can you offer a right to deletion when the NICEIC require certificates to be kept for a set amount of time, fair enough if they are beyond the required time

4) Following on from above, should one set a cut-off period and start deleting certificates after that to comply with data not kept longer than necessary, that seems a bit silly, because you do sometimes get the rare occasion years later when someone requests a copy of a certificate

Just wondered if anyone got to the bottom of this at all?

 
As Sharpie says. I presume all the LBCs, with their ... what must be huge databases now, full of Mrs Jones, 5 Everyman St ... installed two sockets 23/10/2000 by Sharpend Electrical etc., will be deleted on a daily basis.

The warranty, which is, I believe, issued by the Scams (as most sparks ignored them), holds the contractor to that job for 6 yrs; if he's dead or gone bust or retired I presume the scam undertakes correcting, say, faulty work.

I've noticed with houses being sold that have our Installation or EICR certs attached to the deeds are being pooh-poohed and buyers are getting their own, new inspections made.

 
Delete after six years?
Or you could wait 7 yrs then dump them with your tax records.

It's a good question though ... Data retention by Electrical Contractors ... I have no idea to be honest!

What's on mine?

I hold addresses of notified domestic work carried out. (Dating back to the Old Testament)

I hold invoices dating back 7 yrs.

I hold some historical quotes that could be deleted.

I hold some photos of jobs at various stages.

I hold some data on a printing works we look after. (New 300A supply etc.)

And there's the photos of Miss Sweedy ... but we've all got those!!

 

I think you could well find you have got this all a bit arse about face, and mixed up, back to front, and stored in the wrong toolbox.....

(or something like that.)

i.e...

Where have you read any law or document that states a business cannot store any form of customer data for the purposes of its normal daily duties?

From what I have read and understand the key points of GDPR relate to "THE PROCESSING" of data...  and how you securely store any relevant data that you do keep..

Keeping a hard copy or electronic copy of an invoice or electrical certificate for the normal everyday functions of your business is an essential requirement to allow your business to continue trading.

BUT...  Processing that data for marketing purposes... or selling that data to third parties…. or leaving it open to unauthorised access.... 

Are NOT essential business requirements and without consent allowing you to process someone else's data you are in breach of their rights and GDPR..

e.g.  Any data you do hold must be securely stored to prevent any unauthorised persons access to that data..

But there are NO fixed time limits, as an individual business may have different requirements around how they use their customer data..

Consider the following:-

1/ Last week I fitted an LED floodlamp with a quoted manufacturer's warranty of 5 years..

so need to keep records of installation date/purchase date invoice ref etc.. for at least 5 years in case Mr customer rings up saying it has gone faulty..

2/ What happens if we get another manufacturer's recall due to exploding MCBs or the such like..

But you've binned all records of what jobs you've done or what was fitted where ????????

3/ I am in progress doing the wiring for an extension at one of my old customers...   Originally did work for them in June 2000... 

Over the 17+ years I have done 15 various jobs for them...

But the fact that I have records of previous jobs and the circuit arrangements makes it all easier for me and the customer...

etc...   etc....  etc....    etc.....

There are loads of similar such scenarios that make storage and retrieval of data essential to the smooth running of businesses large & small..

BUT all companies MUST ensure data they hold is only accessible to relevant authorised staff and not the general public..

AND you must ensure data is not stored on easily accessible or hackable devices …

Or just left lying around where anyone can pick it up!!!

Also there must be a named person who is ultimately responsible for storage, security and use of any customer data..

So there is a traceable responsibility path in the event of a data breach!!

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Lawful_basis_for_processing  

I have a printed document and a page on my Website stating the data usage and protection procedures adopted by my business......  

It's worded as follows...

Data Protection 

Customer data is used throughout the business world, whilst some use is essential for a business to operate, others are non-essential. [COMPANY] will only retain essential data for the purpose of normal business activities. The areas where [COMPANY] requires access to customer data are as follows: –

1/ Quotes & Invoices.

During normal business activities customer contact details will need to be obtained for inclusion on quotations and invoices etc.  and the name of whoever is authorised to request the work and verify the satisfactory completion, are key requirements.

2/ Warranties & HMRC.

A record of every job undertaken by [COMPANY] is required for the purpose of verifying earnings to HMRC and as a cross reference in the event of any products or materials supplied by [COMPANY] failing whilst still within the manufacturer's warranty period. The location address, schedule of work, materials supplied / installed etc. are all essential items of data for this purpose.

3/ Product recalls.

Occasionally manufacturers have product recalls due to hazards or defects being identified after an item has been installed. (Quality control may identify a batch of product that requires remedial work. This has been seen in the past with some fuse box protective devices failing prematurely.) In these instances, product recall letters, emails or webpages are typically issued to potential contractors to check work they have undertaken during a certain time period. As such, [COMPANY] keeps records as accurate as possible to eliminate any potential dangers to any customers as rapidly as possible.

4/ [TRADE BODY] Assessments.

As a member of the [TRADE BODY] an annual assessment of [COMPANY] has to be carried out. As well as checking paperwork, certificates, insurance and other admin related issues, site visit(s) are required to assess general standard of workmanship and compliance with BS7671. Records of work undertaken and the person to contact for access are needed in order to arrange these appointments as and when required.

[COMPANY] makes no other use of any personal data held.

[COMPANY] never passes on or sells any contact details to any third-party organisation(s).

[COMPANY] never distributes any unsolicited marketing material, by post or electronically.

[COMPANY] does not store any customer data on any internet or cloud-based storage applications.

[COMPANY] does not use any social media or mobile phone applications for storing customer contact details.

All data used and held by [COMPANY] is managed and controlled by [PERSONS NAME]. Data may be on hard-copy printed sheets or an electronic format (word processor/e-mail/spreadsheet). Any electronic data is stored on private devices that in normal use are not accessible to the general public via the internet.


Guinness
