1. Introduction
1.1 Johnston Motor Services is fully committed to compliance with the requirements of the General Data Protection Regulation 2018 (GDPR), which replaces the Data Protection Act 1998. We look at procedures that aim to ensure that all employees, customers, contractors, and others who work with the company, and have access to any personal, confidential or
financial data held by or on behalf of the company, are fully aware of and abide by their duties and responsibilities under the Regulation.

1.2 In order to operate efficiently, Johnston Motor Services has to collect and use personal and financial information about customers with whom it works. Apart from staff, these may include customers, current, past and prospective employees, contracting organisations and suppliers. In addition, it may be required to collect and use information in order to comply
with the law and to meet governmental requirements. This information must be handled and dealt with effectively and securely to ensure compliance with the legislation, regardless of how the data is collected, recorded and used.

1.3 Johnston Motor Services regards the lawful and correct treatment of personal and financial information to be of paramount importance in relation to the success of its operations. Maintaining the confidence of customers, suppliers and third party contractors is fundamental to the proper day to day running in accordance with the legislative framework,
in particular the principles of General Data Protection Regulation, which comes into force in May 2018.

1.4 Non-compliance with this Data privacy statement is a serious matter likely to damage the reputation of Johnston Motor Services. Loss of personal data can result in adverse publicity and financial implications of fines and loss of contracts. Care needs to be taken to ensure that all information is stored and destroyed appropriately, and that portable IT equipment is kept safe and in the possession of the user/owner at all times.

2. The General Data Protection Regulation 2018

2.1 The GDPR is concerned with the processing of personal data, which can include HR records, customer lists or details, and contact information, including IP addresses. The Regulation applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. It should be noted that personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

3. GDPR Principles
3.1 The principles that apply to all data collected by the company are that it is:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes inthe public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures requires by the GDPR in order to safeguard the rights and freedoms of individuals;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3.2 Under the Regulation there are clear accountability responsibilities and these rest with a designated data processor and data controller. The data controller is the company director who decides how and why personal data is processed and ensures that the staff member, who acts as the data processor, complies with the Regulation in relation to the processing activity
and, maintaining and safeguarding records of personal data. Certain sensitive information such as financial data receives particularly strong protection.

3.3 The data processor, as part of the maintenance of processing activities, has the duty of documenting the personal data held by Johnston Motor Services together with detailing where it has come form and who it is shared with. The legal basis for collecting personal data needs to be identified and noted. Consent to hold personal data needs to be sought and the
individual or representative must be informed of the intention in an unambiguous way.

Consent must be given freely and the opt in commitment needs to be evident. Withdrawal of consent should be a simple, open process. (A checklist is available on the ICO’s website). Personal data is to be provided in a structured, commonly used and machine-readable form. If any inaccurate information is shared, the organisation which has received the data will need to be told.

3.4 Under the Regulation, individuals have to be informed of any personal data held about them and be able to access it. They also have right to rectification and erasure of data together with the right to restrict processing and portability of personal information. The latter only
applies in circumstances when processing is carried out by automated means and where an individual or representative has consented to the processing and provided the data to a controller. In addition an individual can object to the holding of personal data and request not
to be subject to automated decision making, including profiling.

3.5 There is a legal requirement on Johnston Motor Services to provide individuals with any information held in respect of them and this can be obtained following a written request. In most cases this is provided free of charge and must be suppled within one month. If a request is unfounded or excessive, it may be refused or a charge may be levied. An explanation has to
accompany any refusal together with details of right to complain and be done within one month.

3.6 In some situations personal information can be revealed to other parties. These are situations that relate to the prevention, detection and investigation of crime; national security or the armed forces; assessment or collection of tax; and judicial or Ministerial appointments, and this giving of this information can be withheld from the individual. There is no obligation
to give the reasons for withholding such information.

3.7 Processes need to be in place to detect, report and investigate any breaches of data protection. Certain types of data breaches, such as those likely to result in a risk to the rights and freedom of the individual, are to be reported to the ICO and, in some high risk cases directly to the individual concerned. Failure to report a breach could result in a fine, as well
as a fine for the breach itself.

3.8 In cases where a person considers that personal data has been used inappropriately, there is the right to complain to the organisation concerned. If the response is unsatisfactory, representations can be made to the Information Commissioner’s Office (Telephone: 0303 123 1113 or ).

3.9 Under the Regulation, privacy by design is a legal requirement and Data Protection Impact Assessments are mandatory where data processing is likely to result in high risk for the individual.

4. Handling Personal and Sensitive Information
4.1 Johnston Motor Services undertakes to:

  • Observe fully conditions regarding the fair collection and use of personal information;
  • Meet its legal obligations to specify the purpose for which information is used;
  • Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • Ensure the quality of information used;
  • Apply strict checks to determine the length of time information is held;
  • Take appropriate technical and organisational security measures to safeguard personal information;
  • Ensure that personal information is not transferred abroad without suitable safeguards; and
  • Ensure that the rights of customers about whom the information is held can be fully exercised under the Regulations.

4.2 The Company Director is responsible for the protection of data held by the company. All staff who process and manage personal and financial information are to familiarise themselves with and abide by this policy. Appropriate training in data protection is provided to all staff members to ensure they are familiar and comply with their responsibilities under
the Act. This takes place at the induction stage following which staff and board members receive communications reminding them of their responsibilities and providing updates.

4.3 The Company Director also has the responsibility of ensuring that all personal data collected is relevant and adequate for the purpose, and not excessive. Information should only be gathered for legitimate business reasons.

4.4 Data must be securely disposed of in line with the statement and policy, and the Company Director should maintain a disposal plan and log details of any destroying of information.

4.4a Johnston Motor Services uses CCTV cameras on the premises. These cameras face outside onto the entrance and within the workshop. Images are collected purely for security purposes to prevent burglaries. The images are kept on hard drive and these images are overwritten every 30 days, so no footage is stored longer than 30 days. The only time footage would be kept for longer is in the event of a crime being committed against the
business and then it would be passed onto the police. There are notices onsite to warn people that CCTV cameras are in use, which alerts people and gives them the opportunity to make a request for a copy of the footage, should they wish it under the Freedom of Information Act.

4.5 It is the Company Director’s responsibility to implement this policy and monitor staff compliance with it. The policy is approved by the Board of Directors, who have responsibility and ensure that the Company Director regularly reviews and updates the policy in the light of experience.

4.6 This Data privacy statement is supplemented with the attached Information Security Policy to provide transparency to staff, suppliers, third party contractors and customers about why and how data is collected and used and how the process complies with the principles of the Regulation.

4.7 If anyone wants to enquire about the handling of personal information, they are asked to either write or email the Company director, who is the designated, lead person on data privacy statement. The contact details are:

David Francis
Johnston Motor Services
Unit 17
Brickhurst Business Park
Haverfordwest SA62 3BP

There is no fee for handling the request, provided it is not vexatious.

4.8 The Company director will respond fully to all enquiries, normally within 28 working days and include the attached Information Security Policy. All requests for personal and financial information will be processed in accordance with the company policy.

4.9 All directors and staff within the organisation are required to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular ensure that:

  • Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
  • Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
  • Individual passwords should be such that they are not easily compromised.

4.10 All contractors, third party contractors or other servants or agents of the company must:

  • Ensure that they and all their staff who have access to personal data held or processed for or on behalf of the organisation, are aware of this policy and are fully trained in their duties and responsibilities under the Act. Any breach of the Regulation’s provisions will be deemed as being a breach of contract between the company and that individual, company, or firm;
  • Allow data protection audits by the organisation of data held on its behalf (if requested);
  • Indemnify the organisation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

4.11 All contractors, who are users of personal information supplied by the organisation, will be required to confirm that they will abide by the requirements of the Regulation with regard to information supplied by the organisation.

5. Business Compliance
5.1 To be fully compliant the following needs to be in place:

  • An appropriate information security statement
  • A nominated data protection lead
  • Staff and others provided with data protection awareness training.
  • The company is registered with the ICO
  • Privacy statements are readily available to individuals
  • Processes are in place to recognise and respond to individuals’ requests to access their personal data.
  • Processes have been established to ensure personal data is of sufficient quality to make decisions about the individual’s requirements
  • A process is in place to routinely dispose of personal data that us no longer available within set timescales.
  • An Information Security Policy is in place together with appropriate security measures.
  • There is an adequate level of protection for any personal data processed by others on your behalf or transferred outside the European Economic Area.
  • A process has been set up to ensure new projects or initiatives are privacy proofed at the planning stage.

5.2 Further compliance information is available at