top of page

Data Protection, Privacy & GDPR Policy


Policy became operational on:01/07/2020 Planned review date: 01/07/2023. Complies with data protection law and follow good practice. Protects the rights of staff, customers and partnersIs open about how it stores and processes individuals and businesses data. Protects itself from the risks of a data breach


Data Protection, Privacy & GDPR Policy


The Data Protection Act 1998 describes how organisations including Lotties Loft & Boutique must collect, handle and store personal and business information.

These rules apply regardless whether data is stored electronically, on paper or other formats or materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by seven important principles. They say that personal and business data must:

1. Be processed fairly and lawfully

2. Be obtained only for specific, lawful purposes

3. Be adequate, relevant and not excessive

4. Be accurate and kept up to dateNot to be held for any longer than necessary

5. Processed in accordance with the rights of data subjects

6. Be protected in appropriate ways

7. Not to be transferred outside the European Economic area (EEA) unless that country or territory also ensure adequate levels of protection

People, risks and responsibilities

Policy scope

This policy applies to;  


Lotties Loft & Boutique . All staff, volunteers and customers. All contractors, suppliers and others working on behalf of the company. Copies of these polices are available

Data Protection Policy

on request.



Data Protection, Privacy & GDPR Policy

Policy scope cont’d

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include;


Names of individuals

Postal addresses

Email addresses

Telephone numbers

Banking data

Documents such as drivers’ licenses/passportsImages taken whilst on premises

Breaches of confidentiality. For instance, information being given out inappropriately

Failing to offer choice.  For instance, all individuals will be free to choose how the company uses data relating to them.

Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.



Data Protection, Privacy & GDPR Policy


The Company Owner is ultimately responsible for ensuring that Lotties Loft & Boutique meets its legal obligationsThe Data Protection Officer, Collette Lee is responsible for;


Keeping the team updated about data protection responsibilities, risks and issues.

Reviewing all data protection procedures and related policies, in line with an agreed schedule.

Arranging data protection training and advice for the people covered by this policy.

Handling data protection questions from staff and anyone else covered by this policy

Dealing with requests from individuals to see the data that Lotties Loft & Boutique holds about them.

This is also called ‘subject access requests’) Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.Ensuring all systems, services and equipment used for storing data meets acceptable security standards.

Performing regular checks and scans to ensure security hardware and software is functioning properly.

Evaluating any third-party services, the company is considering using to store or process data, For instance, cloud computing servicesApproving any data protection statements attached to communications such as emails and letters.

Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles


General staff guidlines

The only people able to access data covered by this policy will be those who assist in fulfilling contracts.

Data will not be shared informally. When access to confidential information is required, employees can request it from the business owner.Lotties Loft & Boutique will provide training to all employees, as necessary, to help them understand their responsibilities when handling data. Employees will keep all data secure, by taking sensible precautions and following the guidelines belowIn particular, and they will never be shared. Personal to unauthorised people, either within the company or externally unless it is a lawful request for data. Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Data storage

These rules describe how and where data will be safely stored. Questions about storing data safely can be directed to the business owner.

When data is stored on paper, it will  be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

When not required, the paper or files will be kept in a secure cabinet off site. Data printouts should be shredded and disposed of securely when no longer required


When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts;


Data should be protected that are changed regularly and never shared between employees.If data is stored on removable media such as a CD or memory stick, these should be kept when not being used. Data should only be stored on, and should only be uploaded to secure area. Those backups should be tested regularly, in line with the company’s standard back up procedures. All clouds and computers containing data should be protected by Data use

Personal data is only used by Lotties Loft & Boutique to fulfill the customer contract. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

Personal data will not be shared informally.

Data must be encrypted before being transferred electronically. Personal data should area.


Data accuracy

The law requires Lotties Loft & Boutique to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data accurate, the greater the effort Lotties Loft & Boutique should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.


Data will be held:-


Staff should not create any unnecessary additional data sets. Staff should take every opportunity to  for instance, by confirming a customer’s details when they call. Lotties Loft & Boutique will for data subjects to update the information Lotties Loft & Boutique holds about them. Data should be, For instance, if a customer can no longer be reached on their stored telephone number, it will be removed from the database.It is the business owners’ every 6 months

Subject access requests

All individuals who are the subject of personal data held by Lotties Loft & Boutique are entitled to ask what information the company holds about them and why.


If any individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to the business owner. The business owner can supply a standard request form, although individuals do not have to do this. The business owner will always verify the identity of anyone making a subject access request before handing over any information

Disclosing data for other reasons:-

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Lotties Loft & Boutique will disclose requested data. However, the business owner will ensure the request is legitimate, seeking assistance from the police as and where necessary.

Providing information

Lotties Loft & Boutique aims to ensure that individuals are aware that their data is being processed, and that they understand;

  • How the data is being used

  • How to exercise their rights

  • What do we store and how

  • What information do we collect, how do we use it and store it?

  • Customer contact details including mobile numbers, addresses and email.

We collate customer details as follows.

Personal information (such as name, date of birth, email, mobile number, address and postcode) Useage information (such as how often you use the services and which services) We collect and use personal information to keeping contact with our clients, suppliers and staff. The collected data is stored electronically on our secure cloud invoicing system, website and mailchimp for information forwarding and to fulfill our contract to our clients. The electronic data is secure and offsite. Any paper data is secured in locked filling cabinet to which only the business owner or data trained staff has access. The information is only used in order to complete the service of lotties Loft & Boutique and its’ collection and important information sharing. We only use this information to send internal marketing and business specific emails, which can be opted out of at any time. This information is not imparted to any other companies for marketing purposes.

This information may be used without consent with relevant authorities such as police, where a criminal act is believed to have been undertaken this includes stored CCTV IMAGES for example shop lifting or criminal damage.

Your Rights

Under the GDPR you have rights which you can exercise free of charge which allow you to:


  • Know what we are doing with your information and why we are doing it

  • Ask to see what information we hold about you (Subject Access Request)

  • Ask us to correct any mistakes in the information we hold about youObject to direct marketingMake a complaint to the Information Commissioners Office

  • Withdraw consent (if applicable) 


Depending on our reason for using your information you may also be entitled to:


  • Ask us to delete information we hold about you

  • Have your information transferred electronically to yourself or to another organisation

  • Object to decisions being made that significantly affect you

  • Object to how we are using your information

  • Stop us using your information in certain ways 

  • We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioners Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise a right, please contact Collette Lee


Staff Information

Information held on staff may include drivers’ licenses, bank details, contact details, conviction information, disciplinary information and contact details for their emergency contacts. This is stored both electronically and on paper securely

We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis for each activity.


Personal data being held on staff for HR and Payroll – as in order to fulfill our staff contracts including bank details for payroll. This is held on paper securely as detailed within this policy.

Client information held - the data we hold in order to fulfill our contract to supply our services, keep staff and clients safe and supply account information for payment. Without this information we could not provide a service.Newsletter – the data we hold in order to inform our clients of important product and business information.

Consent has been requested with an opt out selection.

Suppliers of goods - information is held in order to mange goods processing and payments to fulfill our contract. This may include accountant.CCTV - the processing and storage of CCTV images is necessary in order to protect both staff and customers of Lotties Loft & Boutique

Emergency Staff Contacts - We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other way to achieve that purpose.


We have documented our decision on which lawful basis applies to help us demonstrate compliance. We have included information about both the purposes of the processes and the lawful basis for the processing in our GDPR and Privacy Policy.

bottom of page