GDPR for florists and flower shop owners
Philipa Jane Farley spoke at our Shouting Above The Crowd – A Business Conference for Florists on June 10th 2018
These are just some of the points Philipa covered on the day:
All Flower businesses must have an Internal Data Protection Policy
This is a formal document
It includes your processes for collecting and processing data
All Flower Business Must Have A Privacy Policy or A Privacy Notice
Plain Simple English
Details what Data you collect
What are you doing with the Data
How Long are you holding the Data for?
Who else has access to this Data
If you take any details of any person online/ by email / in writing – they must tick to accept your privacy policy
If you have no Online presence you must have a hard copy privacy policy available for those that wish to see it. Make them aware you have it available
Subject Access Request
When a customer, staff member or any other person asks what personal data, if any, you have about them
Paper – Digital – Film (cctv) – photo – email conversations concerning them (if they are identified)
You have 30 days to collect any data about them and present it to them.
Beware of internal or external emails about any person – if a staff member leaves and tells a person you were talking about them internally, they can make a subject access request. If you don’t include those conversations that they are aware are there, it is a €50000 fine or 5 years in jail (don’t talk about people in a recordable way).
Your supply chain – When you need to pass on a person’s data to a third party, this information also needs to be included
Your delivery person will have the personal data of the recipient of a bouquet of flowers
Your website person / company have access to any data collected on your website
If you have recordable CCTV in your shop you may have visual data of your customers
Exercise:
Go through with your staff the process of a bouquet of flowers being processed
Phone Order – Write Down Details in Book – Pass details of flowers to staff member- process credit card payment – Write the address of the recipient on the card – pass the order to the delivery driver, who will deliver the flowers
At least 3 people have handled the data of the recipient of the bouquet of flowers
Now what happens to this data??
The Note book?
Credit Card Information must be shredded immediately after the order has been processed
Sender's information may be entered into the computer until the flowers have been delivered – part of your policy should state that senders' details will be kept on file for 7 days, just in case there is an issue with the order – after 7 days it must be deleted
Recipient's information – this information may be entered on the delivery docket and the delivery card – the delivery driver must sign a privacy agreement not to share the information in the docket or cards. The driver should confirm that they return the docket to you for shredding or that they will shred it themselves.
Recipient's information may be entered on the computer and kept on file for 14 days in case there is an issue, then trashed.
How long you decide to hold onto the Data is entirely up to you, only you can decide what works best for your business, but the length of time must be stated in your privacy policy
You must be able to justify why you are holding the information for a length of time.
Best Practice for Flower Shop Deliveries
The delivery driver has a numbered list. Each number correlates to the recipient's address and phone number, and this number is on the delivery envelope
There is no data on show in the shop as the bouquets are lined up, or in the delivery van
There is now only 1 page with customers' data – easier for destroying
Keeping Data For Revenue Purpose
Only keep what Revenue needs to know
They don’t need to know the name and phone number of the wedding couple
They don’t need to know who sent a bouquet of flowers
They don’t need to know who received flowers from your shop
What Revenue does need to know is:
The amount of flowers bought in for a wedding, how much they cost, how much they sold at and if there was any waste
How many flowers were bought in
How many bouquets were sold
Best Practice for Record Keeping for Weddings
In your wedding Orders keep two job cards
One with all the personal information needed for the wedding, Couples Names, Contact Details
One with the flower order, the date of the wedding the location of the wedding
If your policy is that you delete personal wedding data after 12 months, you just delete the job card with the personal details. If you wish to keep the other for revenue / for reference, that job card has no personal information on it.
It is advised that GDPR is initially going to add 20-30% extra time to processing orders etc. until staff become more familiar with it. This will reflect in your profits.
Data Breach
What is a data breach?
Losing a file with a customer’s personal data on it
Leaving a bouquet of flowers on display in the shop with a customer’s delivery details on it
Having an order book in the shop that can be seen by a member of the public
Having a list of deliveries on the seat in a van for people to see
Repeating a person’s personal details back to them over the phone while someone else can hear
Hacking of an email account / website
Losing your phone/ tablet / laptop
Taking a customer order while there is someone else in the shop
Talking about a customer order to non-staff members
Data Breach Form Can Be Found Here
Best Practice for a Flower Shop or Florist to protect customers' data.
Keep all data that you are carrying with you in a lock box in your van, or a locked brief case
Use Delivery Numbers on Bouquets on display in your shop – no names or addresses on cards
Have a consultation area to take bookings or ask the customer if they are happy to discuss and give their details in a public area
Print up a form that the customer can fill in her details herself in private if she wishes
Ensure your delivery van / driver has a locked place to store delivery addresses
Email conversations you need to keep on file (wedding bookings) – save as pdf and delete the emails. Do this regularly. Each customer has a file and it is dated, so you will then know when you need to trash it
Get into the habit of NOT repeating back credit card numbers / phone numbers and addresses. Ask the customer to repeat instead.
Have the facility on your phone / tablet / laptop to be able to wipe it remotely
Do not say anything about anyone that you don’t want them to see if they request their data from you.
Check out dataprotection.ie
Some questions that were asked by florists attending the day
A customer orders a bouquet to be sent to someone anonymously. If the recipient wants details of who sent it, do we have to tell them?
Yes we absolutely do, they need to know where you got their data to send them flowers
I've lost my phone, but I could wipe it immediately. Do I need to notify my customers?
No, you have removed the breach by deleting it immediately
My staff member has opened her own business and has taken a copy of some of my clients’ data.
If she has signed a contract which included agreeing to your privacy policy, you can take legal action against her, but you will still have to notify all of your customers of the data breach and the action you are taking.
How should myself and my staff take credit card numbers over the phone?
Do not repeat back any of the customers data or card numbers, ask the customer to repeat the information to you to confirm details.
Someone has emailed me about a wedding booking, and I email her back the details and quotations. Can I follow up in a few weeks’ time on this enquiry?
Yes, but don’t save the information in the emails; save it to a pdf in a folder for follow up in one month’s time. Delete the client’s details from your email (in case of data breach). One month later go to your pdf folder and send her a follow up email. If she does not reply, good practice would be to delete this contact and any personal data.
I have a mailing list for my customers that I have had for years, can I still email them with offers?
Yes, you can, but use a mailing package like Mailchimp which gives the customer the option to opt out and no longer receive emails from you. It is hard to keep a record of this on an Excel sheet, so using Mailchimp is great; it is free for up to 2000 emails.
Philipa gave a great tip to us all – if you send an email to someone would they be surprised to get that email? Would they wonder where that email came from? Would they wonder how you got their email address? If they answer yes to any of these, you are breaking GDPR laws.
Only email or text those who want to hear from you, but always give the option to Opt Out.