Laurence Ian Jewellery

Privacy Policy

We take privacy very seriously at Laurence Ian – we would never want to spam our clients or ruin any surprises. We therefore are committed to protecting the private information you supply us with. In cooperation with our Terms & Conditions, this Privacy Policy informs you what happens to your information, why we collect it, how we use it and how we store it.

Collection of personal information

In the course of its business, Laurence Ian needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.

This policy describes how this personal data is collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR).

We recognise that, not only must we comply with the principles of fair processing of personal data, we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed at all times by the Firm, its employees and all those within its scope as set out below.

Why this policy exists

This Policy provides help and guidance to our staff and managers in:

  • complying with data protection law and following good practice
  • protecting the rights of staff, clients, and business contacts
  • being open about how we use personal data and how we store it
  • protecting QS against the risks of both inadvertent and intentional data breaches

Scope of the policy

The Policy applies to all employees and contractors who are provided with access to any of our files and/or computer systems. Collectively these individuals are hereafter referred to as “users”. All users have responsibility for complying with the terms of this Policy. 

Data protection law – GDPR 

The GDPR regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers.

What does the law say?  

The GDPR contains a number of key principles which apply to the collection and processing of personal data and which underpin everything that follows. The key principles are set out below.

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Data minimisation

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Accuracy

Personal data shall be accurate and, where necessary, kept up to date

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Accountability

The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR

Key responsibilities

The Directors are ultimately collectively responsible for ensuring that Laurence Ian Jewellers meets its legal obligations and that this Policy is followed.

The Data Protection Officer is responsible for:

  • keeping the Senior Leadership Team updated about data protection responsibilities, risks and issues
  • reviewing all data protection procedures and related policies, in line with an agreed schedule
  • arranging relevant data protection training
  • handling data protection queries from staff and contractors
  • dealing with requests from anyone whose data we hold for access to that data
  • checking and approving any contracts or agreements with third parties that may handle our personal data
  • checking and approving any contracts or agreements with third parties whose personal data we may handle
  • ensuring that policies on processing, retention, storage and deletion of data are adhered to and relevant documentation is maintained to evidence compliance

The IT Manager is responsible for:

  • ensuring that all systems, services and equipment used for storing data meet acceptable security standards
  • performing regular checks to ensure that security hardware and software is functioning properly
  • evaluating any third-party services QS is considering using to store or process data, for example cloud computing services

The Marketing Director is responsible for:

  • approving any data protection statements attached to communications such as emails and letters
  • where necessary working with other staff to ensure marketing initiatives are compliant with data protection principles
  • ensuring that records of consents and withdrawal of consents to marketing are maintained.

Lawful, fair and transparent data processing

We are responsible for ensuring that any personal data we hold is processed in accordance with the principles laid out above. We are permitted to process data where one of the following legal bases applies:

  • the data subject has given their consent
  • the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering a contract with them
  • the processing is necessary for compliance with a legal obligation to which the data controller is subject
  • the processing is necessary to protect the vital interests of the data subject or another natural person. An example of this might be where we pass on information to the next of kin of an employee who is gravely ill

Other personal data

QS will adhere to the following principles:

  • QS collects and processes the personal data set out in H01-H05 below, this includes:
    o personal data obtained directly from customers
    o personal data obtained from staff
    o personal data obtained from suppliers
  • QS only collects, processes and holds personal data for the specific purposes set out in H01-H05 below
  • We keep data subjects informed of the purpose for which we process their personal data
  • Where personal data will be disclosed to third parties, we will only do so where we are legally required to do so, eg to HMRC or to money laundering authorities. We do not share data with third party organisations for marketing purposes
  • We will only collect and process personal data for and to the extent necessary for those specified purpose(s)
  • In respect of personal data that we collect and process, we will
    o keep it accurate and up to date
    o grant the data subject the right to rectify any inaccurate data in accordance with their right to do so
    o regularly check the data and ensure that all reasonable steps are taken to promptly rectify or delete any mistakes or inaccuracies as
    o not keep personal data any longer than is necessary bearing in mind the purpose(s) for which it was collected
    o take all reasonable steps to delete or dispose of any data which is no longer required promptly
    o take measures to ensure the security of the data in line with the measures set out below

Accountability and record keeping

QS will keep electronic internal records of all personal data collection, holding and processing, and this will incorporate the following:

  • name and details of employees, customers and suppliers
  • the purposes for which QS collects, holds and processes personal data
  • details of the categories of personal data collected, held by QS and the categories of data subject to which the data relates
  • details of the retention policy
  • detailed descriptions of all technical and organisational measures taken
    by QS to ensure the security of personal data.

Privacy by design – data impact assessments

Part of our duty is to ensure that in the planning of new processes or procedures which involve the use of personal data, we consider the impact of the changes and ensure that we have fully considered and complied with our obligations under the GDPR. We will always ensure that all such changes are designed and implemented in accordance with the Regulation, and that the DPO is consulted and their recommendations are taken into account in the planning and introduction of such changes.

In any situation where new technologies are being deployed and the processing of the personal data is likely to result in a high risk to the data subjects’ rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPO. This will deal with:

  • the type(s) of personal data that will be collected, held and processed
  • the purpose for which it is to be used
  • the Firm’s objectives in processing this data and making this innovation
  • how the personal data is to be used
  • internal and external parties to be consulted
  • why we need the data and how the collection of the data is proportionate to our need for it
  • what risks there are for data subjects
  • what risks the Firm runs, and
  • what measures we are proposing to minimise and protect against the

Providing information to data subjects

We are required to ensure that, when we collect and process personal data, the data subject is aware of the purposes for which this is being done, and what is happening to the data. We therefore will ensure that the following principles are

  • Where we collect personal data directly from the data subject, we will inform them of the purpose for which it is being collected if requested
  • All data subjects will be provided with the following information:
    o details of QS including the name of the DPO
    o why the data is being collected and processed, and the legal basis for this
    o details of data retention if requested
    o details of the data subject’s rights under GDPR, including the right to withdraw consent to processing at any time and the right to complain to the Information Commissioner’s Office (ICO)
    o details of any legal or contractual requirement which means that QS needs to collect this information and process it
    o details of any automated decision making or profiling that will take place using personal data, how the decisions will be made and their consequences

Data subject access

‘Subject Access Requests’ (SARs) can be made by data subjects where an organisation holds personal data about them. This can be done at any time, and the requests are made in order for the data subject to find out what data is being held, and what is being done with it.

  • such requests need to be made by the data subject in writing
  • they should be addressed to the DPO, who will deal with the request
  • QS will usually respond to them within one month, but we may need to extend it for a period of up to a further two months if it is a complex request or there are multiple requests. In that situation, the data subject(s) will be informed.
  • QS will not charge the data subject any fee for responding to the SAR, unless the subject is asking for multiple copies of data already supplied or unless the request is manifestly unfounded or excessive.

Rectification of personal data

Where a data subject informs us that data we are holding about them is inaccurate or incomplete and requests that it is corrected, we will rectify the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months.

Where the incorrect data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is

Erasure of personal data

Data subjects have a right to require the Firm to erase personal data held about them when:

  • the Firm no longer needs the data it is holding for the purposes for which
    it was originally collected
  • the data subject wishes to withdraw their consent to the Firm holding and
    processing the data
  • the data subject objects to the Firm holding and processing the data, and there is no overriding legitimate interest which allows us to continue to do so
  • the personal data has been processed unlawfully
  • the personal data needs to be erased in order for the Firm to comply with
    a particular legal obligation.

Where we are obliged to do so, we will erase the information and inform the data subject that we have done so, within one month of the request. Again, in complex cases, we may extend that period by up to two months, and again where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and that the data that they hold is erased.

Restriction of personal data processing

Data Subjects have a right to request that the Firm ceases to process any personal data that we are holding about them. If that takes place, we will only retain whatever personal data we need to ensure that no further processing takes place.

Objections to personal data processing

Data subjects have a right to object to us processing their personal data based on our legitimate interests or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject, or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.

Personal data, collected, held and processed

Type of Data: Personal details of employees, such as names, addresses, contact details, age, sex etc
Purpose: The administration of employment contracts

Type of Data: Personal details of clients, such as names, addresses, contact
Purpose: To communicate in relation to their purchase of our goods, i.e. specific product queries and collection dates. To market our services to clients, in accordance with the GDPR

Type of Data: Education and Training details of our prospective employees, employees and contractors
Purpose: Collected in the course of recruitment with a view to selection, and maintained to track their career progression

Type of Data: Financial Details of employees and contractors, ie matters related to income and payroll, tax details, expenses claimed, pensions
Purpose: Collected and maintained in order to ensure timely and accurate payment of staff, and proper accounting for tax purposes

Type of Data: Personal details of suppliers such as names, addresses, contact
Purpose: To communicate in relation to our purchase of their goods or services

Data Storage and General Security

  • all electronic copies of personal data are stored securely using privilege
    levels and passwords
  • regular password changes will be enforced and the number of logins will
    be restricted
  • passwords are never written down or shared between any employees,
    agents, contractors or other persons working on behalf of QS, no matter
    what their level of seniority.
  • computer equipment belonging to QS will be sited in a secure location
    within the office and in a position where it cannot be viewed by
    members of the public
  • computer terminals must not be left unattended, and should be logged off
    at the end of the session
  • personal data is backed up daily and is stored offsite and where
    appropriate is encrypted
  • all software is kept up to date and it shall be iSOS who are responsible
    for ensuring that all security-related updates are installed promptly,
    unless there are valid technical reasons for not doing so
  • no software is installed on the QS system without the prior approval of
    the Managing Director
  • personal data should not be stored on any mobile device such as
    laptops, tablets and smartphones without the approval of the DPO and,
    where it is held, only in accordance with his or her instructions and
  • personal data must never be transferred on to an employee’s personal
    device and we will never transfer such data onto a device owned by a
    contractor or agent unless they have agreed to comply fully with the letter
    and spirit of this Policy and with the GDPR
  • computer print outs containing personal information should be destroyed
    without delay
  • where personal data is to be erased, or otherwise disposed of, this will
    be done in accordance with the  Data Retention Policy.

Access to personal data

In relation to accessing personal data:

  • employees must never access data either on a computer or in paper form, without having authority to do so
  • personal data must not be shared informally and if an employee, agent, contractor, or any other third party wants access to the data, it must be formally requested from the DPO
  • personal data must be handled with care, and should not be left unattended or in view of unauthorised employees, contractors or agents whether on paper or on a screen
  • where personal data held by QS is being used for internal marketing
    purposes, it is the responsibility of the sales staff to ensure that
    appropriate consents are obtained.

Organisational measures

The Firm will take the following steps in relation to the collection, holding and processing of personal data:

  • all employees, contractors or other parties working on our behalf will be
    made fully aware of their individual responsibilities, and the
    responsibilities of the Firm, in relation to data privacy and the GDPR and
    they will be provided with a copy of this Policy in respect of these individuals and of personal data held by QS
  • only those persons who need access to particular personal data in
    order to complete their assigned duties will be granted such
  • all persons will be appropriately trained and supervised in handling
    personal data
  • all persons will be encouraged to exercise caution in discussing 
    work related matters within the workplace
  • our methods of collecting, holding and processing data will be regularly
    evaluated and reviewed and the personal data held by QS will be
    reviewed periodically, as set out in our Data Retention Policy
  • we will keep the performance of our contractors under review and, not
    only will we ensure that they are required to handle personal data in
    accordance with the GDPR and our Policy, but we will also ensure that
    they are held to the same standards as our own employees both
    contractually and in practice
  • where any contractor fails in their obligations under this Policy, we will
    ensure that they are required to indemnify us for costs, losses, damages
    or claims which may arise as a result.

Data breach notification

All personal data breaches must be reported immediately to the DPO.

If such a breach occurs, and it is likely to result in a risk to the rights and freedoms of data subjects, eg financial loss, breach of confidentiality or reputational damage, the DPO is required to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO also needs to ensure that the data subjects affected by the breach are informed directly and without undue delay. The following information must be provided:

  • the categories and approximate numbers of data subjects affected
  • the categories and approximate numbers of personal data records concerned
  • the name and contact details of the Firm’s DPO
  • the likely consequences of the breach
  • details of the measures taken, or proposed, to deal with the
    consequences of the breach.

Implementation of the policy

This Policy is effective as of 30 May 2018. No part of the Policy is retrospective in effect and applies to matters occurring on or after 25th May 2018.