Effective Date: April 16, 2025
Owner: The Big Bun Theory (Operated by One Elysium Ltd)

1. Overview

We are committed to protecting personal and sensitive information handled in the course of business operations.

This policy outlines the protocols around how we manage, store, access, and dispose of all business data — including customer, supplier, employee, and operational data — in compliance with UK GDPRData Protection Act 2018, and industry best practices.

2. Scope

Applies to:

  • All digital and paper-based information
  • All employees, contractors, suppliers
  • Systems and tools including POS, Remy, payment processors, delivery platforms, HR systems

3. Data Classification

Data is categorised as:

  • Public: Menus, marketing content
  • Internal: Policies, non-sensitive employee data
  • Confidential: Customer records, order history, loyalty data
  • Restricted: Payroll, personal ID data, payment details

4. Data Handling & Storage

  • All customer and order data is stored via encrypted cloud platforms (e.g. Remy, Stripe, Square)
  • Employee records are stored in password-protected folders with access control
  • Internal systems are audited regularly for access and data sharing compliance
  • Personal devices used for work must have password or biometric protection

5. Data Access & Control

  • Only authorised personnel may access confidential/restricted data
  • Role-based access policies apply across digital systems
  • Third-party services (e.g. delivery partners) must be under data-sharing agreements

6. Data Retention

  • Customer data: 12 months after last transaction
  • Loyalty data: 365 days (as per loyalty policy)
  • Employee data: 6 years post-employment
  • Financial records: 6 years minimum (HMRC requirement)

7. Data Breach Response

  • Breaches are reported to the Data Controller within 24 hours
  • High-risk breaches are notified to the ICO within 72 hours
  • Affected parties will be contacted promptly with details and remediation steps

8. Employee Responsibilities

All staff must:

  • Undergo basic data protection training
  • Report suspicious behaviour or data access immediately
  • Avoid storing customer data locally or off-system

9. Policy Enforcement

Violations may lead to disciplinary action, including termination. Serious breaches may be reported to regulatory authorities.

10. Questions?

Email: hello@thebigbuntheory.com
Phone: 020 3305 6732