GDPR - are we affected?

movietub

Going through the regs (trying to remain awake..), really struggling to see how any of it applies to the site I run, but have also seen other comparable sites running pop-ups about privacy...

The site is just a very basic corporate presentation for our services. There is no 'sign-up' option or facility, it's essentially just a set of pages outlining what we do and how to contact us. We don't have members and the only data we keep is the gmail list of our contacts. Our only marketing is adwords.

So... do we need to do anything to comply? Our only contact is by people emailing or calling us. We don't run any database of customers or CRM etc. I don't actually know anything about anyone that makes contact other than how to get back in contact if they explicitly invite a response.

I guess equivalent to running a yellow pages ad with an email address and phone number. Would a window cleaner with a yellow pages ad need to worry about GDPR? That is effectively our position. Advertise>quote if people ask for a quote.

Any input appreciated.
 

cjd

    Everybody that holds personal data is subject to GDPR.

    But for your particular business it's quite a minimal issue. You just need to store data safely and delete it when it is no longer useful. You need to have shown that you've considered the personal data you use and create a short privacy policy saying what you do with it. In your case it seems just storage and deletion.

    tony84

    Do you have anything like google analytics?
    You hold email addresses.
    Presumably you hold names of companies and individuals at the companies? Either directly (through a CRM) or indirectly via emails.
    You probably hold names/phone numbers?
    Folders on your computer(s)?
    Employees also?

    You could probably do with having something in place, not just a privacy policy but also some sort of register. If the ICO came in and asked what data you hold on individuals, where it is stored, how you remove it, how you know it is secure - you could hand them that.

    To be honest, it probably sounds a lot more complex than it is.

    movietub

    Everybody that holds personal data is subject to GDPR.

    But for your particular business it's quite a minimal issue. You just need to store data safely and delete it when it is no longer useful. You need to have shown that you've considered the personal data you use and create a short privacy policy saying what you do with it. In your case it seems just storage and deletion.

    So to go back to my window cleaner analogy... If they have a basic website with a list of services and an email address and telephone number, what would they need to do if anything? I'm using the analogy just to simplify things as much as possible.

    And does having someone's email address simply because they emailed me to ask a price for something constitute 'storage'? Of course gmail stores it automatically, but they have their own policy and protection in place. It seems like having received an email from someone is no more 'storage' than my phone's memory of who called me and when. Yup, it's stored I guess... But only for future reference should the same person get back in touch.

    GDPR seems to state that anyone who stores information is affected. If we include anyone with an email address on their website, that's everyone surely?

    movietub

    Do you have anything like google analytics?
    You hold email addresses.
    Presumably you hold names of companies and individuals at the companies? Either directly (through a CRM) or indirectly via emails.
    You probably hold names/phone numbers?
    Folders on your computer(s)?
    Employees also?

    You could probably do with having something in place, not just a privacy policy but also some sort of register. If the ICO came in and asked what data you hold on individuals, where it is stored, how you remove it, how you know it is secure - you could hand them that.

    To be honest, it probably sounds a lot more complex than it is.

    My worry is that right now we just have emails sent/received, as any business has. If I create a register or start organising it to schedule for deletion in the future... surely I begin to do the sort of thing that would require more policy at my end?

    I can see that we should make some effort to review, just to show we have checked that our email provider is compliant and to make a statement that we don't process any data or use for marketing etc. And to let people know how to make contact to request data deletion. I really don't want to delete old emails just because time has lapsed though, or ask for permission to not delete the email. The reality is we have projects that we quote initially and then hear back about 5 years later! So we don't want to be clueless as we deleted an old email for no particular reason.

    tony84

    Until GDPR kicked in, I never deleted an email. I had about 12,000 of the things.
    GDPR is basically making you think about the data you hold. The reality is some of those emails are 3-4 or 5 years old and were enquiries I received that never went anywhere. Why would I need to keep the data (email address and the contents of the email) from a potential enquiry that never went anywhere? The same goes for storing a phone number.

    So you need to have a policy in place that says how you will manage people's data. I receive that many emails and it could take months from initial enquiry to proceeding to an application, so I took the view that basically anything over a certain age will get deleted once annually. It is not perfect but it ensures I am not keeping hold of people's details for 3-4 years without reason.

    All in I have:
    - A privacy policy,
    - A process documented for removing data,
    - A table with the following headers:
    Where is data held - folders on PC/Server/CRM.
    Data held - personal information/name/number/ invoices
    Source of data - customer?
    Location - PC/Servers in the EU/Paper
    How is it used - to generate quotes?
    Who has access - you? all staff?

    I do also have things on file from our CRM company and web hosting to confirm that they have told us data is stored in the EU.

    There is no major work involved once you have done the initial assessment. Yes, you need to do some extra work, in my case, I have to actively go and delete emails over a certain age. But I do it once a year and it takes 20 minutes.

    I am in a heavily regulated industry and the reality is there is not much work involved. You just need to show you are actively thinking about people's personal data.

    I get the impression you think an email is not a very important piece of personal data, but it can be. Most people will use that to log in to accounts (shopping accounts, back office systems...email accounts), it will probably have their name and in the signature may also have their address if they work from home and phone number. It will also possibly have an IP address and so on in addition to whatever else is in the body of the email.

    I am not saying what I have is perfect, but, having read their site, I feel confident that if the ICO came down I have covered a lot of it off and for a small business I can show I have made an active effort to comply.

    movietub

    Until GDPR kicked in, I never deleted an email. I had about 12,000 of the things.
    GDPR is basically making you think about the data you hold. The reality is some of those emails are 3-4 or 5 years old and were enquiries I received that never went anywhere. Why would I need to keep the data (email address and the contents of the email) from a potential enquiry that never went anywhere? The same goes for storing a phone number.

    So you need to have a policy in place that says how you will manage people's data. I receive that many emails and it could take months from initial enquiry to proceeding to an application, so I took the view that basically anything over a certain age will get deleted once annually. It is not perfect but it ensures I am not keeping hold of people's details for 3-4 years without reason.

    All in I have:
    - A privacy policy,
    - A process documented for removing data,
    - A table with the following headers:
    Where is data held - folders on PC/Server/CRM.
    Data held - personal information/name/number/ invoices
    Source of data - customer?
    Location - PC/Servers in the EU/Paper
    How is it used - to generate quotes?
    Who has access - you? all staff?

    I do also have things on file from our CRM company and web hosting to confirm that they have told us data is stored in the EU.

    There is no major work involved once you have done the initial assessment. Yes, you need to do some extra work, in my case, I have to actively go and delete emails over a certain age. But I do it once a year and it takes 20 minutes.

    I am in a heavily regulated industry and the reality is there is not much work involved. You just need to show you are actively thinking about people's personal data.

    I get the impression you think an email is not a very important piece of personal data, but it can be. Most people will use that to log in to accounts (shopping accounts, back office systems...email accounts), it will probably have their name and in the signature may also have their address if they work from home and phone number. It will also possibly have an IP address and so on in addition to whatever else is in the body of the email.

    I am not saying what I have is perfect, but, having read their site, I feel confident that if the ICO came down I have covered a lot of it off and for a small business I can show I have made an active effort to comply.

    All makes sense (although in our case we do sometimes refer to ten year old emails - for example, if we wanted to recall how we approached a technical problem back then). But I can see that if the information is stored securely and not used for any purpose than a record of work done/discussions had, then the risk/impact to our clients is zero. I see also that we simply need to demonstrate that we have reviewed our practices and can demonstrate the above. Essentially risk and method statement for data then...

    Do you have those annoying pop-ups about it on your site? I'd really like to avoid that if possible. They really frustrate me when I'm looking for info on websites via my phone!!

    tony84

    I do not have an annoying pop up, I probably should but there is a link to our privacy policy on every page. With my technical skills, that is the best I could do.

    I think the 10 year old emails should probably be deleted - I understand you want to keep the technical information which is fine, but could that information not be copied into, say, a Word document or spreadsheet with the customer's details stripped out?

    You might need the information within the email, but you probably have no use for the customer's details to be in there. Think about it from the customer's perspective - why are you holding my personal details from 10 years ago when you have no need for them?

    There is no requirement to delete emails, but if questioned, you need to be able to justify why you hold personal information.

    movietub

    I have all my emails. I won't be deleting any of them. I'm going to archive them with a password, which like the others I will immediately forget after about a week. If I can't get to them, then they're secure.

    That's a good plan. I'm left feeling that really general enquiry/business emails should have been exempt from such considerations though (beyond basic good practices). Obviously all businesses have emails discussing water rates, tax strategy, customer enquiries etc. I can see if I was using data to send marketing emails, or making the data available to others, it would be very different. That's surely the real driving force behind the new regulations. Yet once again, the red tape follows the letter of the law, not the spirit of it :rolleyes:

    cjd

    So to go back to my window cleaner analogy... If they have a basic website with a list of services and an email address and telephone number, what would they need to do if anything? I'm using the analogy just to simplify things as much as possible.

    They don't need to do anything if they're not collecting or processing data.

    And does having someone's email address simply because they emailed me to ask a price for something constitute 'storage'? Of course gmail stores it automatically, but they have their own policy and protection in place. It seems like having received an email from someone is no more 'storage' than my phone's memory of who called me and when. Yup, it's stored I guess... But only for future reference should the same person get back in touch.

    If you store or process ANY personal data, you're in scope for GDPR. But obviously just having some emails on your phone is not that big a deal.

    GDPR seems to state that anyone who stores information is affected. If we include anyone with an email address on their website, that's everyone surely?

    Yup.

    movietub

    I do not have an annoying pop up, I probably should but there is a link to our privacy policy on every page. With my technical skills, that is the best I could do.

    I think the 10 year old emails should probably be deleted - I understand you want to keep the technical information which is fine, but could that information not be copied into, say, a Word document or spreadsheet with the customer's details stripped out?

    You might need the information within the email, but you probably have no use for the customer's details to be in there. Think about it from the customer's perspective - why are you holding my personal details from 10 years ago when you have no need for them?

    There is no requirement to delete emails, but if questioned, you need to be able to justify why you hold personal information.

    The reason we can't copy the useful info is that we have no idea what could become useful in the future. Right now I'm working on a project in Germany, and in 2007 I worked in the same venue in Germany. It's very out of date now of course, but the old haulage quotes we got then were enough to be able to guesstimate approx cost, not to mention the time for the trucks to make the trip, and reading back it reminded me that in Germany, all items on an open-sided truck must be placed on rubber pads to avoid slippage. I can honestly say that until yesterday, I would not have ever expected to read that email again. But why should I not refer back to a service I used 11 years ago, in order to be best informed going into the same situation today? It seems reasonable, sensible.

    So I suppose, that is my justification right there..

    tony84

    There are emails I will be keeping forever and a day. Especially in this industry where we can receive a complaint 30 years down the line, we need to hold information to defend that complaint.

    If we did not go with the cheapest lender for example, but the customer said in an email they wanted the quickest rather than cheapest - we hold that on file. But I take it out of my email server and save it to their folder.

    movietub

    They don't need to do anything if they're not collecting or processing data.

    Thanks. Surely a window cleaner does collect data though, whether I call or email they have *something*. And if they are to be truly effective, they will probably want my address too! :D

    I don't think my window cleaner would have much to say if I asked him for his privacy policy though... He would probably just assure me that anything he sees, he keeps to himself :)

    tony84

    The reason we can't copy the useful info is that we have no idea what could become useful in the future. Right now I'm working on a project in Germany, and in 2007 I worked in the same venue in Germany. It's very out of date now of course, but the old haulage quotes we got then were enough to be able to guesstimate approx cost, not to mention the time for the trucks to make the trip, and reading back it reminded me that in Germany, all items on an open-sided truck must be placed on rubber pads to avoid slippage. I can honestly say that until yesterday, I would not have ever expected to read that email again. But why should I not refer back to a service I used 11 years ago, in order to be best informed going into the same situation today? It seems reasonable, sensible.

    So I suppose, that is my justification right there..

    If you are happy that is fine, go with it. Or maybe call the ICO for clarification?
    I have spoken to them once or twice (not about GDPR) and unlike most government agencies, they are actually quite helpful.
     
    GDPR isn't just about how you contact someone, but more importantly, what you are doing with their data and contact details, and how you handle either a loss of their data or their request to be forgotten. Initially, have a privacy policy in place that informs potential clients how you will store their data and contact them in the future in regard to the services you provide, and their rights in this regard. It doesn't just cover digital data, but also physical information as someone else pointed out. If you do end up using a CRM system or storing their data in the cloud, then you have to inform them of this in the privacy policy.

    cjd

    Thanks. Surely a window cleaner does collect data though, whether I call or email they have *something*. And if they are to be truly effective, they will probably want my address too! :D

    I don't think my window cleaner would have much to say if I asked him for his privacy policy though... He would probably just assure me that anything he sees, he keeps to himself :)

    All businesses fall under GDPR if they hold someone else's personal data.

    Now whether it's a big deal or virtually no deal at all is another issue. If I was a one-man window cleaner it's not something I'd worry about at all.

    If I was the owner of a telephone company, it's something I'd worry about a great deal. So I do :)

    Alan

    I would love to see someone going to see a prostitute and being handed a privacy policy.
    oooh if anything will get you in the mood, it's GDPR!

    I've never visited a prostitute, but I don't expect they ask for any personal data - hi I'm Cyndy, what is your name .. and surname .. and address .. and next of kin in case you have a heart attack .. and who do you bank with .. and who is your GP .. and your date of birth please ... thanks once I have all these details registered on my computer we can get down to business ... oh and btw please can you sign this terms and conditions ...

    But if they did .. they would legally need to let you know your rights regarding the use of that data ..

    tony84

    I've never visited a prostitute, but I don't expect they ask for any personal data - hi I'm Cyndy, what is your name .. and surname .. and address .. and next of kin in case you have a heart attack .. and who do you bank with .. and who is your GP .. and your date of birth please ... thanks once I have all these details registered on my computer we can get down to business ... oh and btw please can you sign this terms and conditions ...

    But if they did .. they would legally need to let you know your rights regarding the use of that data ..
    Good shout.
    I have never visited one either for the record. I was trying to be clever, how that came back to bite me :p