GDPR Concern

SHC

Free Member
May 4, 2010
3
1
Hi all,

I appreciate that the 'deadline' for GDPR is soon to be here, but I have still yet to find anything straightforward enough to understand on what on earth I actually need to do.

I am a self employed IT consultant and with the exception of writing to and replying to e-mails from customers and making and returning phone calls to them I don't hold any 'data' about them at all.

As their addresses are in my accounts system for invoicing purposes then yes I have to obtain this information.

I'm concerned at how enormous the fines are for breaches of GDPR, and yet seemingly without paying a firm to 'help me become GDPR compliant' I either quit trading in fear of going beyond bankrupt if I'm ever hit with a fine or resort to a massive expense for a company to give me a load of document templates.

How are other self employed 'one-person operation' sole traders coping with this?

Alan

Free Member
    Aug 16, 2011
    7,089
    1,974
    Lots of people are worrying about this and a whole industry has grown based on that worry.

    GDPR is about trying to stop the abuse or misuse of personal data.

    In the main this means marketing to people or selling personal data. Businesses that send out email marketing campaigns need to worry, businesses that collect leads and sell them on need to worry.

    It is also about suitably protecting the personal data from falling into the wrong hands.

    In your situation, as you only use the data for accounting, you need to ensure that it is secure and safe, and if say for instance you use a third party to process that data you must be confident that they will keep that data secure.

    That is about it.

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,426
    www.voipfone.co.uk
    Encrypting the drive that you hold personal details on gets rid of the majority of your problems. After that it's just about getting letters from any third party that processes your data to say that they are compliant, not emailing people without their consent and not keeping data longer than necessary.

    Small businesses are not in the ICO's headlights, don't panic about it, just take reasonable steps to ensure you keep data safe. Start with auditing what data you keep and make a record of what you do with it and why you think that's ok. Having the record of what you do and why is the most important part of the process.
    I agree that GDPR should hold no fears for the average small business. It is however tougher than current, but the three things you need to do are:

    1. Understand, from not only your own applications used in your business but third party applications you use, what happens to the data - where stored and how processed with particular reference to profiling.

    2. Ensure you can prove you have informed all those whose data you handle where and how such data is processed and stored.

    3. That you can clearly prove you have full consent from each person to such processing and storage. Best to achieve this (and 2 at the same time) by a positive click consent with a compliant privacy policy giving that information being readily accessible at the time of the click consent and not stuffed away in the footer. e-termsandconditions.com are about to launch a compliant privacy policy template for their clients and a short 'heads up' information sheet (both of which I drafted).

    Of course the 'belt and braces' 4th step is to set out a description of the action you have taken under 1-3 above and write to the ICO to ask if you are now compliant. I suspect a standard response that they cannot give advice, but I think if enough people took that step they could be pressured into doing some sort of soft clearance. After all, it is in the public's interest that all businesses comply rather than only a small number, with the majority assuming (probably correctly) that a cash-strapped government agency could not go after everyone.

    But although the ICO will not have small businesses in its sights, beware the fact that the Regs empower individuals to sue for breach and, worse, competitors who 'whistle blow' on you and pressure the ICO to take action once notified.
    GDPR really does not need to be complex - Graham has set out some sensible points above.

    Having said it isn't complex, and please don't lose sleep over the fines, no SME is going to be hit with a huge fine (unless they have been carelessly handling millions of consumer records, but that's not going to apply to many).

    However, what you can't do, is do nothing. So check out the basics of what you have to do, start some simple documented procedures, make sure you know how to handle a data request and how to handle a data breach, make sure you have paid the correct fee to the ICO and Bob's your uncle you're all sorted.

    If you have any specific questions, please do ask them here (do them in this thread so others can also gain from the answers) and I will do my best to answer them for you.

    20sjp

    Free Member
    Jul 27, 2015
    9
    1
    62
    I have a few specific questions. We are a small business: 3 field staff, 2 part-time office staff.

    We do not have a contract, but we do return to each of our customers the following year to complete a service on some safety equipment they have (an annual service is required by law, although not necessarily by ourselves). At the visit the engineer completes paperwork with details of the customer and what they have had done (if they do not want our services they can tell us at the visit). The only info we collect and store is on QuickBooks (accounts invoicing system) and is what they gave us on paper: the name of the customer, business name, address, telephone and email, in order to invoice the customers, to collect payment from them 30 days later and to store the information about who is due their service in what month the following year so their premises remain under certification. The collection of some payments, where the customer forgets or does all possible to avoid paying, may be by telephoning the customer to get paid. I understand now we have to call from a telephone number which clearly identifies who we are. This could be a problem for us, because there are a number of our customers who would avoid our call to pay if they can, therefore sometimes we do call from a withheld number, which increases the chance of getting answered.

    1) Is this a complete no-no now?
    2) Sometimes we make notes if they have been poor payers to ask our engineer to collect payment on the day (i.e. took until June to pay, or took 4 months to pay). Are such internal notes allowed?
    3) If a customer decides not to be our customer any longer, we archive their record, but should we really be deleting the record? (We usually hold tax information for 7 years.)
    4) I've put together a document saying what info we collect and why we collect it. Do I just keep that in case of an enquiry, or do I have to register it somewhere with the ICO etc.?
    5) Can I just put a privacy policy on our website informing customers that we don't and won't share their information with other companies or organisations and won't contact them in regard to any other products other than those we currently offer, i.e. safety services?

    It's a minefield and I have been reading and reading and trying to copy what other organisations have/are doing, but I still don't know if I'm doing it right and we just don't have the funds to keep paying other external consultants.

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,426
    www.voipfone.co.uk
    If you stick to basic principles you can sort it out.

    The first one is to only keep personal data if there is a real business use for it and only keep it for as long as that business use is there.

    So it's fine to keep invoices for 7 years because the VAT man may need them. But not other stuff that the VAT man has no interest in. If you need information for annual contracts, of course you can keep that information.

    But for each type of data, you need to say why you've taken the decision you did and keep it on file. You don't need to tell the ICO about it, but it needs to be available if asked.

    The second bit is you need to keep the information safe. For small businesses the best idea is to encrypt the hard drive of your computer - this is easy to do and free and by doing it you effectively take the data outside the GDPR because it's not readable.

    Paperwork needs to be locked away somehow and you need to be careful about what you throw away - shredders are best.

    The third bit is marketing. If you're going to market to your customers you need their deliberate, positive consent. This doesn't mean you can't contact people as a part of fulfilling the work you're doing for them.

    It's pretty much common sense once you get into it.

    20sjp

    Free Member
    Jul 27, 2015
    9
    1
    62
    Another question.

    Staff records: I assume I am the data controller as I collect information on staff, i.e. the recruitment process. The only other person who has access to basic staff information is our accountant. Would the accountant be a joint data controller? So for example new starters complete an HMRC starter checklist form with name, address, date of birth, NI number etc. This form is scanned and emailed to our accountant and then she does whatever she does to process the payroll and the necessary PAYE, tax, NI and pensions.

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,426
    www.voipfone.co.uk
    Your accountant needs to provide you with a new contract that confirms that he is also GDPR compliant. Anyone you pass someone else's personal information to must provide you with this guarantee for you to be compliant.

    Alan

    Free Member
    Aug 16, 2011
    7,089
    1,974
    Would the accountant be a joint data controller

    No your accountant is a processor. You are meant to have a written contract with your processor(s) that meet GDPR requirements - https://ico.org.uk/for-organisation...gdpr/accountability-and-governance/contracts/ - your existing letter of engagement MAY already cover these, you need to check it, and if it doesn't you can ask your accountant to send you an addendum that does.

    Interestingly, the existing laws (Data Processing Directive 95, Article 17) actually already require such a contract between controllers and processors, and the overall requirements are pretty similar.

    20sjp

    Free Member
    Jul 27, 2015
    9
    1
    62
    Good news: I contacted the helpline today and established that I don't have to register for our main business. I read the self-help question 7 incorrectly:

    7. Are you processing information for any of the following purposes?

    Apparently the answers to this are about whether it is your core business, and for us it is not. We only do any of those things on that list for staff admin and general admin, and so the lady said to tick none of these as none of them are our core business, and then it said we didn't need to register, but obviously we need to still comply with various things for good practice. I have to say the helpline advisors are very good at explaining things. She said lots of people were making the same mistake on question 7. Also for info, if you use GPS tracking devices in vehicles then that is considered staff admin too, but if you use dash cams facing forward or in then you have to register. Hope this helps others.

    However I did then go onto the couple of rental properties I have as a sideline (not the main business) and for those I definitely do need to register. So you win some, you lose some. Thanks for your help in regard to our accountant; she is already registered with DPA and seems to think that our engagement letter would suffice as a contract anyway, so even though I'm not registering our main business I still plan to hold an updated copy of that engagement letter for the future. Good luck everyone.
    Hi all,

    I appreciate that the 'deadline' for GDPR is soon to be here, but I have still yet to find anything straightforward enough to understand on what on earth I actually need to do.

    I am a self employed IT consultant and with the exception of writing to and replying to e-mails from customers and making and returning phone calls to them I don't hold any 'data' about them at all.

    As their addresses are in my accounts system for invoicing purposes then yes I have to obtain this information.

    I'm concerned at how enormous the fines are for breaches of GDPR, and yet seemingly without paying a firm to 'help me become GDPR compliant' I either quit trading in fear of going beyond bankrupt if I'm ever hit with a fine or resort to a massive expense for a company to give me a load of document templates.

    How are other self employed 'one-person operation' sole traders coping with this?

    I am a one person operation, therefore to answer the question directly, there is no better alternative to reading the regs themselves. Before I committed to doing so, like you, I searched online for guidance, and quickly reached the same conclusion as you, which is that the guidance is only that, and won't fully prepare you.

    Having spent an entire day reading and re-reading the regs, all did become clear, and thereafter, the changes I needed to make, as opposed to the changes businesses generally need to make (which is why the guidance issued is less helpful, because by nature it's general) were also clear.

    If you haven't already done so, I would read the regs from start to finish. Things should be clearer once you have done so.

    Good luck.

    Dean

    Cliff Faires

    Free Member
    May 2, 2018
    3
    0
    I am finding this all confusing. I have a small website that at this time offers online shopping, access to TripAdvisor to rate us, and a contact form, all of which would use cookies.

    If I deleted the shop, deleted TripAdvisor and deleted the contact form, offering information only, and then just added an email address and telephone number so potential customers can get in touch, would I need to be EU GDPR compliant?

    20sjp

    Free Member
    Jul 27, 2015
    9
    1
    62
    If you have read everything, I would call the helpline. They were very useful to me:

    This dedicated advice line offers help to small organisations preparing for the new data protection law, including the GDPR.

    The phone service is aimed at people running small businesses or charities. To access the new service dial them on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

    Guinness

    Free Member
    Aug 27, 2009
    32
    1
    GDPR really does not need to be complex - Graham has set out some sensible points above.

    Having said it isn't complex, and please don't lose sleep over the fines, no SME is going to be hit with a huge fine (unless they have been carelessly handling millions of consumer records, but that's not going to apply to many).

    However, what you can't do, is do nothing. So check out the basics of what you have to do, start some simple documented procedures, make sure you know how to handle a data request and how to handle a data breach, make sure you have paid the correct fee to the ICO and Bob's your uncle you're all sorted.

    If you have any specific questions, please do ask them here (do them in this thread so others can also gain from the answers) and I will do my best to answer them for you.


    That is the first I have heard about a fee to the ICO? How do I find out about that? We started off by using the ICO assessment form, as there seems to be a lot of information out there that is confusing.

    James Reckons

    Free Member
    Aug 18, 2015
    20
    1
    To clarify, we need to establish (and tell our customers in a privacy policy) a ‘lawful basis’ to process their details.

    ‘Process’ means dealing with website/telephone/email/etc enquiries or bookings. However, it can also mean things that aren’t so obvious like doing our annual tax return or chatting to someone on an app. In other words - anything we do that relates to customer details.

    The definition of customer details is anything from names and phone numbers to email addresses and photographs. Even the cookies third parties drop on our customer’s devices can count.

    GDPR sets out 6 ‘lawful bases’ for processing our customer data.

    As business owners we need to look at how we process customers' data and decide which basis fits each thing best.

    There's been a lot of talk about getting customers' consent, but consent is only one legal basis and it could be that another fits our business better. Indeed, for most people dealing with customer enquiries about their products and services, consent will not be the best basis. For example, when a customer makes an enquiry or books our services, they will have supplied their personal information willingly along with a request for us to do something (book us in, send me info, etc.), so that gives us a lawful basis to process and store it. The legal basis will be 'contractual'.

    Helen Williams

    Free Member
    Jan 20, 2017
    12
    1
    I am finding these posts extremely useful, thank you all. We operate a roofing business; we have a website with a contact form on it and we use Sage One for processing our books, i.e. invoicing and wages. We also hold paper copies of guarantees for the period of the guarantee (up to 25 years); they are then shredded. The paper copies are held in a locked archive store and are never used for any other purpose. We log the weather conditions and batch numbers on the guarantee, but on occasion we have received a call and the client has lost their guarantee, so it is very useful for us to keep the copies. The only other person who has access to any data is our accountant, for the purpose of preparing our accounts. Any prospective clients who have requested a survey and quotation have a written quotation, of which we retain a paper copy for 3 months and then shred. Is it just computer-held data or old-fashioned paper copies too? We use email regularly to clients, but these are deleted upon completion of the contract. I think it is excellent that data misuse is going to be cracked down on, as it is a worry for all of us, but as a small business it does seem an added pressure.

    cjd

    Business Member
    Nov 23, 2005
    15,983
    3,426
    www.voipfone.co.uk
    It's fine keeping your guarantees - there's obviously a legitimate reason for doing so - you just need to say that you do in your privacy policy.

    Yes, it includes paper.

    Lucan Unlordly

    Free Member
    Feb 24, 2009
    3,961
    994
    If you have read everything, I would call the helpline. They were very useful to me:

    This dedicated advice line offers help to small organisations preparing for the new data protection law, including the GDPR.

    The phone service is aimed at people running small businesses or charities. To access the new service dial them on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

    I've spent about 3 hours over several days waiting for somebody to pick up the helpline phone!