Small Business GDPR Compliance

[CelticStarlight]

We run a computer/tablet/phone repair and networking business. It is a very locally-based business and virtually all our work comes from word-of-mouth although we have a very simple website with a contact form which also brings us quite a few customers. We don't send marketing emails but we do contact customers via the business phones and by email with regard to the work we do for them. We also have a Facebook page.

I understand we have to write a privacy policy for our website but if we get rid of the contact form and just leave our contact details on the website instead, then am I right in thinking this will reduce the risk of a data breach from there? If we leave the contact form then we have the worry of making sure no-one gets access to client data when they enter it on there. Our laptops are as secure as we can get them, our phones are encrypted and have the highest security and we will no longer keep customers' data from their computers etc after jobs - we used to keep them for a while until people were sure they had everything they needed. We keep the names and addresses of customers in the business mobile and in contacts in our email provider just so we know who they are when they contact us and also to preserve texts and emails related to jobs as it is important to know what work has been done before.

Can anyone just advise me if this sounds ok please? I've been wading through the mounds of information for ages now but a lot of it relates to larger businesses or businesses who sell things or send marketing emails. I know we have to register with the ICO and vet what data we hold and what we do with it etc but I wonder if I'm missing anything or, alternatively, worrying too much.

Thanks in advance for any help given.

 

[twaen]

Removing contact form - don't see the reason for it, or how it does improve security, if at all.

If the website is ssl/secure (https) and form data is then emailed to you, this is about the same as providing your customers with your email address on the website. Or maybe even the contrary: If you make sure that form data is then emailed SECURELY to you, it might be even more secure than user's email client and SMTP, that might be insecure and leaking in transit.

If you're thinking about the website being hacked, well you're focusing on the wrong thing with the form.

If an attacker can get their hands on your server they can get your user data regardless of you having a form or not there (they can add their own form for example). When they breach the site, in security this is called "game over". And you have to already issue a data breach notification as per GDPR.

 

[CelticStarlight]

Removing contact form - don't see the reason for it, or how it does improve security, if at all.

If the website is ssl/secure (https) and form data is then emailed to you, this is about the same as providing your customers with your email address on the website. Or maybe even the contrary: If you make sure that form data is then emailed SECURELY to you, it might be even more secure than user's email client and SMTP, that might be insecure and leaking in transit.

If you're thinking about the website being hacked, well you're focusing on the wrong thing with the form.

If an attacker can get their hands on your server they can get your user data regardless of you having a form or not there (they can add their own form for example). When they breach the site, in security this is called "game over". And you have to already issue a data breach notification as per GDPR.

Thank you for your reply, I appreciate it. The reason I want to remove the contact form is that I noticed that it does not have an https come up in the browser bar when data is entered there, which I gather means that it is not secure. Until that is rectified then it seems safer to remove it. I did not notice this when our developer set up the website and have had to contact him about it now that I have become aware - he is actually away until tomorrow though. I would have thought it would have been set up securely as a matter of course but seemingly not.

 

[Lee Oakley]

We run a computer/tablet/phone repair and networking business. It is a very locally-based business and virtually all our work comes from word-of-mouth although we have a very simple website with a contact form which also brings us quite a few customers. We don't send marketing emails but we do contact customers via the business phones and by email with regard to the work we do for them. We also have a Facebook page.

I understand we have to write a privacy policy for our website but if we get rid of the contact form and just leave our contact details on the website instead, then am I right in thinking this will reduce the risk of a data breach from there? If we leave the contact form then we have the worry of making sure no-one gets access to client data when they enter it on there. Our laptops are as secure as we can get them, our phones are encrypted and have the highest security and we will no longer keep customers' data from their computers etc after jobs - we used to keep them for a while until people were sure they had everything they needed. We keep the names and addresses of customers in the business mobile and in contacts in our email provider just so we know who they are when they contact us and also to preserve texts and emails related to jobs as it is important to know what work has been done before.

Can anyone just advise me if this sounds ok please? I've been wading through the mounds of information for ages now but a lot of it relates to larger businesses or businesses who sell things or send marketing emails. I know we have to register with the ICO and vet what data we hold and what we do with it etc but I wonder if I'm missing anything or, alternatively, worrying too much.

Thanks in advance for any help given.

Hi, I think you are focusing too much on the web site and online form to be fair. The web form is a means to leave marketing information but where it is held should be the main focus and preventing it being breached as much as you reasonably can.

If you havent already I would read the "Preparing for the General Data Protection Regulation - ICO - 12 steps you can take now" particularly if you say that you are accessing and storing customer data (such as that held on hard drives) as this is right up there at the highest levels of 'personal data' and this is what would probably be the most likely area of weakness that could be exploited, or attentions focused on if you did have a breach of any sort.

Whilst you need to access and store that personal data to perform your duties of repair the part of the act is about informing your customers prior to their data being accessed (so they give you informed consent) and having both greater care and transparency and in doing so putting effective plans in place to limit the possibility of data breach.

Your privacy plan should state what data you access, why you access it, how you store it, what plans/procedures you have to protect it and for how long you retain it for, any why.

A name, email address, phone and physical address retained for marketing and customer records is personal data but what people have on their computers is highly likely to include downloaded bank statements, passport details, credit reference reports, personal and family photos, emails between loved ones etc etc and this highly personal and sensitive data is on your premises and likely has to be accessed (en masse and albeit briefly) to effect many repairs I am sure, (even though it would never ever be read or leave the premises) so in my opinion I would think this is were you would be more advised to concentrate your focus.

The key here is reasonableness as you wouldn't be expected to have NSA level security but you would be expected to have your employees be aware of and adhere to a detailed and robust plan including what is 'authorised data access' in respect of customer data and ensuring it is handled properly.

For example, if you are to now delete retained customer data after 7 days and this was your policy and your customers were aware of it and gave informed consent on this basis, but that all your customer data was still there in 7 months time it would be more cause for concern by the ICO than generic marketing data hacked from your web form because of a lack of SSL certificate, which is not a requirement btw, only advisory.

 

[CelticStarlight]

Hi, I think you are focusing too much on the web site and online form to be fair. The web form is a means to leave marketing information but where it is held should be the main focus and preventing it being breached as much as you reasonably can.

If you havent already I would read the "Preparing for the General Data Protection Regulation - ICO - 12 steps you can take now" particularly if you say that you are accessing and storing customer data (such as that held on hard drives) as this is right up there at the highest levels of 'personal data' and this is what would probably be the most likely area of weakness that could be exploited, or attentions focused on if you did have a breach of any sort.

Whilst you need to access and store that personal data to perform your duties of repair the part of the act is about informing your customers prior to their data being accessed (so they give you informed consent) and having both greater care and transparency and in doing so putting effective plans in place to limit the possibility of data breach.

Your privacy plan should state what data you access, why you access it, how you store it, what plans/procedures you have to protect it and for how long you retain it for, any why.

A name, email address, phone and physical address retained for marketing and customer records is personal data but what people have on their computers is highly likely to include downloaded bank statements, passport details, credit reference reports, personal and family photos, emails between loved ones etc etc and this highly personal and sensitive data is on your premises and likely has to be accessed (en masse and albeit briefly) to effect many repairs I am sure, (even though it would never ever be read or leave the premises) so in my opinion I would think this is were you would be more advised to concentrate your focus.

The key here is reasonableness as you wouldn't be expected to have NSA level security but you would be expected to have your employees be aware of and adhere to a detailed and robust plan including what is 'authorised data access' in respect of customer data and ensuring it is handled properly.

For example, if you are to now delete retained customer data after 7 days and this was your policy and your customers were aware of it and gave informed consent on this basis, but that all your customer data was still there in 7 months time it would be more cause for concern by the ICO than generic marketing data hacked from your web form because of a lack of SSL certificate, which is not a requirement btw, only advisory.

Hi Lee, thanks for taking the time to write your reply which was very helpful. It underlined a lot of what we have been doing and looking at with regard to GDPR. Holding customers' data has been the thing we have been most concerned about and this is the area in which we have made massive changes and instituted stricter policies and safeguards. However, I know very little about websites so this is the area I feel less sure about which is why I was asking for advice about that in particular. Thanks again.

 

[cjd]

Holding customers' data has been the thing we have been most concerned about and this is the area in which we have made massive changes and instituted stricter policies and safeguards. However, I know very little about websites so this is the area I feel less sure about which is why I was asking for advice about that in particular. Thanks again.

Just on this point, if you encrypt the hard drive you hold the data on, you effectively put the data outside the scope of GDPR (providing you don't leave the key lying around or give dozens of people access to it). You still have to have policies about deletion etc but the data is secure and can't be tracked to an individual.

 

[Andrew Sharp]

Hi Celticstarlight, I am in exactly the same boat as you. Small PC repair business, word of mouth advertising. Absolutely do not know where to start with this GDPR! Would be nice to swap information if you could - maybe we could help each other out. Regards, Andrew

 

[philbaxter]

Andrew - the ICO website is the place to start. They have just started rolling out some guides that are specific to different sectors - not quite one that fits your business yet, but the 'small retailer' and general 'small organisation' ones might help. I just blogged on this yesterday - here's a link via our website:
https://www.pyxi.co.uk/news/140/The-ICO-Rolls-Out-More-Resources-for-Small-Businesses