Will GDPR affect my company?

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Essex_Moulder, Feb 26, 2018.

  1. Essex_Moulder

    Essex_Moulder UKBF Newcomer Free Member

    18 0

    I'm aware of the upcoming GDPR legislation but I've always thought it won't affect us too much due to the following:

    1) We are a business to business company and have no dealings with the general public.
    2) I don't send out any marketing emails, flyers or make cold calls. All our business comes word of mouth or repeat orders for customers products we already make. So I don't have any databases of email addresses or phone numbers.
    3) We only have 3 employees, myself, my wife and 1 other guy who has worked for the company since 2004, when I took over the business from the previous owner who retired.

    Our website does have google analytics which may be covered by the law but I don't use it so if it is I'll just take it off.

    Any advice would be appreciated.


    Posted: Feb 26, 2018 By: Essex_Moulder Member since: Oct 14, 2008
  2. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    82 22

    Right, if you hold/process/collect/store etc ANY data relating to a living individual then you are impacted by the GDPR. The fact you mentioned you employ people means you are a data controller. However, the regulation is about proportionality. you mentioned the only data you hold is that of your employees (small number). So although you are 'effected' to a degree the impacts will be minimal. Mostly common sense will apply in this instance - keep your data secure, draft some basic data protection/privacy standard policies and you should be fine (as long as you adhere to them!). Watch out on your data sets, you mention business to business, but don't forget, email addresses for individuals count too! Something else to watch out for (i don't know your business) but you may be required to meet some of the standards by your customers and they may quiz you on your compliance, so my advice would be to read up on the basics (go to the ICO web page) so you are equipped if you do get any queries.

    It will also be worth checking out PECR (Privacy and Electronic Communication Regulation). This is the part around how you contact individuals (although you said you don't market). Cookies and google analytics will be covered under this and GDPR. So i would look this one up too.

    Do you have a 'contact us' page on your website? Boom, personal information, make sure you have a privacy policy and cookies policy on your site too.

    Hope this helps!
    Posted: Feb 26, 2018 By: Simon Plummer Member since: Dec 6, 2017
  3. Essex_Moulder

    Essex_Moulder UKBF Newcomer Free Member

    18 0

    Thanks for the response.

    A few questions:

    1) What is meant by keep your data secure. Does the law require offsite backups for example. The Payroll data is kept on a PC which is connected to the internet and has virus software on it. We print reports required for PAYE which are kept in the same room in a filing cabinet.
    2) I have no clue how to "draft some basic data protection/privacy standard policies" are there any examples online.
    3) What is an example of a "data set"? I don't think I have any. I use Outlook for emails and Sage for accounts are those classed as data sets?
    4) When you say email addresses for individuals count too. Does that mean that a customers employees email address stored along with their name in Outlook address book is personal data.

    In all the time I've been in business I can count on one hand the number of people who have used our contact us page so the simplest thing would be for me to remove it from the site. Same with the google analytics if it's going to be an issue.

    I understand things better given a practical example. What could be a likely scenario which would affect my business.

    I've tried reading the info online regarding GDPR but it goes over my head.


    Posted: Feb 27, 2018 By: Essex_Moulder Member since: Oct 14, 2008
  4. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,380 3,051
    It means taking reasonable measures to ensure that it's not stolen or lost. It's up to you to defend what
    measures that you take are reasonable.

    No. You destroying your data - by a hard disc failure for example - is not of interest to the ICO. You don't need to back your data up, but you'd be a fool not to. You losing the data to a third party is of great interest to them though.

    Probably the easiest way to protect your data is to encrypt it. I don't know how it's done on a PC but on a Mac, it's very simple and free. With a good password and shortish timeout on the PC your data is safe.

    To comply with the regulation, you have to also make a note of what kind of information you have and why you think that the way you store it is secure. You can't comply by default, you have to have some paperwork to show you've thought about it and done something.

    You don't need to know what a data set is, all you need to think about is the information you hold. If any of it - no matter how or where it's stored - can identify an individual, it becomes in scope for GDPR.


    Your contact us page is fine - the information you put there is yours to publicise as you wish. As far as I'm aware Google analytics is also safe ( so long as they can't identify individuals.)
    Posted: Feb 27, 2018 By: cjd Member since: Nov 23, 2005
  5. Essex_Moulder

    Essex_Moulder UKBF Newcomer Free Member

    18 0
    Thanks for the further info.

    So to comply I just need to create a document stating the info I have and say I believe it's safe because it's stored on a PC with a password in a locked office, correct?
    Posted: Feb 27, 2018 By: Essex_Moulder Member since: Oct 14, 2008
  6. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,380 3,051
    That's nearly right. You have to create a document where you've listed all the types of personal data you hold and the actions you've taken to make it safe. Then it's a risk analysys thing.

    If you lost your data would the ICO agree that you've taken adequate care of it? The test is whether what you've done is reasonable and proportionate for your business and the sort of data you hold. Having done the work to identify the data, think about its security and take some action to guard it you've gone a very long way towards protecting yourself if the ICO came knocking following a complaint.

    But is just keeping your PC in a locked office enough? I somehow doubt it, if he data itself is sat there insecure on the PC. I'd encrypt the drive, then if the PC is stolen the data is safe. So safe that you don't even have to tell the ICO because personal data can't be lost. It's a really easy thing to do.

    Posted: Feb 27, 2018 By: cjd Member since: Nov 23, 2005
  7. ffox

    ffox UKBF Regular Free Member

    1,145 200
    As already suggested you need to start by reading the GDPR and PECR guides at -

    Don't panic, just read them and then do google searches, or ask the ICO, on the parts you don't understand.

    Any data which relates to an identifiable living individual falls under the scope of the regulations, so not only those addresses in an Outlook address book, but also any that exist in a mobile phone address book as well.

    The first thing to do is to find out what you have that is stored electronically.

    The second thing is to document what you are going to do with it.
    As @Simon Plummer said, you only need to demonstrate reasonable measures. By doing that you will be way ahead of most UK small businesses. Don't forget that the enforcement rules and penalties are applicable to all, the only variable will be how stringently they are applied. Those who have made the effort will undoubtedly be considered more favourably than those who have made none. Both those who made effort and those who are blissfully ignorant of the requirements will probably fare better than those who blatantly seek out loop-holes to exploit.

    So far as policy documents are concerned. Create a spreadsheet which lists each type of personal data content and write up your reasons for holding the data, the lawful basis for processing, where you obtained the data, what you intend to do with the data and how long you intend to keep it.
    For an employee this may well state that the data is kept for payroll and HR purposes, that it is used to process pay and record personnel matters, that it is lawfully processed under Legitimate Interests, that you obtained the data from the employee, that you hold it for employment purposes and that you will delete the data after the employee has left your company.
    For payroll you may need to retain the data for one or possibly two years after the employee has gone for HMRC purposes.

    The important thing is to record your intent and that the intent is reasonable.
    The Lawful basis for processing is very important - these are laid down in Guide to the GDPR Regulation (address above).
    Posted: Feb 27, 2018 By: ffox Member since: Mar 11, 2004
  8. Essex_Moulder

    Essex_Moulder UKBF Newcomer Free Member

    18 0
    Thanks for the further info. I'll get all the above done so we comply but...

    I'm just wondering how will the ICO know that a business complies or not, will they be doing spot checks on every business or will it only be if a problem arises and someone complains to them?

    I spoke to a colleague the other day from another micro business (Just him, his wife and brother as employees) and he had no clue what I was talking about. He'd never heard of GDPR.
    Posted: Feb 28, 2018 By: Essex_Moulder Member since: Oct 14, 2008
  9. ffox

    ffox UKBF Regular Free Member

    1,145 200
    Initially, I would think, ICO checks and audits will be reactive, usually in response to an individual or corporate complaint.
    Posted: Feb 28, 2018 By: ffox Member since: Mar 11, 2004
  10. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,380 3,051
    They'll mostly act on complaints and data losses. You biggest risk is emailing a customer that you haven't got consent from. Some belligerent egit that knows their rights...

    They do spot checks on larger companies thta have been in trouble before.

    Almost nobody in small business-land has heard of it and even larger businesses are not up to speed. It's going to take years.
    Posted: Feb 28, 2018 By: cjd Member since: Nov 23, 2005