GDPR 25th May 2018 What are you doing about it?

[logobear]

This new GDPR legislation coming in soon has me confused.....

It requires anyone who has any data on anyone to do stuff.

We have an archive of all our past customers artworks.
Some of it cannot be linked directly to an individual
eg PR window cleaning
and some can
eg Phil Rigby Window cleaning

In most cases we have no contact info, - but the client may have paid for artwork etc... so it is important for us to look after it for them. For how long? - for ever !

Then what about all your contacts from emails in you address book?
We use gmail, - so it it gmail's job to be complaint, or ours?
Am i suupose to go though the address book and delete everyone?
Often, someone will ask for the same again, - and I will search through old emails to find out what they are talking about, how much we charged etc.

How are you dealing with this?
Phil Rigby (not a window cleaner, - but I have been known to clean windows!)

[Quinsfan]

Is it not just a case of telling people what you do with there details. Just a note on any enquiry saying that their details are only for invoice/enquiry purposes and will not be passed onto 3rd parties.
That said if I done a van for a plumber and then someone asks if I know a plumber and I pass on his details is that then passing on to a 3rd party?


Sent from my iPhone using Tapatalk

[Earl Smith]

Certainly food for thought.
The tax man requires us to keep our paperwork for seven years. What should we do with it? Lock it up in a secure, fireproof, water tight room for the duration? What if somebody breaks in and steals it? Whos fault is it??
I will look into it over here (for my sake) as the Germans are paranoid about Data Security.
Thanks for the heads up.

[pw66]

It is one of those vague, jargon driven things where there is no clear guidance. Lots of abstract information about 'personnal data' and 'compliance' and 'data controllers' but nothing concrete in terms of what we have to do.

I have no information on any customers that hasn't been given to me by them - email address, phone numbers, address. In general nothing that isn't printed on their business card or side of their van. I hold no financial information - that is handled by paypal. But if I can't demonstrate that I have considered the GDPR regs and taken steps to implement them then I can be fined.
Just nobody is telling me what I have to do.

[logobear]

I have been to 3 different presentations on it, and exposed to some 'specialists' who are all full of BS/waffle, but no actual practical advice.

We are advised to keep biz accounts for 6 years.
Insurance certificates for life - in case of any long term industrial desease or incident.

Regarding staff info, - if we must keep employer liability certs for ever, then i suppose we must keep staff data for ever, in case of any future claim....
BUT this GDPR says only keep data as long as relevant or required.

just because data is in the public domain (like on a business card) doesn't mean that you are not managing it.
Article 30 exempts business under 250 employees ... except in ABC XYZ circumstances ....

say its for a birthday tshirt, photo,name, date of birth data ...... enough to identify an individual ...

Your "right to be forgotten" eh?

Its a good job i have nothing better to do !

[pw66]

This is the best article I have found - best meaning least jargon driven.
https://theitservice.co.uk/gdpr-article-30/

Seems like it is similar to those other areas where it is essential to have a written policy document to point out the bleeding obvious - like Health and Safety, First Aid, Fire etc. Probably the existence of the document is more important than the contents....

From the link, the document should contain
1-your company details and name of data protection officer
2-general decription of security measures taken to protect data -including any encrytion and restricting access to data
3-why do you have data (ie contact details for proofing, invoicing and delivery)
4-what type of peoples data you have, ie - customers ( companies and individuals ), suppliers ( individual details not needed)
5-type of data held, ie client details including contact details, order history,payment history
6-who will the data be disclosed to ( if any)
7- how long will data be held for ( for most of us this will be largely dictated by book keeping requirements)

Probably be able to get it onto 1 A4 sheet.

[Drew]

Probably the existence of the document is more important than the contents....

Agree 100%.

Do you remember when they bought in the rules on cookie consent? Or Privacy Policies? At that time there was alot of head scratching, and alot of 'what do I do???'. Then someone bought out a plugin for wordpress, and all the other sites. So no one really did anything, other than install a plugin.

This is the same. There are already Wordpress plugins (like https://en-gb.wordpress.org/plugins/wp-gdpr-compliance/ ) that will help a long way, and I've seen others for Prestashop (not free).

Whilst its still early days, they won't be perfect, but give it a few months and handling GDPR will be as simple as installing a plugin. At least it will show, should anyone question, that an attempt has been made to comply.

On a side note, has anyone else been getting emails from larger companies who's mailing list you signed up for at some point in the distant past, asking if you want to keep receiving their newsletters please click the link or login to your account? I presume this is all GDPR related.

[ginap]

I've just started looking into the GDPR thing and what I've got so far is (in no particular order):

If you use services like: Shopify, PayPal, Mailchimp etc you have to check they are GDPR compliant. For example, I know Shopify is US/Canada based but they have recently set up in Ireland to transfer data and ensure they are compliant for all EU processing and storage of data. So if you use an commerce platform similar to Shopify it's worth checking they're compliant because they are ultimately the initial keepers of the data.

Auto opt-in of anything is no longer allowed. So if you have a newsletter sign-up system on your website you must have the customer tick the box to consent or fill out their details to sign up. You can't have say for example an already ticked box in your cart which automatically opts them in.

Storage of personal data: you must have a policy document which sets out how/why you store data. Similar to a privacy policy on a website. You must have a secure system of filing any personal data whether in paper form or digitally. Personal data includes but is not limited to: name, email address, address, telephone numbers, ip address etc You may have this data if you store website orders for example so this data is collected for the purpose of fulfilling orders and bookkeeping etc. You have to be able to provide the information you store about someone if they request it. And you have to be able to delete it if they request it. This will involve you physically destroying any paperwork or digital files AND if you've used your shopify store for example to obtain the order in the first place you have to contact Shopify with the request to remove the customers data permanently.

If you receive orders/customer emails on your phone you also have to protect/encrypt/store this data under the same rules.

If you trade on marketplaces like Ebay, Etsy, Not On The Highstreet etc you have to check their compliancy. It is their responsibility to keep the customer’s data safe and secure but if you download it or print it out (i.e. orders, copies of emails etc) then you are responsible for GDPR compliance.

So that's as far as I've got!

I can't find anything with Royal Mail just yet. For example, I use their Click and Drop service to generate labels. So my Shopify store is auto-connected and Shopify provides that data to generate the label with Royal Mail, but I also input manual customer address details when I've had orders by email/phone so what's the situation there? No idea!

There's still a lot of info not yet finalised from the powers that be so it's worth keeping an eye on but definitely worth making a start on looking into it and putting certain things in place.

Here's a few links which I'm working my way through which might be helpful:

https://www.simplybusiness.co.uk/kno...mall-business/

https://help.shopify.com/manual/your-account/GDPR

https://www.shopify.co.uk/blog/gdpr-and-ecommerce

https://kb.mailchimp.com/accounts/ma...ion-regulation

https://tamebay.com/2017/07/will-gen...ion-apply.html

Phew! It's a lot to take in and definitely a pain in the A but if I manage to find anything which sets out a clear step-by-step 'you must do this' guide in simple non-jargon format I'll post a link.

[Quinsfan]

Is all this even for a one man band. I don’t have a website that I sell stuff through and only have peoples data on my quote/Invoice system which is held on my own cloud at home. How do you encrypt everything? Seems a PITA for the one man sole trader who just works from home getting word of mouth business. No newsletter, no ordering website, I don’t accept PayPal or cards only bank transfers and cash.


Sent from my iPhone using Tapatalk

[pisquee]

Yes for a one man band too - you have less data to manage, but it's still data