GDPR and Sole Traders – No 1

The Bare Basics

This blog post is the first in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on  25^th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts.  These are my own views. I won’t be using legal jargon or providing information that relates to bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or tips below.

This first post covers the bare basics, which you may now be familiar with.

What is GDPR?

It stands for the General Data Protection Regulation (I still struggle remembering what it stands for!) which is being brought into force in May 2018 because the current Data Protection legislation is considered outdated.

Who does it affect?

It affects us, that’s all you need to know.  It’s being put in place to protect an individual’s personal data.  And so, it affects sole traders handling the personal data of individuals for business reasons, here in Ireland, or elsewhere in Europe. It also affects any 3^rd parties outside of Europe who handle the data of Europeans! I’ll explain more about that in my next post.

Who is enforcing GDPR?

In Ireland, it’s the Data Protection Commissioner.  In each member country, they are called the Supervising Authority.  In our case, they have provided a website called www.gdprandyou.ie so that you can make yourself familiar with the regulation. It’s worthwhile spending time going through it. It’s easy enough to follow.

Why do we need a Supervising Authority?

This is the bit that people are worried about.  It all sounds a bit strict! The GDPR will give the Supervising Authority power to impose fines on companies or organisations that are not compliant. I am not going to discuss non-compliance as it is quite detailed but basically if companies don’t follow the rules of the regulation they can be fined.  When it comes to fines, it is likely to apply to larger companies and organisations in Ireland, that are holding large amounts of personal data.  We have all heard about the Facebook data breach crisis by now!

But the GDPR also means that we as individuals can claim compensation if we can show that our personal data has been misused, lost, destroyed, stolen, or altered, or any of those kinds of things.

As sole traders, collecting and handling personal data, we can be called Data Controllers and Data Processors and therefore we have a responsibility to ensure that the personal data we have on our clients or customers is collected and stored with the regulation in mind.

What is meant by the collection of Personal Data?

This bit can confuse people. The GDPR suggests we have to get Consent to collect personal data however as a sole trader you know you need to record customer or client details just to do business.

“But I need their data for my accounts to send my invoices or to deliver the goods they purchased! Do I have to ask for their consent in writing now?

From what I understand, the GDPR is being put in place to ensure that we secure the information that we are holding.  So in the case of sales, it’s not really about asking for consent each time you take a customer’s details for a sale.  It’s really about ensuring that the information is kept safe.  As a sole trader, you need to keep your financial records in a safe accessible place for six years so that if Revenue gets in touch, your accounts are in order. We already know we have to do that.

The GDPR will especially apply to marketing activities. If you collect any personal data for marketing purposes, then, as a Data Controller you are accountable and must ensure that it is collected and stored with the regulation in mind. If you are also processing that Data, then you are also a Data Processor and must ensure that it is collected and stored with the GDPR in mind. I will discuss those two roles further in the next post.

The typical data collected or processed are names, addresses, emails, dates of birth, telephones, photos, and ID numbers for example, but the less obvious things are browsing history, online shopping behaviours, sensitive information and so on.  In simple terms, anything that can directly or indirectly identify a person is Personal Data and as a sole trader, you are accountable to collect and store that data appropriately.

How do I become compliant?

There are steps to put in place in order to become compliant and that’s what I will talk about in the next post, coming very soon! Promise 🙂