GDPR and Sole Traders – No 2

Data Collectors and Data Processors – Which am I?

This blog post is the second in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be interested in finding out how to become compliant before the deadline on the 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own.  I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or additional tips below.

This second post covers the roles of the Data Collector and Data Processor and suggests how you can start to become GDPR compliant.

Who or what is a Data Controller?

In the case of a sole trader, you are a Data Controller because you are collecting personal data for your business activities including sales and marketing and/or any other activities that involve recording personal data. To draw comparisons, FACEBOOK is a company and it’s also a Data Controller.  But because it’s such a big company it will have several Data Officers taking care of its GDPR compliance. They are probably quite busy at the moment!

GDPR and sole trader 2

Who or What is a Data Processor?

If you are a sole trader or small business owner and you are recording and storing your customers’ personal data for business, either on hard or soft copy files, on your laptop, computer, external hard drive or in your filing cabinets, then you are also a Data Processor.  If you are using online software systems such as MailChimp, ActiveCampaign or Sage to process that personal data then you are using 3rd party Data processors. To draw comparisons again, FACEBOOK is a Data Processor when its algorithm selects your Customised Audiences for advertising campaigns and MailChimp is a Data Processor when it stores data and delivers your newsletter campaigns to your customers or prospects.

How do I become compliant?

Right, you are going to have to put in some work to become compliant, however, once you have a system in place, it should be plain sailing from then on.  Becoming compliant involves reviewing how you have been collecting and storing data up until now, and then putting systems in place to ensure that you start collecting and processing data with GDPR in mind.  This applies to both offline and online data collection.

Where do I start?

You start with a Data Audit.  If like me, you aren’t long in business (I’m a year in business, my first milestone…hurray!) then you won’t have to check back too far.  Ideally, you should review all of the personal data which you have collected in the past, including current clients or customers.  Then you have to start answering some questions.  (I created my Data Audit on an excel file).  The easiest way to start is to think of one regular client and perhaps one once-off client, and then ask these questions.  Here is an example relating to a sales customer:

Question Answer
What is this data? Sales customer information
When was the data collected/recorded? 18 March 2017
How was it collected? Online sales transaction by a customer on {your website}
Legal basis for collecting data? Business sales transaction contract *
What information is included? Name and Address Details
Is the data accurate? Reasonably **
Is the data sensitive? No
Where is the data held? Laptop / Filing cabinet
Is the data secured? Password-Encrypted Laptop / Locked Cabinet
Why is the data held? Regular customer/Accounts records
Is the data shared with 3rd parties? Nightline couriers (deliver product)
Is the data shared outside EEA? No
How long will the data be kept? At least six years
How will the data be destroyed? Online and offline shredder

*because the data was collected for a business transaction it is the legal basis for collecting the data.

**the data should be accurate but if it is old data, it could be out of date i.e. person changed address and in that case, you should probably answer ‘not sure’.

As you can see there is a lot to think about and in some cases, you may not have all of the details on your files to answer these questions about your past or existing customers, but you can make a stab at it.  Once you are happy with the data audit you can use the template and update it with new customer information going forward.

The example I gave above was focussed on a sales client but if you are trying to grow your business you are probably engaged in marketing activities to attract leads. So let’s see how different that might look:

Question Answer
What is this data? Lead details of a potential client
When was the data collected/recorded? 18 March 2018
How was it collected/originated? Newsletter sign-up by a person on {your website}
Legal basis for collecting data? Consent on signing up *
What information is included? Name and email details
Is the data accurate? Yes
Is the data sensitive? No
Where is the data held? MailChimp mailing list/external hard drive
Is the data secured? Privacy Shield **/hard drive locked in a cabinet
Why is the data held? To send a monthly newsletter
Is the data shared with 3rd parties? MailChimp
Is the data shared outside EEA? Yes
How long will the data be kept? Until person unsubscribes from the mailing list
How will the data be destroyed? Delete from MailChimp list/external hard drive copy

*this is important because you are stating that you have this data because the person consented when he/she signed up for your newsletter.

**lots of cloud-based software companies are based outside the EEA and you need to ensure they are secure.  As for Privacy Shield….its another conundrum, google it.

How can I manage it all and why do I have to do all of this?

GDPR and Sole trader 3

For sole traders and small business owners, who don’t have a dedicated person to handle this, it is really a question of dedicating time to getting your house in order.

If Revenue called on you tomorrow to audit some of your accounts, would you be ready? Hopefully yes!  So being GDPR compliant is similar however it’s really about security.

Do you have a customer’s credit card details?  Do you have sensitive information about an individual (coaching or counselling notes for example?) Do you have personal data that if leaked, lost or stolen could ‘upset’ the individual concerned and cause them to look for compensation?  Or, consider this, what if a person asked you to delete all of their personal records, would you know where to find the data? Could you guarantee that you have complied?

If you are holding information on your systems (laptop, computer, phone, hard copy files, external hard drive, etc.) that you no longer need for business (except for your financial accounts  which are held for a period of six years), then its probably best to delete it, shred it or burn it!

As of 25th May 2018, you will need to have a legal basis or individual consent to control and process personal data.  More about getting Consent in my next post, coming soon! Promise! 🙂

2 thoughts on “GDPR and Sole Traders – No 2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s