GDPR and Sole Traders – No 5

To keep it or not to keep – that is the Question!

This blog post is the last in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own. I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or tips below.

This post covers Retention, Withdrawing Consent and Deleting files.

How long should I keep personal data?

We already know that accounts information has to be kept for several years in case of Revenue audit checks, but what about other information?

There are no exact rules on this subject, however, under GDPR, you should be able to justify why you have kept personal data for a long time.

It is recommended that you have a retention system in place so that you regularly clear out or update your files.  Imagine for example that you have personal details on an old survey or questionnaire relating to a workshop or event you held 3 years ago.  Do you need to keep that data?  If it is no longer relevant then you should delete it (see below).  If you do need to keep records for business reasons then you must ensure that the data is kept securely: password protected, encrypted, or locked in a filing cabinet.  If you keep copies of files on an external hard drive, make sure it’s password protected.

Under GDPR a collection notice should indicate how long the data will be kept. For example, on a newsletter subscription, it could state “This data will be kept until you unsubscribe from this newsletter”.  You are not indicating a date but you are indicating that an unsubscriber will be removed.

You could also include a section on retention periods within your Data Privacy Policy detailing what gets kept and for how long.

What do I need to know about Withdrawing Consent?


In blog post No 3 we looked at Consent and the importance of ensuring that any personal data that you use for marketing purposes has been freely given by the individual in question.  It is equally important that we make it clear to the individual that they can withdraw their consent at any time.  A simple way of doing this, is, of course, to have an unsubscribe option on any marketing pieces that you send to individuals both offline and online.  There is nothing really new in that.  However, under GDPR an individual not only has the right to withdraw consent but they also have the right to request that their personal data be deleted from your records (except where required legally). Obviously, the more sensitive the information the more important it is to ensure you have protected it, and know how to access it.  An individual could also ask you for a copy of the information you are holding especially if it is a record of employment or medical care or therapy.

If we just look at the marketing side of things, imagine this scenario.  Joe Bloggs signed up for your newsletter back in 2015 giving you his Name, Email and Phone number. Joe unsubscribes from your latest newsletter and requests that you delete any personal data that you are holding. As Joe is currently listed on your newsletter mailing list in MailChimp, you can easily delete that.  Now think, are his details anywhere else?  Is there a copy of his details on your laptop/computer, on an external hard drive, or on a paper file?  How can you ensure that you know where those details are?

Have a guess?  Yes, it’s back to the Data Audit discussed in blog post No 2, where you recorded the data you are holding and where it is stored.

Again, it’s a good idea to check in with subscribers every two years to get their consent again and to delete any unsubscribers or undeliverable emails.

How can I safely delete data?


When it comes to paper files, using a shredder is a great solution. But if you don’t have a shredder then perhaps you can safely burn the paperwork.  Throwing the paper into a Green Bin is not a good idea unless it’s shredded paper!  Remember, you do have to keep financial account information for Revenue.

Deleting data from computer hardware requires some attention.  If you are familiar with computers and laptops you will know that when you delete files, they go to a Trash folder, and even when you empty the Trash folder the data is still recoverable even though you can’t see it.  So you need to look at file-shredding software. The same applies to emails.
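As an added example (not code from the original post), here is what a file-shredding tool actually does, written in Python: it overwrites the file’s contents with random bytes, forces them to disk, and only then deletes the file. The sample “old survey” file and its contents are constructed for the demo, and the function name is mine. The caveats in the comments are the ones a practitioner would want before trusting this on a modern laptop.

```python
import os
import secrets
import tempfile


def overwrite_then_delete(path: str, passes: int = 1, chunk_size: int = 64 * 1024) -> int:
    """Overwrite a file's contents with random bytes before unlinking it, which is
    what desktop 'file shredder' tools do. Returns the number of bytes overwritten.

    Caveats: on SSDs, copy-on-write or journaling file systems, and anything
    synced to cloud storage or kept in backups and snapshots, the old blocks may
    survive the overwrite. Full-disk encryption with key destruction, or the
    drive's own secure-erase command, is the reliable route for a whole device.
    A copy that was moved to the Trash folder is a separate file and is not
    touched by shredding the original.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the new bytes to the device, not just the OS cache
    os.remove(path)
    return size


def demo() -> tuple:
    """Constructed demo: create a throwaway 'old survey' file, shred it, and
    return (bytes overwritten, does the file still exist?)."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".csv") as tmp:
        # Constructed sample content, not real personal data.
        tmp.write(b"name,email,phone\nJoe Bloggs,joe@example.com,0851234567\n")
        path = tmp.name
    written = overwrite_then_delete(path, passes=2)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Run it and you get the byte count that was overwritten (twice, here) and `False` for the file still existing. The fsync call is the step most home-grown scripts skip; without it the random bytes may still be sitting in memory when the directory entry disappears.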

You may want to have someone with an I.T. background assist.  Meanwhile, here is an article I found on the subject of deleting files on your hardware on LifeWire.com, and here is another article on shredding digital files.

So that covers this last and final blog post.  By now, you have probably received lots of email updates from your software suppliers and partners advising you about their new Data Privacy policies as the deadline draws closer.  You still have 24 days to get your business in line with GDPR! Get going and Good luck!

GDPR and Sole Traders – No 4

Time to update your Data Privacy and Data Collection Notices!

This blog post is the fourth in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own.  I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or tips below.

This fourth post covers the next steps to become compliant, including updating your Data Privacy policy and or Statement and Collection Notices! I know, it’s a pain really.  If you don’t want to handle it yourself, outsource it!  Once you have completed the data audit (see blog post No 1), you should have a good idea of the various ways you have been collecting personal data for your business activities (that is, where the data you collected originated from).  Doing the data audit is also a good opportunity to delete data that is no longer required for any business purposes.

Data Privacy Policy and or Data Privacy Statement.

I am currently revising and drafting mine so don’t bother looking at it! If you have a business website, the data privacy bit is usually referred to as a data privacy statement; however, for offline documents, it’s usually called the data privacy policy, which is not the same as your terms and conditions.

How do I write or amend a Data Privacy Policy and or Statement?

The best way to do that is by referring to the information in your data audit to make sure you include details that cover all of your data collection points.  With regards to the layout for the data privacy statement, the content really depends on your own online business activities.  In my case, I just showcase my services on my website but if you sell products or services through your website then you are collecting more personal data and your data privacy statement should clearly explain why the data is being collected, how it’s being secured etc.

I know I promised not to use legal jargon and I won’t, but to get a legal understanding of a data privacy policy and to find out how best to write the content for a policy, check out the Data Commissioner site here, it does clearly explain how it should be done and indicates the headings to use for each section.

Once you are happy with the content of your data privacy policy and or statement, publish it on your website, link it to collection notices and add it to your service contracts or to your terms and conditions.

Collection Notice Points

I gave an example of an online collection notice in blog post No 3.  But just to confirm, a collection notice should be available at the point at which you ask for personal data to be shared with you.  So using the data audit you can quickly see where you have been collecting personal data. Keep in mind that GDPR is mainly concerned with evidence of consent and evidence that data is being collected and stored securely.

Checklist

Here is a list of marketing collection notices that you might be using to collect personal data:

Online | Offline
Subscription pop-up/form on website/social media sites | Subscription form
Questionnaire | Questionnaire
Survey | Survey
Competitions | Competitions
Webinars/Event registration* | Event registration
Application forms | Application forms
Website Cookies | Business cards
Testimonials | Testimonials
Free downloads (E-books/Tips) | Retail stores loyalty programmes

I am sure there are many other points but you will know where and how you collect personal data for your own particular business.

The important thing to remember here is that you should not add a person’s data to your Newsletter subscription list if they only consented to receive your E-Book!  You will need consent for both marketing activities.

Where possible, you should refer to the Data Privacy Policy and or Statement on the collection notices, offering the individual the opportunity to Read More before they give consent. (Remember, that’s the bit that many of us ignore!) Whether an individual reads it or not is their choice but we have to ensure that the collection notice does clearly explain why the data is being collected.

Right, I’m glad that bit is over.  In my next post, I will look at Retention, Withdrawing Consent and deleting files. Coming soon. Promise!

GDPR and Sole Traders – No 3

It’s all about Consent!

This blog post is the third in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own. I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or tips below.

This third post is all about Consent, a hot topic at the moment!

Consent and GDPR? What’s that all about?


The wording goes, more or less like this:

Consent must be freely given, specific, informed and unambiguous.

Eh, OK, so what does that mean?

As mentioned in Blog post No 1, the regulation has been put in place to protect an individual’s personal data.

With so much of our time spent online, we have become used to giving away our personal data without a second thought.

How many times have we signed up for an online subscription and clicked submit without reading the terms and conditions or data privacy policy?  Millions of times!

How often have you seen pre-ticked boxes pre-determining that you give consent to receiving marketing emails or news updates, just as you click submit?  Loads of times!

As sole traders, we will now have a responsibility to ensure that any collection notices (requests for personal data) clearly state how the requested data will be used so that the person is informed.

Let’s use an example to explain this in more detail. 

When you visited this website to read this post you should have received a Pop-Up box (or you will!) suggesting that you subscribe to my blog so that you can receive upcoming posts directly in your inbox.  I have used a text on the collection notice that I feel clearly states the purpose of the collection notice, see the details below:

By subscribing here, you agree to receive Gillian B’s blog posts. (Specific)

After the personal data text fields, there is a subscribe button stating

Yes, I want to subscribe (Consent is freely given)

And under the submit button is the following text

By subscribing here, you agree to receive Gillian B’s blog posts by email. We take your privacy seriously.  These personal details will be used exclusively to send you upcoming blog posts by email.  You can unsubscribe at any time.  Your personal data will be deleted within six months of unsubscribing. (Specific, informed, unambiguous)

So what I have done is let the person know what they are subscribing to.  I have ensured they click on a subscribe button that clearly shows their consent to subscribe. I have then reiterated what they are subscribing to, in this case, my blog posts, and I have informed them that they can unsubscribe at any time after which, the data will eventually be deleted. They will also be given a Double opt-in by MailChimp (the 3rd party Data Processor) when confirming their subscription. I can also provide more detailed information on subscriptions in my Data Privacy Policy, but more on that in the next blog post.

Thinking back to Blog Post No 2, your data audit sheet can be updated when a subscriber completes this type of collection notice.  You will have the data type, the date consent was received, where it originated from, etc. in other words you have proof of consent.

When and where do I need to ask for Consent?


You need to ask for consent for every piece of marketing/promotion material that you send to a customer both offline and online.  This is important.  Just because a person has consented to receive my blog posts, I can’t add their details to a separate newsletter mailing or marketing email because they are different marketing activities.  If I only have their consent to include them in my blog mailing list then that’s all I can send.

Similarly, if a person is an actual client/customer who buys my products or services, that doesn’t give me the right to use their data to send them marketing communications.  I must get consent first.  If I want to send the client/customer a newsletter I can use the email data to ASK them if they would like to subscribe to a newsletter.  That way, I am giving them the opportunity to consent to subscribe to the newsletter.  You could also add a collection notice at the point of sale giving them the choice to opt in for the newsletter (online sales).  Many businesses do this, but the opt-in can no longer be a pre-ticked box!

This brings me to another point.  Many of you will already have mailing lists that individuals signed up for at one point or another.

It is now your responsibility as a sole trader (perhaps after your data audit) to contact those individuals to get a fresh opt-in to your subscriptions.  If a person is signed up to several of your subscriptions then you need a renewed opt-in for each one.  It is good practice anyway to renew subscription lists every two years.

Next steps to becoming compliant

In my next post, we will look at updating forms and collection notices or other materials that include collection notices, it’s just a bit of a checklist.  Coming soon! Promise! 🙂

GDPR and Sole Traders – No 2

Data Controllers and Data Processors – Which am I?

This blog post is the second in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be interested in finding out how to become compliant before the deadline on the 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own.  I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or additional tips below.

This second post covers the roles of the Data Controller and Data Processor and suggests how you can start to become GDPR compliant.

Who or what is a Data Controller?

In the case of a sole trader, you are a Data Controller because you are collecting personal data for your business activities including sales and marketing and/or any other activities that involve recording personal data. To draw comparisons, FACEBOOK is a company and it’s also a Data Controller.  But because it’s such a big company it will have several Data Officers taking care of its GDPR compliance. They are probably quite busy at the moment!


Who or What is a Data Processor?

If you are a sole trader or small business owner and you are recording and storing your customers’ personal data for business, either on hard or soft copy files, on your laptop, computer, external hard drive or in your filing cabinets, then you are also a Data Processor.  If you are using online software systems such as MailChimp, ActiveCampaign or Sage to process that personal data then you are using 3rd party Data processors. To draw comparisons again, FACEBOOK is a Data Processor when its algorithm selects your Customised Audiences for advertising campaigns and MailChimp is a Data Processor when it stores data and delivers your newsletter campaigns to your customers or prospects.

How do I become compliant?

Right, you are going to have to put in some work to become compliant, however, once you have a system in place, it should be plain sailing from then on.  Becoming compliant involves reviewing how you have been collecting and storing data up until now, and then putting systems in place to ensure that you start collecting and processing data with GDPR in mind.  This applies to both offline and online data collection.

Where do I start?

You start with a Data Audit.  If, like me, you haven’t been long in business (I’m a year in business, my first milestone…hurray!) then you won’t have to check back too far.  Ideally, you should review all of the personal data which you have collected in the past, including current clients or customers.  Then you have to start answering some questions.  (I created my Data Audit in an Excel file.)  The easiest way to start is to think of one regular client and perhaps one once-off client, and then ask these questions.  Here is an example relating to a sales customer:

Question | Answer
What is this data? | Sales customer information
When was the data collected/recorded? | 18 March 2017
How was it collected? | Online sales transaction by a customer on {your website}
Legal basis for collecting data? | Business sales transaction contract *
What information is included? | Name and Address Details
Is the data accurate? | Reasonably **
Is the data sensitive? | No
Where is the data held? | Laptop / Filing cabinet
Is the data secured? | Password-Encrypted Laptop / Locked Cabinet
Why is the data held? | Regular customer/Accounts records
Is the data shared with 3rd parties? | Nightline couriers (deliver product)
Is the data shared outside EEA? | No
How long will the data be kept? | At least six years
How will the data be destroyed? | Online and offline shredder

*because the data was collected for a business transaction, that transaction is the legal basis for collecting the data.

**the data should be accurate but if it is old data, it could be out of date i.e. person changed address and in that case, you should probably answer ‘not sure’.

As you can see there is a lot to think about and in some cases, you may not have all of the details on your files to answer these questions about your past or existing customers, but you can make a stab at it.  Once you are happy with the data audit you can use the template and update it with new customer information going forward.

The example I gave above was focussed on a sales client but if you are trying to grow your business you are probably engaged in marketing activities to attract leads. So let’s see how different that might look:

Question | Answer
What is this data? | Lead details of a potential client
When was the data collected/recorded? | 18 March 2018
How was it collected/originated? | Newsletter sign-up by a person on {your website}
Legal basis for collecting data? | Consent on signing up *
What information is included? | Name and email details
Is the data accurate? | Yes
Is the data sensitive? | No
Where is the data held? | MailChimp mailing list/external hard drive
Is the data secured? | Privacy Shield **/hard drive locked in a cabinet
Why is the data held? | To send a monthly newsletter
Is the data shared with 3rd parties? | MailChimp
Is the data shared outside EEA? | Yes
How long will the data be kept? | Until person unsubscribes from the mailing list
How will the data be destroyed? | Delete from MailChimp list/external hard drive copy

*this is important because you are stating that you have this data because the person consented when he/she signed up for your newsletter.

**lots of cloud-based software companies are based outside the EEA and you need to ensure they are secure.  As for Privacy Shield… it’s another conundrum, google it.
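The audit rows above are really a small register, and a register is only useful if you can query it: which rows are past their retention period (the question asked in post No 5), and, when a Joe Bloggs asks to be deleted, every place his details live, not just the MailChimp list he unsubscribed from. As an added example, and not part of the original posts or a template the author published, this Python register mirrors the two tables’ questions and answers both queries. The sample rows, the six-month post-unsubscribe grace period (taken from the blog’s own subscription notice) and the function names are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed grace period after a withdrawal of consent; the blog's subscription
# notice promises deletion "within six months of unsubscribing".
POST_UNSUBSCRIBE_GRACE = timedelta(days=183)

# Constructed "as of" date for the demo (just before the 25 May 2018 deadline).
TODAY = date(2018, 5, 1)


@dataclass(frozen=True)
class AuditRecord:
    """One row of the data audit, mirroring the questions in the two tables."""
    description: str                 # What is this data?
    subject: str                     # whose data it is (email used as the key)
    collected_on: date               # When was the data collected/recorded?
    origin: str                      # How was it collected?
    legal_basis: str                 # "contract" or "consent"
    fields: tuple                    # What information is included?
    sensitive: bool                  # Is the data sensitive?
    locations: tuple                 # Where is the data held? (every copy)
    shared_with: tuple               # Is the data shared with 3rd parties?
    outside_eea: bool                # Is the data shared outside EEA?
    retention_years: Optional[int]   # None = "until the person unsubscribes"
    consent_withdrawn_on: Optional[date] = None


def _add_years(d: date, years: int) -> date:
    """Add calendar years, mapping 29 Feb onto 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: AuditRecord) -> Optional[date]:
    """Date after which the row should be gone, or None when it is still
    legitimately held with no end date (an active consent-based subscriber)."""
    if rec.retention_years is not None:
        return _add_years(rec.collected_on, rec.retention_years)
    if rec.consent_withdrawn_on is not None:
        return rec.consent_withdrawn_on + POST_UNSUBSCRIBE_GRACE
    return None


def due_for_deletion(records, today: date) -> list:
    """Rows whose retention period has already passed as of `today`."""
    return [r for r in records
            if (dl := retention_deadline(r)) is not None and dl < today]


def locations_for_subject(records, subject: str) -> list:
    """Every place a subject's data lives, including processors it was shared
    with, so an erasure request can be actioned everywhere."""
    places = set()
    for r in records:
        if r.subject == subject:
            places.update(r.locations)
            places.update(r.shared_with)
    return sorted(places)


# Constructed sample rows (not real customers); the dates echo the blog's examples.
SAMPLE_RECORDS = (
    AuditRecord("Sales customer information", "anne@example.com", date(2017, 3, 18),
                "Online sales transaction on {your website}", "contract",
                ("name", "address"), False, ("Laptop", "Filing cabinet"),
                ("Nightline couriers",), False, 6),
    AuditRecord("Newsletter subscriber", "joe.bloggs@example.com", date(2015, 6, 1),
                "Newsletter sign-up on {your website}", "consent",
                ("name", "email", "phone"), False,
                ("MailChimp list", "External hard drive", "Paper file"),
                ("MailChimp",), True, None, consent_withdrawn_on=date(2017, 10, 1)),
    AuditRecord("Workshop survey responses", "joe.bloggs@example.com", date(2015, 3, 1),
                "Paper questionnaire at workshop", "consent",
                ("name", "email", "feedback"), False, ("Laptop",), (), False, 1),
)


if __name__ == "__main__":
    for r in due_for_deletion(SAMPLE_RECORDS, TODAY):
        print("delete:", r.description, "deadline", retention_deadline(r))
    print("Joe's data lives in:", locations_for_subject(SAMPLE_RECORDS, "joe.bloggs@example.com"))
```

With the sample rows, the six-year sales record is still within retention, while both of Joe’s rows come back as due: the survey because its one-year period ran out in 2016, the newsletter because his consent was withdrawn more than six months ago. The location query is the point of recording every copy in the audit: it lists the laptop and the paper file as well as MailChimp, which is exactly the "are his details anywhere else?" check from post No 5.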

How can I manage it all and why do I have to do all of this?


For sole traders and small business owners, who don’t have a dedicated person to handle this, it is really a question of dedicating time to getting your house in order.

If Revenue called on you tomorrow to audit some of your accounts, would you be ready? Hopefully yes!  Being GDPR compliant is similar, but it’s really about security.

Do you have a customer’s credit card details?  Do you have sensitive information about an individual (coaching or counselling notes for example?) Do you have personal data that if leaked, lost or stolen could ‘upset’ the individual concerned and cause them to look for compensation?  Or, consider this, what if a person asked you to delete all of their personal records, would you know where to find the data? Could you guarantee that you have complied?

If you are holding information on your systems (laptop, computer, phone, hard copy files, external hard drive, etc.) that you no longer need for business (except for your financial accounts, which are held for a period of six years), then it’s probably best to delete it, shred it or burn it!

As of 25th May 2018, you will need to have a legal basis or individual consent to control and process personal data.  More about getting Consent in my next post, coming soon! Promise! 🙂

GDPR and Sole Traders – No 1

The Bare Basics

This blog post is the first in a series of posts on the lovely subject of GDPR.  If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on  25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts.  These are my own views. I won’t be using legal jargon or providing information that relates to bigger companies, as they have their own HR and IT staff to handle their compliance.  I hope you will find the posts helpful and feel free to add comments or tips below.

This first post covers the bare basics, which you may now be familiar with.


What is GDPR?

It stands for the General Data Protection Regulation (I still struggle remembering what it stands for!) which is being brought into force in May 2018 because the current Data Protection legislation is considered outdated.

Who does it affect?

It affects us, that’s all you need to know.  It’s being put in place to protect an individual’s personal data.  And so, it affects sole traders handling the personal data of individuals for business reasons, here in Ireland, or elsewhere in Europe. It also affects any 3rd parties outside of Europe who handle the data of Europeans! I’ll explain more about that in my next post.

Who is enforcing GDPR?

In Ireland, it’s the Data Protection Commissioner.  In each member country, they are called the Supervising Authority.  In our case, they have provided a website called www.gdprandyou.ie so that you can make yourself familiar with the regulation. It’s worthwhile spending time going through it. It’s easy enough to follow.

Why do we need a Supervising Authority?

This is the bit that people are worried about.  It all sounds a bit strict! The GDPR will give the Supervising Authority power to impose fines on companies or organisations that are not compliant. I am not going to discuss non-compliance as it is quite detailed but basically if companies don’t follow the rules of the regulation they can be fined.  When it comes to fines, it is likely to apply to larger companies and organisations in Ireland, that are holding large amounts of personal data.  We have all heard about the Facebook data breach crisis by now!

But the GDPR also means that we as individuals can claim compensation if we can show that our personal data has been misused, lost, destroyed, stolen, or altered, or any of those kinds of things.

As sole traders, collecting and handling personal data, we can be called Data Controllers and Data Processors and therefore we have a responsibility to ensure that the personal data we have on our clients or customers is collected and stored with the regulation in mind.

What is meant by the collection of Personal Data?

This bit can confuse people. The GDPR suggests we have to get Consent to collect personal data; however, as a sole trader you know you need to record customer or client details just to do business.

“But I need their data for my accounts to send my invoices or to deliver the goods they purchased! Do I have to ask for their consent in writing now?”

From what I understand, the GDPR is being put in place to ensure that we secure the information that we are holding.  So in the case of sales, it’s not really about asking for consent each time you take a customer’s details for a sale.  It’s really about ensuring that the information is kept safe.  As a sole trader, you need to keep your financial records in a safe accessible place for six years so that if Revenue gets in touch, your accounts are in order. We already know we have to do that.


The GDPR will especially apply to marketing activities. If you collect any personal data for marketing purposes, then, as a Data Controller you are accountable and must ensure that it is collected and stored with the regulation in mind. If you are also processing that Data, then you are also a Data Processor and must ensure that it is collected and stored with the GDPR in mind. I will discuss those two roles further in the next post.

The typical data collected or processed are names, addresses, emails, dates of birth, telephones, photos, and ID numbers for example, but the less obvious things are browsing history, online shopping behaviours, sensitive information and so on.  In simple terms, anything that can directly or indirectly identify a person is Personal Data and as a sole trader, you are accountable to collect and store that data appropriately.

How do I become compliant?

There are steps to put in place in order to become compliant and that’s what I will talk about in the next post, coming very soon! Promise 🙂