Here we are again with GDPR. Every time I think we’ve turned the corner, there are some more questions. So I got back in touch with our GDPR fairy godmother Robyn Banks and she again kindly answered. (You might want to read GDPR – Busting some misconceptions first)
Common Sense seems to be evaporating due to four magical letters – GDPR
Many small business owners/sole traders seem to have been very happy running their businesses effectively and with common sense – until the middle of last year when the four magical letters “GDPR” started to appear on everyone’s lips and have been causing havoc ever since.
So here are the latest batch of popular queries – all start with “I’m a Sole Trader, do I need…”
Q – “..to have written policies on why I collect data and requests to access clients’ data. It’s just me, my clients’ names and addresses and what they’ve ordered in the past.”
A – The short answer is Yes – but in a certain way. The first part you can put into the Privacy Notice and you should have an outline procedure to follow if anyone makes a Request upon you for a copy of their data. This is all personal data under the terms of the legislation.
Q – “I take brief medical histories because I’m a beauty therapist. Do I need to have written policies if they want to access their data? It’s all kept in a locked filing cabinet.”
A – See the first answer. Keeping data locked away is a separate part of compliance. All structured manual data and electronic data needs to be protected from unauthorised access.
Q – “If you go through the checklist on the ICO website, it asks if you have updated all your records..”
A – Yes, it does! “Privacy by Design” is a new legal requirement (currently best practice!) which asks each business owner/organisation to look at their business and procedures around personal information – then “document” the activities – this can be in the Privacy Notice, Data Retention Schedule and Policy and a new “internal” document – Accountability. You should always be making sure that the data you are relying on is up-to-date anyway – that’s in the current legislation.
It may be prudent to point out here that you do not need consent to process data every time you use it – and you are not required to re-contact everyone on your existing list to re-seek consent either.
Q – “if I meet someone when I’m networking and they verbally ask/agree to go on my mailing list, do I need to have more concrete proof of their consent?”
A – No. If someone gives you verbal consent to use their data, just ensure that you record the date of this consent on your records. When you first “market” to this person, it could be prudent to reinforce their right to withdraw consent at any time and also reconfirm that you have their consent to send them marketing material.
I hope the above makes certain points clearer for you.
Robyn Banks from aDaVista, Specialists in utilising the Data Protection Act 1998 & the Freedom of Information Act 2000.
Thank you so much Robyn for taking time to answer these questions.
As I hope you are now learning, GDPR doesn’t mean you need to turn to drink but if you still feel unsure about anything, I strongly recommend you book a session with Robyn; she’s worth every penny and really knows her stuff.