GDPR and Very Small Businesses

Transcript of the Video

Good evening, ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you raw and uncut, and I'm doing a video especially for you, smaller business owners. You've probably come into the group. There's an absolute myriad of information in there. You don't know what's going on. You're thinking, "Hang on a minute. I'm a sole trader. I turn over less than 20 grand," or whatever it might be. "Surely I don't have to watch a two-hour training and jump through all these hoops, and blah, blah, blah." I can quite understand your frustration at this.

Now, the first thing to note is that GDPR is not out to catch people like you, okay? It is out to catch people who are doing bad things with lots of data, and people who aren't intentionally bad. You know, things just happen and there need to be consequences for that, so if people don't have the right security in place or the measures in place to keep people's data secure, then there will be consequences for that, but in terms of what you're doing with data, the chances of you getting fined or having any of the sanctions whatsoever are very, very slim.

So I'm going to tell you, I'm going to give you some scenarios and tell you what you need to do which will save you, hopefully, save you watching all of the other videos and even the two-hour video, okay? Although I would recommend that because I don't know your exact situation, so I'll give you a succinct version now, but it's worth knowing the overview, is all I'll say. Anyway, hopefully, this will help.

We had a question posted in the group today which was from somebody who had a brochure website, didn't collect data through the website, didn't market to anybody, didn't have email sequences going out or anything like that, and literally just kept the personal data of clients, so what do you need to think about. Okay. Well, the good news is there's not actually that much that you need to think about if that's all you have. As always, the first step is, are you processing personal data? Well, yes, if you are even storing information that enables you to identify a living individual, then you are processing personal data and GDPR comes into play.

I'm sure that if you've got clients, then you will be processing their personal data, so what you need to do if you are processing personal data is comply with the principles of that. I'm just going to quickly read those out. I've got a really bad cough today. Right. Where are they? Okay. You need to process the data lawfully, fairly, and transparently. What transparently means is being upfront with people about what you're doing with that data. Now, obviously, if it's just processing data about clients in order to fulfill that contractual relationship, there's not a lot you've got to tell them there. You've just got to tell them that, essentially. "We will only use your data to fulfill our contractual obligations."

What that tells them is that you're not going to use it for marketing, you're not going to share it with third parties, you're not transferring it internationally, etcetera, but you do still need to tell them that. You need to send them a privacy notice, and the requirements for that are that you have to send it at the time that the personal data is collected from the data subject. Now, obviously, you've got clients who are already clients now. You need to send them a privacy notice before GDPR comes into place, and then on an ongoing basis send new clients a privacy notice at the point of collection of their data, and in that privacy notice, you need to set out certain things. The things that are relevant to you are your identity and contact details. You're not going to have a data protection officer because you're too small, so you don't need to bother about that.

The purposes of processing and the legal bases of processing, and literally, if it is as simple as your processing is for providing the services to the customer, then literally, that's what you'd say, and the legal basis for processing is a contractual ground. You don't need to bother about legitimate interests, so you don't need to bother about recipients or categories of recipients because if you're not transferring to third parties, then that's out. Now, with third parties just be sure that you really aren't transferring the data to third parties because sometimes we are and we think that we're not. Let me think. Now, you might not be doing this. You've not got a CRM system or an email service provider, so that's fine. A bookkeeper, you're probably doing your own bookkeeping.

Who else might you have, typically? Yeah, website hosting or if you use any cloud-based providers, might be just worth looking into whether they are actually a processor or not. I'll actually do a video, a separate video on whether website hosting companies are always processors or not, but have a good think about, are there any third parties that you do actually transfer the data to? If you don't, then that's great. You've got a very simple privacy policy.

You also need to state the period for which the personal data is going to be stored, and the principle there is you only keep the data for as long as is necessary. Now, with client data I would typically say, keep that for at least six years because that is the period in which contractual claims can be brought, so if there is a dispute at any point you want to be able to look back through that client data. You need to tell them about the existence of certain rights like the subject access request, the right to be forgotten, etcetera. You need to tell them about their right to withdraw consent, but you've not got any grounds, lawful grounds of processing on the basis of consent, so you don't need to worry about that. You do need to tell them about the right to lodge a complaint with a supervisory authority, and yeah, the rest of it isn't relevant to you.

So quite a simple privacy policy, okay? Now, if you want to get a hold of one of those, there's one in my pack at the moment. There is a simplified one-page version which is for use by therapists and other people who collect sensitive data on hard copy forms. I think what I will do is another simplified privacy policy which covers the scenario that we're talking about where it is, you are literally just processing clients' data that you can send over to clients when you're collecting that data. Now, if you are collecting data, I'm not sure how you take on your clients, but if you're collecting data over the phone when you're initially taking clients on, then just send an email straight away following up with a privacy notice.

I suspect you're not taking it online because you've just got a brochure website, but the point is that you're supposed to give the privacy notice at the point of collection of the data. Okay, so that is that. You do need to be aware of the enhanced rights of data subjects, so particularly there's this subject access right. You can't charge for it. You have to respond within a certain period of time. Take a look at my video on that, or just have the flag that if somebody does ask for it ... and they might not phrase it as a subject access request. They might just say, "I want to know what data you're holding about me," but realize that that is important, and then you can come back and look at my resources about what to do. Excuse me.

What else do you need to know about? Privacy policy. Yeah. Sorry, back to the principles, okay? Yeah, so the data you collect should be adequate, relevant, and limited to what's necessary, so don't be asking them for their inside leg measure if you don't need that for the provision of the services. The data should be accurate, and when necessary kept up-to-date. It should only be stored for as long as necessary for the purpose, so when they are no longer clients, then there may be certain data that you don't need to keep anymore, but be mindful of the fact that you will need to keep some of it for things like contractual claims, defenses to contractual claims, that type of thing.

And you need to keep the data secure, particularly if it's sensitive data. Sensitive data is things like ethnicity, religious beliefs, political opinions, health matters, things like that, and even if it's not, you need to keep that data secure, so if you've got hard copy data, then make sure you're not leaving it on trains or in toilets or leaving laptops. You still need to have a good level of protection there. What else? If you're not transferring it to third parties, you don't have to think about processors and things like that. I think that is pretty much all you need to think about, is putting a new privacy policy into place with your existing customers, and then as you subsequently take on new ones, to do that.

Obviously, this is all on the basis that you've got a really super simple business, and if you're not doing any marketing, that takes the whole of that away, which is a really big thing. I think that is pretty much all you need to think about, which makes it an awful lot easier, doesn't it, really? So really it's a case of understanding what data you are ... and this is in the pack as well, a data inventory, but it'd be really simple if literally all you are doing is holding and processing customer data for the purposes of providing the services. Then it's super simple, but you still do need the privacy notice and you still do need to think about their enhanced data subject rights, but other than that, I think they're the main things.

Still a bit jet-lagged, so if anything else comes to me when I finish this film, I'll pop it in the comments to this video, but please, I know it's a very ... when you come into the group it's quite daunting. There's a lot of information. There are terms that you don't recognize. There are people that have been in the group for months, who in their months were very clued up on what GDPR is all about, so I know that when you come in and you see discussions, and you think, "What is this all about?" it's very daunting. That's why I've put in the pinned post the steps to work through, but equally, I understand that if you've got a very small and simple business, that's a lot to do, so I hope this has helped in some small way, and also if anything else occurs to me, I'll pop it in the comments. Bye for now.