GDPR ... just over a month to go before this law comes into effect.
We must have loads of small business owners and sole traders here. What are you guys doing?
Mrs is a Sole Trader with a website. The website has just two forms through which customers can contact her and leave feedback. Otherwise, customers will contact her by phone or directly by email.
Minimal customer information is taken - name, address, phone number(s), email address and any business specifics. That information is held in a spreadsheet and in individual customer knowledge documents.
So, data is gleaned and processed ...
I have followed guidance from the ICO and put together a privacy policy for the website. I've also ensured that the two forms have an acceptance box (not pre-filled) and that this is recorded when the forms send their emails on.
I'm struggling now with some of the specifics and it's not for lack of contacting the ICO. I started with a web chat which was merely updated with links to documents that I've already read and then when I started asking specifics, the chat abruptly ended. Annoyed, I rang them and started to talk through a few scenarios, only to be guided to the same documentation.
1. What do we do with existing data? Granted it falls under the GDPR after May 25th, but does she need to seek new consent from all customers to hold their data (that's simply their names, addresses, phone numbers, email addresses and any details pertinent for providing service).
2. Many Sole Traders have a website. Information that comes in via email and/or web forms is hosted by the website provider. Since data under the GDPR cannot be held outside of the EEA, how are folks tackling their web hosting companies - she's with UK2. The person at the ICO said this was between her and her provider.
3. Likewise, how or where are folks backing up their data? Many will keep their business spreadsheets in and amongst their regular files on their computer. Say they sync to cloud, be it iCloud, OneDrive, whatever, it's only with Enterprise versions of these (like Office 365 for Business or Dynamics CRM) that carry GDPR statements. Regular folks for whom these services are not financially viable are left with cloud that could be anywhere ... outside of the EEA to be presumed and therefore in breach of the GDPR. The person at the ICO said this was between her and her provider.
4. Apps. WhatsApp, for example, to communicate with customers, send/receive information and so on holds data outside of the EEA. I'm going to guess iMessage, too. Hang it all, perhaps the mobile phone provider uses storage outside of the EEA and she'll be unwittingly in breach. The person at the ICO said this was between her and her mobile phone provider.
5. Customers that request that she send data to them while they are outside of the EEA. It happens. Is that in breach? The person at the ICO did not know.
6. Say a customer exercises their right to be forgotten and she removes all that data, information, invoices, etc ... and then has an HMRC audit, they'll find missing documents. She could fabricate an entire business and say it was all removed under GDPR. The person at the ICO said that would be for her to work out with the HMRC.
7. Malicious intent. Say she wanted to get rid of all her competition, all she needs to do on the 26th May is visit all competitors' websites and then request her data. Cookies are data. When they reply "Que?", she reports the lot to the ICO and draws them into litigation. The person at the ICO agreed that this was possible. Spun the other way around, what's to stop competitors doing this?
How are folks dealing with GDPR? As I said at the top, she ensures consent for cookies, for data submitted through web forms and has a privacy statement in effect on her website along with notice on forms as to what, why and what will happen to data submitted. She has a data map - knows where all data comes in, where it is, where it goes and who it is shared with.
What we're struggling on is the questions above - it seems that, to cover herself, she's going to need a Solicitor to go through the privacy statement, engage with a business account for web hosting, buy into Enterprise level agreements for Office 365/Cloud hosting and so on and so on ...
Seems to me the reason GDPR is coming in (see Facebook and the recent Cambridge Analytica debacle) is actually going to cause most headaches for the small business and Sole Trader while the big boys continue to thumb their noses at this sort of thing.
Thoughts?