New Data Protection rules.

t.dunphy · 21-04-2018 10:06am #1

Please forgive the ignorance but how would a small company approach these new data protection rules. Say a company with 2/3 employees and up to 40/50 customers during a year, the information recorded is very limited but it's both digital and 'pen & paper', just names, addresses, contact details and in fairness some bank details. Do some strict policies and basically a procedure that says all details are deleted and destroyed after 30 days of inactivity, is this more than acceptable or does anyone know something different. I'm nearly sure my solicitor advised that just policies & procedures would cover the company.

Thanks

Seth Brundle · 21-04-2018 12:03pm

"Policies and procedures" is vague.
The GDPR states that any personally identifiable info about a person in Europe ir doing business with Europe must provide clear reasons for collecting, using and storing of the information.
The information being any personally identifiable information including email addresses, IP addresses and other IDs. This can be digital, paper, smoke signals or anything.
Is the data stored securely?
Is all the information being collected needed? Do you have written permission to use it?
Have you provided them with details on the retention policy?
Is there a defined data protection plan in place? Who is the data protection officer and donthis clear to staff?

Are your mailing lists opt-in rather than opt-out?
If a customer employee request a copy if all the data being held on them, can you supply it in a usable format within the time frame?

There is a fair bit to it to be honest but not difficult to attain. It sounds like you have a handle in it. You should sit in an a free webinar about it and get a better understanding IMO.

jimmii · 21-04-2018 12:25pm

Is it b2c or b2b? What you need to do differently will differ depending on if your customers are customers or individuals.

Seth Brundle · 21-04-2018 2:41pm

It applies to pretty much *any* personally identifiable information but doesn't distinguish between business or customer.
If you as an organisation are collecting, storing, processing, reporting (or any other verb) personal data then the rules apply regardless if whether you have personal data on your customers or on your employees.

This isn't designed to stifle the processes and day to day business. It is to ensure that sloppy manager of the information doesn't happen. This is achieved by having clear policies in place.

If you have a customer who you sell to each week e.g. Jones shop you need some personal data e.g. name, email and mobile and maybe bank details. Fine. The law now is to get you to document how that information can be stored and who should be allowed access it and for what reasons, etc. Hopefully gone are the days when a USB key with customer data gets left on a bus. Now someone will be accountable for any mistakes.
The law is designed to protect the person's personal data rrgardless.of whether the data controller is Facebook or a carpenter or a GAA club or whatever. The important entity is the individual whose data has been collected.

the_pen_turner · 22-04-2018 7:15pm

where do you find out the exact list of what you need to do in practical terms. not corperate and stupid vague wording.

Seth Brundle · 22-04-2018 7:25pm

There are loads of companies providing GDPR services.
I helped compose the following page when I previously worked with this company: www.olas.ie/development/gdpr
It lists the various rights an individual has in terms of their data.

There might not be many free advisory pages in plain English. A quick Google will show you.

the_pen_turner · 22-04-2018 7:40pm

kbannon wrote: »

There are loads of companies providing GDPR services.
I helped compose the following page when I previously worked with this company: www.olas.ie/development/gdpr
It lists the various rights an individual has in terms of their data.

There might not be many free advisory pages in plain English. A quick Google will show you.

thats not a bad page but is still miles away from anything practical . its a sales pitch page. nothing wrong with that

this whole gdpr thing is a disaster. there is nothing availible to help the small company. and definetly nothing i can find that lists the practicallities of it.
we want a list of easy follow steps that must be followed. like
password protect all invoicesm estimates
encript emails etc
store all printed copies in a locked filing cabinet.
shred any old unwanted invoices

simple steps like that.
its alright for huge companies who will just hire in a person for that job .
the tradesman or small comany has to do it all them selves. we are clueless as to what we are being asked to do

Seth Brundle · 22-04-2018 8:04pm

That page gives the rights people will have over their personal data. From there you shoukd apply that to your business.
GDPR is a law and will apply to you in the same way any other law does. In fairness to the GDPR, it is written in a way much easier to understand compared to other laws. However as all businesses are different in terms of their use of personal data, the wording if the law cannot be specific in terms of what you must or must not do.
However it doesn't necessarily relate to invoices or estimates as these aren't personal data (although there may be personal data for private sales). You can keep these for tax audit purposes. They just need to be stored appropriately.
Do you have a CRM or details of employees or collect web stats or do mailshots or collect potential customer details at a trade fair or record cusromer calls? These are personal data.
Have a look around your business. What personal data is being collected or stored.or used? Personal data on your employees. Personal customer details. Personal supplier details. CCTV and so on.
Now with each of those pieces of data ask yourself if you need that information.
Ask yourself if you have provable permission to have that data. Ask yourself if you have a data retention policy for that data. Ask yourself how can that data be used in a manner that you don't have permission for.
Any risks there? I'd hazard a guess and say probably.
Now in terms of your employees and contractors: are they aware of the GDPR and the obligations associated with personal data? What do they do if there's a personal data request? What do they do if theres a personal data breach? Gone are the days when it can be dismissed or ignored or kept secret.

If you don't know what to do then talk to someone who does.

the_pen_turner · 22-04-2018 8:15pm

whats the typical cost of getting in an expert to give a solution for a one man band

Seth Brundle · 22-04-2018 8:18pm

the_pen_turner wrote: »

whats the typical cost of getting in an expert to give a solution for a one man band

How long is a piece of string?
I don't know because I know nothing about your business or processes. You possibly are doing everything right or making a balls of handling all forms of personal data. Every scenario is different.
Look up that link I posted earlier and start from there. I don't work in this area anymore and don't know rates etc.

jacksn · 23-04-2018 12:52pm

Thing about GDPR is that it is coming into legislation in a months time that's fair enough but there is still time for businesses to become compliant after the 25th May and work on their compliancy, you just have to hope you don't have a data breach!

I'm doing an express GDPR package for small business (5 or less) and sole traders. Gap Analysis, Data Mapping, DIPA(Digital Impact Assessment), Data Breach Scenarios, Website Overview & Documentation, Awareness, Contract review with suppliers and clients. At least this will give them some level of GDPR compliancy and show they are taking it seriously if the commissioner comes knocking. Theres no badge or award to say a business is GDPR compliant.

But every business is different of course and I think GDPR is a good thing, I am finding credit card numbers written on postit notes from 5 years ago in some places, personal information stored in notes on iphones, shocking and then some small businesses are totally on the ball making it a lot easier.

IMO The Data Commissioners office have been terrible in terms of GDPR awareness guidance and information. They were supposed to have a new website for https://www.dataprotection.ie/ up and running and it's not even finished, guess when they expect it to go live? 25th May of course.

jimmii · 23-04-2018 6:56pm

In our area there's been quite a few council funded workshops which is good a lot of people still don't have much of a clue about it though.

The biggest problem we have has is due to a fairly old but large membership database to make sure we've got our bases covered we've contacted everyone for consent to be contacted and also due to the new regulations we've switched dd processor and that's meant getting email addresses to be able to set them up with the new company from a lot of old accounts which has been going on for months! Some people are just impossible to get hold of!!

boege · 23-04-2018 7:33pm

OP
There is a 30 day response time for subject access requests. Provided you have policies to delete any personal data within 30 days, and you can demonstrate compliance with such policies, then you should be Ok, but do check with your solicitor. Note: delete really means delete, and includes emails, email backups, as well as your email deleted folder.

If you have staff you will have payroll and retention of PPS numbers is a red flag test question for processing of personal information. If you outsource payroll you have to talk to you solicitor as you will need legal agreements with your payroll contractor.

There are exemptions for personal information which businesses are required to retain by law. Also, don't get mixed up between personal data and confidential information which seems to be confusing a lot of people.

My advice is bone up, check the data protection commissioner website. Lots of resources including a checklist.

https://www.dataprotection.ie/docs/Self-Assessment-Data-Protection-Checklist/y/22.htm

GDPR is a consultants paradise right now!

testicles · 23-04-2018 7:37pm

This post has been deleted.

BarryD2 · 24-04-2018 12:47pm

Risk assessment:

What is the reasonable likelihood that this GDPR will come to bite any small business in Ireland?

Who is going to complain and why?

I can see a case for larger institutions and businesses that hold sensitive financial data etc., but I just don't see any ordinary Sean citizen getting their knickers in a twist if their address has been stored by the local self employed florist???

The biggest shocker about this legislation is that the State has conveniently exempted itself. And IMHO, they can be significant offenders in this area.

jacksn · 24-04-2018 1:33pm

testicles wrote: »

This post has been deleted.

no advertising intended, typing too fast - thanks for the tip.

Vetch · 24-04-2018 2:12pm

BarryD2 wrote: »

Risk assessment:

What is the reasonable likelihood that this GDPR will come to bite any small business in Ireland?

Who is going to complain and why?

I can see a case for larger institutions and businesses that hold sensitive financial data etc., but I just don't see any ordinary Sean citizen getting their knickers in a twist if their address has been stored by the local self employed florist???

The biggest shocker about this legislation is that the State has conveniently exempted itself. And IMHO, they can be significant offenders in this area.

Lots of people submit DP queries or make complaints to the DPC if they're not happy. In terms of small businesses with limited customer data, employees might cause bigger issues as they will likely know of weaknesses.

jacksn · 24-04-2018 3:03pm

BarryD2 wrote: »

Risk assessment:

I just don't see any ordinary Sean citizen getting their knickers in a twist if their address has been stored by the local self employed florist???

not until the local florist that operates an entry level wordpress/woocommerce website to carry out orders is hacked or the data is breached by an unauthorised user or Mary in the shop decides to start using customer emails for newsletters that Sean didn't consent to when placing an order.

Will the local florist have a 'right to erasure' policy in place? will they have a breach notification policy and will they have a process for Sean to access the information they have stored on him? .. doubt it

also the personal information they may store may fall under 'special categories' if Sean is gay and sent flowers to his boyfriend and this was noted by the florist in Seans order history?

GDPR is giving the power very firmly to Sean and every punter out there and the process of reporting a business for failing to protect their data is going to be as simple as possible with the DPO office.

Seth Brundle · 24-04-2018 3:49pm

BarryD2 wrote: »

Risk assessment:

What is the reasonable likelihood that this GDPR will come to bite any small business in Ireland?

Who is going to complain and why?

I can see a case for larger institutions and businesses that hold sensitive financial data etc., but I just don't see any ordinary Sean citizen getting their knickers in a twist if their address has been stored by the local self employed florist???

The biggest shocker about this legislation is that the State has conveniently exempted itself. And IMHO, they can be significant offenders in this area.

In terms of why will complain? Customers obviously. However a disgruntled employee could also.
Why? Depends on what has happened. There is also the issue of compensation now which may make it more attractive to some.
I used to be a member of a small club who it turned out left paper forms (with credit card details on them) lying around the office.
I don't want a company using my details for a purpose other than what I originally gave them. I didn't ask to join their mailing list. I didn't ask to be cold called.
I don't want to find out that a company I called a few years ago still has my personal details.
I don't want the small company blacklisting me because they have incorrect details on me.
There are loads of reasons people can object to a misuse of personal data and it doesn't necessarily just involve the behemoths.
It is wrong about the state though.

testicles · 24-04-2018 4:59pm

This post has been deleted.

MAJJ · 24-04-2018 5:03pm

This site should be of help to the OP and others it from the source, the EU, and explains things in clear language.
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Also for SMEs
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-rules-apply-smes_en

BarryD2 · 04-05-2018 10:46am

Seth Brundle wrote: »

There are loads of reasons people can object to a misuse of personal data and it doesn't necessarily just involve the behemoths.

Maybe, maybe not - the culture of a people doesn't just change because a new law is brought out. In fact, Irish people mostly ignore new regulation and just carry on as before. Maybe it'll just become a charter for the disgruntled. As it is, there is the scent of Y2K about it - lots of consultants trying to raise some work from it.

testicles wrote: »

This post has been deleted.

https://www.independent.ie/business/data-sec/ten-exemptions-for-state-institutions-as-new-data-regulations-come-into-force-35635579.html

Reported here as 'small' exemptions. But read the detail and some are very generalised and could apply as suits.

Seth Brundle · 04-05-2018 11:13am

BarryD2 wrote: »

Maybe, maybe not - the culture of a people doesn't just change because a new law is brought out. In fact, Irish people mostly ignore new regulation and just carry on as before. Maybe it'll just become a charter for the disgruntled.

It gives the individual control over how their personal data is being used by others.
The culture is being forced to change. Previously people gave their data because they couldn't avail of whatever service unless they agreed. Now the processes for its use will be more transparent.
People now can make educated choices on whether to provide their personal data - although, yes, they probably won't change their mind.
It also forces companies to be more responsible over the personal data they have which will be a big cultural change for many organisations!

BarryD2 wrote: »

As it is, there is the scent of Y2K about it - lots of consultants trying to raise some work from it.

The consultants wouldn't be making any money if companies already had their house in order!

MOH · 11-05-2018 10:38am

the_pen_turner wrote: »

simple steps like that.
its alright for huge companies who will just hire in a person for that job .
the tradesman or small comany has to do it all them selves. we are clueless as to what we are being asked to do

It's actually far harder for huge companies, who have to try and work out what's being done with data across dozen of departments. It's a couple of years work.

Basically, it boils down to knowing what customer data you have, protecting it, be able to provide it to the customer and let them correct it, know what you're using for, have explicit consent for that usage, and getting rid of it as soon there's longer a valid usage for it.
And having documented procedures in place showing you've covered all this. That's the core of it anyway.

If you're dealing sensitive information like criminal, medical, or children's data, there's additional requirements around that.

The UK data commissioner's site is a better structured than the Irish one, might help.

But you probably won't get a step by step guide for exactly what you need to do unless you hire someone in, as it's going to vary greatly between businesses.

Riskymove · 11-05-2018 10:43am

BarryD2 wrote: »

https://www.independent.ie/business/data-sec/ten-exemptions-for-state-institutions-as-new-data-regulations-come-into-force-35635579.html

Reported here as 'small' exemptions. But read the detail and some are very generalised and could apply as suits.

That is Article 26 of the GDPR so it comes from Brussels and applies to all Member States - not something doen by the State here

Those kind of issues have always been around - i.e. restricitng data protection where security of the state is concerned etc

They are not generalised at all

NeptunesMoon · 24-05-2018 1:23am

I'm a one man small business. Can someone please advise me just how far I need to go with deleting stuff, or do I really need to delete stuff at all??

I've only ever gotten business through my website and the odd bit through facebook.

I run a service business.

The customer will typically fill in a form where I ask for their number, email address and description of what they need.

I'll then get that by email and will then reply with a quote. There may be a few emails back and forth to confirm the job, others may never get back to me after I send the quote.

Once a job is confirmed, I add their phone number to my Google contacts and give them a customer number in their name and I add the job info to Google Calendar, where I typically have their name and phone number in the job description too, there are addresses provided but they aren't necessarily the address of the customer.

Once the job is complete, I'll send an invoice.

Payment is typically made by cash, cheque or bank transfer. I've only accepted card payment a handful of times and would have processed the payment over the phone, so didn't get the card number sent via email etc. I've had to process a refund maybe once or twice if a customer overpaid by accident etc, so may have gotten bank details then.

I have tens of thousands of emails that were sent back and forth between customers. Customers aren't regular and some may return for similar services after years of not having used me. It's great to be able to check back on previous emails if the job may have had any complicated requirements.

If I get a phone call from a customer I haven't heard from in 5 years, their customer number will show up on my phone and if I can put it into google calendar to bring up old jobs so I can recall any specifics of the job.

Losing the ability to check back on old jobs would be a huge knock to the running of my business. Also, having to go through tens of thousands of emails to delete the ones with customer info and keep other relative ones, would take me as a one man operation way way wayyyy too long.

I don't have any customer info on paper, everything is digital so that's ok, but I've the emails as part of system back ups and then separate to Gmail too, so on the cloud.

There's really no useful information that any hacker could use.

I've been told by someone who's read up on all the GDRP that as a small business, I probably don't have much to worry about even if I do nothing and keep everything, that the likelihood of any breach and of any of that info being used for anything malicious, is so small it's not worth the time I'd have to put into making everything compliant and still never being 100% that everything I've done is correct or that there's non compliance still in the business.

Cheers for any replies!!!

Seth Brundle · 24-05-2018 9:58am

What personal information do you have?
Do the people know that you have it?
Did they give you verifiable permission to store and use it?
Do people know how long you will keep it for?
Do the people know what you will be using it for?
Will it be used for any purpose other than the reason they gave it to you?
Who will have access to the personal data?
Have you steps prepared to delete all of a persons personal data if they require it (including on backups)?
Is the personal data being held actually correct?

The reality is that if someone gave you their number previously then you should be ok as long as you take steps to ensure that it doesn't get lost or into the wrong hands. In terms of your phone, do you have the phone encrypted and protected with a strong password?

NeptunesMoon wrote: »

I don't have any customer info on paper, everything is digital so that's ok, but I've the emails as part of system back ups and then separate to Gmail too, so on the cloud.

There's really no useful information that any hacker could use.

I've been told by someone who's read up on all the GDRP that as a small business, I probably don't have much to worry about even if I do nothing and keep everything, that the likelihood of any breach and of any of that info being used for anything malicious, is so small it's not worth the time I'd have to put into making everything compliant and still never being 100% that everything I've done is correct or that there's non compliance still in the business.

You have email addresses and presumably in the signatures you have other details including phone numbers. That's all personal data.
Is it properly protected?
If you think there's nothing in your emails of use to a "hacker" then you're wrong. You have plenty of correspondance there from yourself which should make it easy enough to fake at least one profile (but possibly more).
The concept that "everything is digital so that's ok" is nonsense. In fact digital data is more likely to be fall into the wrong hands.
As for someone who read up on GDPR telling you that you're ok - did you not do any reading up yourself? If it's your business and reputation at stake then surely you bothered your arse finding out the basics on it? It's actually not that confusing!

jmreire · 26-05-2018 11:42pm

Since the new data protection law kicked in on the 25th, I have been getting emails, basically saying the same thing...." We don't want to lose contact with you, so please click on the "I Agree" box to our terms and conditions regarding data. If you don't do this, then you cannot avail of our service's etc."
Seems to me that this is completely against the spirit of the new laws..In effect, you are forced to submit to their terms and conditions. So what has changed?

BarleySweets · 26-05-2018 11:52pm

jmreire wrote: »

Since the new data protection law kicked in on the 25th, I have been getting emails, basically saying the same thing...." We don't want to lose contact with you, so please click on the "I Agree" box to our terms and conditions regarding data. If you don't do this, then you cannot avail of our service's etc."
Seems to me that this is completely against the spirit of the new laws..In effect, you are forced to submit to their terms and conditions. So what has changed?

It’s brand new legislation that hasn’t been tested in court yet. Right now it’s a bit all up in the air about what the hard limits are. When the court cases happen, we’ll all get told what’s what quickly enough.

For now the big change is that company’s have to be proactive in explaining to customers a few things:

- your data *is* being collected by us
- here’s how we use your data
- and who we share your data with
- and for how long we retain your data
- we promise not to use or misuse your data in any way that breaches what we detailed in the above points
- you can ask us to delete every scrap of data we’ve stored about you

That’s a pretty good start in the grand scheme of things. The finer details will come later as the legislation gets challenged and clarified via the courts system.

Seth Brundle · 27-05-2018 1:01am

jmreire wrote: »

Since the new data protection law kicked in on the 25th, I have been getting emails, basically saying the same thing...." We don't want to lose contact with you, so please click on the "I Agree" box to our terms and conditions regarding data. If you don't do this, then you cannot avail of our service's etc."
Seems to me that this is completely against the spirit of the new laws..In effect, you are forced to submit to their terms and conditions. So what has changed?

The GDPR coming into full force is what's chsnged.
Now a company must have explicit verifiable permission to have your personal data. If they don't have permission then they can't use your personal data.
As most social media companies provide a "free service" to users, their users must each confirm that the company may use their personal data. As the saying goes, if the product is free then you're the product. Only now the companies must have your permission to make you their product.

jmreire · 27-05-2018 10:51pm

Which goes directly back to my question.....either accept our terms and conditions ( meaning we are going continue on our merry way and share it etc.) or else you can't use our app. etc. I'm thinking solely in terms of personal use of apps which look for permission to access your contact list ( which may indeed be needed for the app to work, but for sure not every app) but your camera? your message list? etc. You will know what I mean..seeking permission for any access which has no bearing on the app in question. The difference as I understand it now, ( Thanks Seth ) you can legally request that any data they hold on you, they must inform you and delete it if you insist.

New Data Protection rules.

Comments