By Yvonne Morris, Consultant
Image: Triumvirate Assuming Power in the Name of the Prince of Orange, 21 November 1813, by Jan Willem Pieneman (photo credit: Rijksmuseum)
Data Protection law is changing on 25 May 2018 and organisations big and small, public, private and third sector, will have to comply with the new legislation. In this blog post I answer some of the questions Naomi Korn Associates has been receiving from small businesses and clubs about the steps they need to take to ensure General Data Protection Regulation (GDPR) compliance.
Are clubs and small businesses (e.g. Bridge Club, Dog Training, Dancing Classes) covered by the new GDPR regulations?
Yes, they are! If you are processing EU residents’ personal data, the GDPR applies to you. The ICO’s 12 Step Guide will help you to prepare:
I run a monthly book club for 20 people. We do not have a web site, but I keep an e-mail list so I can let people know about the next meeting. There is no fee for attendance. Do I need to do anything?
At the heart of the GDPR are the six principles that should be applied to any collection or processing of personal data and these are a good place to start. If you are keeping an e-mail list and contacting the people on it you are processing personal data, and that data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary for processing
- accurate and kept up to date
- kept in a form such that the data subject can be identified only as long as is necessary for processing
- processed in a manner that ensures appropriate security
So you need to consider whether, for example, you are keeping the email addresses longer than you need to – do all 20 regularly attend, or have some people not attended for years? Are you getting bounce-backs? Is the personal data secure?
You also need to identify your lawful basis for the processing activity. There are 6 lawful bases under GDPR and one of these is consent. Maybe you got consent each time someone gave you their email address? If you did, be aware that GDPR sets a high standard for consent and if you can’t meet it, you will need to refresh it. Was there a positive opt-in, not a pre-ticked box, and do you have evidence of consent – who, when, how, and what you told people?
If the answer is “no” and refreshing consent is going to be difficult, do not worry: look for a different lawful basis; one to consider is “legitimate interest”.
Broadly speaking “legitimate interest” means that personal data can be processed where there is a genuine and legitimate reason and the rights and interests of the person whose personal data is being processed are not being harmed.
If your legitimate reason for keeping emails is to fulfil your objective of running a book club and not for any other purpose, and it’s legitimate to assume that people who have shared their contact information with you want to attend and so need to be kept informed of meeting dates, then this could be your lawful basis.
However, you must ensure that:
- You state that legitimate interest is your lawful basis on your Privacy Notice. More about Privacy Notices below.
- It’s easy for people to opt out of receiving emails from you.
How should I make my GDPR actions clear to clients if I don’t have a web site?
You can make your clients aware of your Privacy Notice through a variety of media:
- Orally – face to face or when you speak to them on the telephone (a script is advisable for the latter and in both instances, document that the privacy information was given)
- In writing – printed media; printed adverts; forms, such as financial applications or job application forms.
- Through signage – for example an information poster in a public area.
- Electronically – in text messages; in emails; in mobile apps.
I have a web site – what sort of Privacy Notice should I have?
All Privacy Notices must be understandable, accessible, and written in plain language.
Under GDPR there are certain things the Privacy Notice must contain, including:
- The identity and contact details of the company and the Data Protection Officer (if required under GDPR to appoint one)
- The reasons for processing personal data and the legal basis for doing so
- Categories of personal data being processed
- Sources of the data
- Who it might be disclosed to
- Details of where it might be going in the world
- How long it’s kept for
- If customers are legally or contractually required to provide it and the consequences if they refuse
- Details of any profiling
- Information on the right to lodge a complaint with the Regulator
The ICO has produced this useful checklist:
I just keep names and addresses of the students who come to my Bridge classes on my computer – I give out the spreadsheet of names and addresses to the students so they can meet up between lessons and practice.
Stop sharing the names and addresses immediately unless the necessary consent is in place. Remember, GDPR sets a high standard for consent; were the students made aware that their data would be shared in this way? If they were, did they opt-in to this? If they did, did you keep a record? And remember, to be GDPR compliant, the personal data stored on your computer must be kept secure.
I’m a personal trainer/gardener/cleaner and don’t have a web site, but I keep some notes on my clients on 6 x 4 cards – there is no contract between myself and these clients – do I need to do anything? I keep their phone numbers on my mobile phone.
GDPR applies to these hard copy records as well as to the numbers on your mobile phone. The personal information in the notes and on your phone must be kept secure. If you haven’t had any business from a client for a while, you need to justify holding on to their personal data (see the six GDPR Principles). And you need to identify your lawful basis for processing your clients’ data, which will require segmenting your client list. If there is no contract between you and Client X – and remember, contracts don’t have to be in writing; an oral agreement which meets the requirements of contract law is also a contract – you cannot rely on contract as your lawful basis, but if potential Client Y asks you for a quote, you can.
You also need to be mindful of the rights individuals have when you process their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
So, for example, if a client asks you to erase their personal data, deleting a number from your mobile is quite straightforward, but are you confident you can locate the notes you hold about them and delete what is required? And how would you deal with a Subject Access Request? There is more information about the right to erasure and the right to access on the ICO’s website.
I offer dancing classes to children and adults – are there additional things to consider when processing the children’s data?
Yes. Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. The ICO states that:
“If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind”.
They have produced this useful guide:
(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is CC0, sourced from Rijksmuseum.