
ICO - are you registered?

    All this talk about the GDPR and data protection recently has got me wondering... who here has taken the time to register their business with the ICO as a data controller?

    Chances are, most of us here are data controllers. We all have clients and we probably keep details of those clients somewhere - maybe in a third party system like FreeAgent.

    Along the same lines, if you keep this information elsewhere who has started taking steps to audit these various third party services - most of whom probably count as data processors - to check that they are taking steps to comply with the GDPR?

    It’s not completely clear to me to what extent the exemption for “accounts and records” covers.
    Last edited by Contractor UK; 13 May 2018, 13:31.

    #2
    I don’t keep any personal data on my clients, other than name and email address for accounts and records. On that basis I believe I don’t have to register.
    Also. If I had to comply with a DSAR I would be able to comply with that easily as all my data is stored in just FreeAgent and Office365 (the latter allowing compliance searches).
    See You Next Tuesday



      #3
      Originally posted by Lance View Post
      I don’t keep any personal data on my clients, other than name and email address for accounts and records. On that basis I believe I don’t have to register.
      Also. If I had to comply with a DSAR I would be able to comply with that easily as all my data is stored in just FreeAgent and Office365 (the latter allowing compliance searches).
      But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?
      'CUK forum personality of 2011 - Winner - Yes really!!!!



        #4
        Originally posted by TheCyclingProgrammer View Post
        All this talk about the GDPR and data protection recently has got me wondering... who here has taken the time to register their business with the ICO as a data controller?

        Chances are, most of us here are data controllers. We all have clients and we probably keep details of those clients somewhere - maybe in a third party system like FreeAgent.

        Along the same lines, if you keep this information elsewhere who has started taking steps to audit these various third party services - most of whom probably count as data processors - to check that they are taking steps to comply with the GDPR?

        It’s not completely clear to me to what extent the exemption for “accounts and records” covers.
        If you are only processing data for core business purposes then there is no requirement for you to register. If you were not required to register under DPA then you are not required to register under GDPR.

        Check the ICO registration self assessment tool here:

        https://ico.org.uk/for-organisations...lf-assessment/

        The key question is number 7, purposes for which you are processing data. Most IT contractors are going to answer None of the Above, as if any of the activities listed are being performed they are being done on behalf of the client, not in your own right. If you were providing web hosting services to the client on a B2B basis or developing bespoke software for them outside of the client environment then you may need to register, but only if you were processing personal data as part of that activity.

        Question 8 then clarifies this further:

        8. Do you only process personal data for:

        Staff administration (including payroll);
        accounts or records (ie invoices and payments);
        advertising, marketing and public relations (in connection with your own business activity).

        You should answer yes to this. The result being:

        You are under no requirement to register

        You are only processing personal data for the core business purposes. You therefore do not have to register with the ICO.

        However, it is important that your organisation adheres to the principles of the Data Protection Act (DPA) and understands best practice for managing information. To help ensure you are complying with the DPA, we have produced a range of training materials including practical toolkits, training videos and more.

        You can still register voluntarily if you wish.
        Last edited by Contractor UK; 13 May 2018, 13:32.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



          #5
          Originally posted by northernladuk View Post
          But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?
          If you've got that data, if you had no reason to have it, if it is personal data under the DPA/GDPR definition, if you were not an identified Data Processor and if it belongs to the client then as data controller they are the ones responsible. It is their failure to comply with DPA/GDPR that has resulted in you having it. They may seek legal redress against your co. as a result but the ICO won't be the ones coming after you. You may also be open to prosecution for theft or other offences connected with you obtaining that data.

          If you have it legitimately and were a Data Processor on behalf of the client then you still do not need to register as a controller, that is the client. However, under GDPR you are still liable for prosecution if you make use of it in ways other than those agreed with the client or in contravention of the GDPR regulations. This includes hanging onto it once you no longer have a legitimate reason to have it.

          If you find yourself in the scenario above the best thing to do is delete it and inform the client that you have done so.
          "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



            #6
            Originally posted by northernladuk View Post
            But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?
            Of course I wouldn’t have stolen any client data......... and if I did it would be on an encrypted data drive on a hidden partition for which I’ve ‘forgotten’ the password. So I don’t have any data like that.
            See You Next Tuesday



              #7
              Originally posted by Lance View Post
              Of course I wouldn’t have stolen any client data......... and if I did it would be on an encrypted data drive on a hidden partition for which I’ve ‘forgotten’ the password. So I don’t have any data like that.
              Doesn't protect you. Refusal to hand over passwords or encryption keys is an offence under Part III of the RIPA that carries a two year jail term.

              https://wiki.openrightsgroup.org/wik..._2000/Part_III

              If client suspects you have the data and goes to the police you'll be screwed. Just get rid of it.
              "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



                #8
                Originally posted by DaveB View Post
                Doesn't protect you. Refusal to hand over passwords or encryption keys is an offence under Part III of the RIPA that carries a two year jail term.

                https://wiki.openrightsgroup.org/wik..._2000/Part_III

                If client suspects you have the data and goes to the police you'll be screwed. Just get rid of it.
                Indeed.
                Like I said. I wouldn’t steal data. It’s not like I develop anything or have any use for my clients data.
                See You Next Tuesday



                  #9
                  Originally posted by DaveB View Post
                  If you are only processing data for core business purposes then there is no requirement for you to register. If you were not required to register under DPA then you are not required to register under GDPR.
                  I thought the "accounts and records" exemption might exempt most of us. On the face of it, it seems like it should apply, but if you look at the exemption in the legislation (in the schedule at the bottom) I'm not completely certain:

                  The Data Protection (Notification and Notification Fees) Regulations 2000

                  Specifically the following two points raise an issue for me:

                  (d) does not involve disclosure of the personal data to any third party other than—
                  (i) with the consent of the data subject; or
                  (ii) where it is necessary to make such disclosure for the exempt purposes; and
                  (e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
                  Point d - doesn't adding your customer's details to a third-party service, be it a CRM tool, project management tool or bookkeeping platform like FreeAgent count as disclosing to a third party? Do we ask each of our clients for consent to add their details to these systems?

                  Point e - for how long is it necessary to keep this information after they stop being our client? It all seems a bit vague to me. Certainly for project management and CRM tools, should we be removing this information ASAP?

                  Going back to my second point - even if we have no obligation to register, we still count as data controllers don't we? In which case, we have a responsibility to do due diligence when it comes to using third-party hosted services in which we keep our client data once GDPR comes into force.
                  Last edited by TheCyclingProgrammer; 13 March 2018, 12:30.



                    #10
                    Originally posted by TheCyclingProgrammer View Post
                    I thought the "accounts and records" exemption might exempt most of us. On the face of it, it seems like it should apply, but if you look at the exemption in the legislation (in the schedule at the bottom) I'm not completely certain:

                    The Data Protection (Notification and Notification Fees) Regulations 2000

                    Specifically the following two points raise an issue for me:
                    Point d - doesn't adding your customer's details to a third-party service, be it a CRM tool, project management tool or bookkeeping platform like FreeAgent count as disclosing to a third party? Do we ask each of our clients for consent to add their details to these systems?
                    Not if those details do not relate to an individual. Keeping the address and a phone number for the client's accounts department, for example, is not covered. The privacy statements of the 3rd party software provider should also cover you, as they should have no access to the data in your instance of the service.

                    Originally posted by TheCyclingProgrammer View Post
                    Point e - for how long is it necessary to keep this information after they stop being our client? It all seems a bit vague to me. Certainly for project management and CRM tools, should we be removing this information ASAP?
                    You keep it as long as you have a requirement to keep it, be that business related for the purposes of fulfilling your contract with the client or as required by law in the case of certain financial records etc. If you no longer have a valid reason to keep it you should destroy it. You also need to have processes in place to deal with subject access requests and requests for removal of individual records under Right to Be Forgotten.

                    Originally posted by TheCyclingProgrammer View Post
                    Going back to my second point - even if we have no obligation to register, we still count as data controllers don't we? In which case, we have a responsibility to do due diligence when it comes to using third-party hosted services in which we keep our client data once GDPR comes into force.
                    You only fall under the regulations if you are holding data relating to Natural Persons (real people), not Legal Persons (corporate entities), and outside the scope of your core business processes as listed above. If that data has been given to you by your client for the purpose of providing services (a sample dataset for example) then you are a data processor, not a data controller. If you collected it yourself from client staff etc. then you would be the controller. You still have responsibilities under GDPR as a processor but there is a distinction, and it is the responsibility of the Data Controller to ensure that you process their data in a compliant manner.

                    While GDPR is important you do need to maintain a sense of perspective and not start diving down rabbit holes trying to work out what is covered and what is not. You also need to properly understand the relationship between your Co. and Client Co. in terms of what data is shared, how it is shared and where you keep it.
                    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
