Previously on "ICO - are you registered?"


  • DaveB
    replied
    Originally posted by TheCyclingProgrammer View Post
    I thought the "accounts and records" exemption might exempt most of us. On the face of it it seems like it should apply, but if you look at the exemption in the legislation (in the schedule at the bottom) I'm not completely certain:

    The Data Protection (Notification and Notification Fees) Regulations 2000

    Specifically the following two points raise an issue for me:

    Point d - doesn't adding your customer's details to a third-party service, be it a CRM tool, project management tool or bookkeeping platform like FreeAgent count as disclosing to a third party? Do we ask each of our clients for consent to add their details to these systems?
    Not if those details do not relate to an individual. Keeping the address and a phone number for the client's accounts department for example is not covered. The privacy statements of the 3rd party software provider should also cover you as they should have no access to the data in your instance of the service.

    Originally posted by TheCyclingProgrammer View Post
    Point e - for how long is it necessary to keep this information after they stop being our client? It all seems a bit vague to me. Certainly for project management and CRM tools, should we be removing this information ASAP?
    You keep it as long as you have a requirement to keep it, be that business related for the purposes of fulfilling your contract with the client or as required by law in the case of certain financial records etc. If you no longer have a valid reason to keep it you should destroy it. You also need to have processes in place to deal with subject access requests and requests for removal of individual records under Right to Be Forgotten.

    Originally posted by TheCyclingProgrammer View Post
    Going back to my second point - even if we have no obligation to register, we still count as data controllers don't we? In which case, we have a responsibility to do due diligence when it comes to using third-party hosted services in which we keep our client data once GDPR comes into force.
    You only fall under the regulations if you are holding data relating to Natural Persons (real people), not Legal Persons (corporate entities) and outside the scope of your core business processes as listed above. If that data has been given to you by your client for the purpose of providing services (a sample dataset for example) then you are a data processor not a data controller. If you collected it yourself from client staff etc. then you would be the controller. You still have responsibilities under GDPR as a processor but there is a distinction, and it is the responsibility of the Data Controller to ensure that you process their data in a compliant manner.

    While GDPR is important you do need to maintain a sense of perspective and not start diving down rabbit holes trying to work out what is covered and what is not. You also need to properly understand the relationship between your Co. and Client Co. in terms of what data is shared, how it is shared and where you keep it.



  • TheCyclingProgrammer
    replied
    Originally posted by DaveB View Post
    If you are only processing data for core business purposes then there is no requirement for you to register. If you were not required to register under DPA then you are not required to register under GDPR.
    I thought the "accounts and records" exemption might exempt most of us. On the face of it it seems like it should apply, but if you look at the exemption in the legislation (in the schedule at the bottom) I'm not completely certain:

    The Data Protection (Notification and Notification Fees) Regulations 2000

    Specifically the following two points raise an issue for me:

    (d) does not involve disclosure of the personal data to any third party other than—
    (i) with the consent of the data subject; or
    (ii) where it is necessary to make such disclosure for the exempt purposes; and
    (e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.
    Point d - doesn't adding your customer's details to a third-party service, be it a CRM tool, project management tool or bookkeeping platform like FreeAgent count as disclosing to a third party? Do we ask each of our clients for consent to add their details to these systems?

    Point e - for how long is it necessary to keep this information after they stop being our client? It all seems a bit vague to me. Certainly for project management and CRM tools, should we be removing this information ASAP?

    Going back to my second point - even if we have no obligation to register, we still count as data controllers don't we? In which case, we have a responsibility to do due diligence when it comes to using third-party hosted services in which we keep our client data once GDPR comes into force.
    Last edited by TheCyclingProgrammer; 13 March 2018, 12:30.



  • Lance
    replied
    Originally posted by DaveB View Post
    Doesn't protect you. Refusal to hand over passwords or encryption keys is an offence under Part III of the RIPA that carries a two year jail term.

    https://wiki.openrightsgroup.org/wik..._2000/Part_III

    If client suspects you have the data and goes to the police you'll be screwed. Just get rid of it.
    Indeed.
    Like I said. I wouldn’t steal data. It’s not like I develop anything or have any use for my clients data.



  • DaveB
    replied
    Originally posted by Lance View Post
    Of course I wouldn’t have stolen any client data......... and if I did it would be on an encrypted data drive on a hidden partition for which I’ve ‘forgotten’ the password. So I don’t have any data like that.
    Doesn't protect you. Refusal to hand over passwords or encryption keys is an offence under Part III of the RIPA that carries a two year jail term.

    https://wiki.openrightsgroup.org/wik..._2000/Part_III

    If client suspects you have the data and goes to the police you'll be screwed. Just get rid of it.



  • Lance
    replied
    Originally posted by northernladuk View Post
    But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?
    Of course I wouldn’t have stolen any client data......... and if I did it would be on an encrypted data drive on a hidden partition for which I’ve ‘forgotten’ the password. So I don’t have any data like that.



  • DaveB
    replied
    Originally posted by northernladuk View Post
    But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?
    If you've got that data, if you had no reason to have it, if it is personal data under the DPA/GDPR definition, if you were not an identified Data Processor and if it belongs to the client then as data controller they are the ones responsible. It is their failure to comply with DPA/GDPR that has resulted in you having it. They may seek legal redress against your co. as a result but the ICO won't be the ones coming after you. You may also be open to prosecution for theft or other offences connected with you obtaining that data.

    If you have it legitimately and were a Data Processor on behalf of the client then you still do not need to register as a controller, that is the client. However, under GDPR you are still liable for prosecution if you make use of it in ways other than those agreed with the client or in contravention of the GDPR regulations. This includes hanging onto it once you no longer have a legitimate reason to have it.

    If you find yourself in the scenario above the best thing to do is delete it and inform the client that you have done so.



  • DaveB
    replied
    Originally posted by TheCyclingProgrammer View Post
    All this talk about the GDPR and data protection recently has got me wondering...who here has taken the time to register their business with the ICO as a data controller?

    Chances are, most of us here are data controllers. We all have clients and we probably keep details of those clients somewhere - maybe in a third party system like FreeAgent.

    Along the same lines, if you keep this information elsewhere who has started taking steps to audit these various third party services - most of whom probably count as data processors - to check that they are taking steps to comply with the GDPR?

    It’s not completely clear to me to what extent the exemption for “accounts and records” covers.
    If you are only processing data for core business purposes then there is no requirement for you to register. If you were not required to register under DPA then you are not required to register under GDPR.

    Check the ICO registration self assessment tool here:

    https://ico.org.uk/for-organisations...lf-assessment/

    The key question is number 7, purposes for which you are processing data. Most IT contractors are going to answer None of the Above, as if any of the activities listed are being performed they are being done on behalf of the client not in your own right. If you were providing web hosting services to the client on a B2B basis or developing bespoke software for them outside of the client environment then you may need to register but only if you were processing personal data as part of that activity.

    Question 8 then clarifies this further:

    8. Do you only process personal data for:

    Staff administration (including payroll);
    accounts or records (ie invoices and payments);
    advertising, marketing and public relations (in connection with your own business activity).

    You should answer yes to this. The result being:

    You are under no requirement to register

    You are only processing personal data for the core business purposes. You therefore do not have to register with the ICO.

    However, it is important that your organisation adheres to the principles of the Data Protection Act (DPA) and understands best practice for managing information. To help ensure you are complying with the DPA, we have produced a range of training materials including practical toolkits, training videos and more.

    You can still register voluntarily if you wish.
    Last edited by Contractor UK; 13 May 2018, 13:32.



  • northernladuk
    replied
    Originally posted by Lance View Post
    I don’t keep any personal data on my clients. Other than name and email address for accounts and records. On that basis I believe I don’t have to register.
    Also. If I had to comply with a DSAR I would be able to comply with that easily as all my data is stored in just FreeAgent and Office365 (the latter allowing compliance searches).
    But what about the gigs and gigs of client data that you find you accidentally seem to have once you've left?



  • Lance
    replied
    I don’t keep any personal data on my clients. Other than name and email address for accounts and records. On that basis I believe I don’t have to register.
    Also. If I had to comply with a DSAR I would be able to comply with that easily as all my data is stored in just FreeAgent and Office365 (the latter allowing compliance searches).



  • TheCyclingProgrammer
    started a topic: ICO - are you registered?

    All this talk about the GDPR and data protection recently has got me wondering...who here has taken the time to register their business with the ICO as a data controller?

    Chances are, most of us here are data controllers. We all have clients and we probably keep details of those clients somewhere - maybe in a third party system like FreeAgent.

    Along the same lines, if you keep this information elsewhere who has started taking steps to audit these various third party services - most of whom probably count as data processors - to check that they are taking steps to comply with the GDPR?

    It’s not completely clear to me to what extent the exemption for “accounts and records” covers.
    Last edited by Contractor UK; 13 May 2018, 13:31.
