Previously on "Thoughts on GDPR for a contractor who doesn't handle any personal data?"
-
Originally posted by xoggoth:
Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:
a) Updating privacy policy - saying what I use data for and how long it's kept in general.
b) Having a link so they can ask to see what data I have on them or request removal.
c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.
Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.

Pretty much spot on.
We have decided to keep financial records for 7 years (from the point at which the balance is zero, which I think is a tax thing) but any other PII data we have will be gone within 6 months to 1 year. The biggest challenge we seem to have is with our marketing team who have not seemed to fathom that they cannot now keep customer data for an indeterminate length of time and use it for whatever they want.
In another area we are trialing something which potentially may have meant we would have to pass our network tablets/laptops to clients so they could perform an online credit check/finance application - again had to stress that we cannot do this as we would be handing to a member of the general public a device which can be used to access PII in an unauthorised manner. Again people seem to be trying to sweep this under the carpet.
Maybe I have missed the point but my understanding was GDPR was brought in with the express purpose of stopping these sorts of practices.
For me however what these people want does not actually add that much value and the risk of GDPR breach brings such a large fine you just need to say NO!
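The purge tool xoggoth mentions and the retention split described in the reply above (financial records kept 7 years from a zero balance, other personal data gone within 6 to 12 months, nothing erased while a payment is still being chased), as an added example in Python; this is not code from either poster. The table layout, the exact retention periods and the constructed sample rows are assumptions; it runs against an in-memory SQLite database.

```python
import sqlite3
from datetime import date, timedelta

# Retention periods as described in the thread (assumed policy values, not legal advice):
PII_RETENTION = timedelta(days=182)            # ~6 months, the short end of "6 months to 1 year"
FINANCIAL_RETENTION = timedelta(days=7 * 365)  # 7 years, counted from the day the balance hit zero

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data covering each state the policy has to handle."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT, last_contact TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, customer_id INTEGER,
                              amount REAL, outstanding REAL, settled_on TEXT);
        INSERT INTO customers VALUES
          (1, 'Ann Example', 'ann@example.test', '2015-03-01'),  -- old contact, fully paid
          (2, 'Bob Example', 'bob@example.test', '2017-09-01'),  -- old contact, still owes money
          (3, 'Cat Example', 'cat@example.test', '2018-05-01'),  -- recent contact
          (4, 'Dan Example', 'dan@example.test', '2010-06-01');  -- everything long expired
        INSERT INTO invoices VALUES
          (10, 1, 120.0, 0.0, '2010-06-01'),  -- settled > 7 years ago: delete the record
          (11, 1,  80.0, 0.0, '2015-03-01'),  -- settled < 7 years ago: keep, but without PII
          (12, 2, 200.0, 200.0, NULL),        -- unpaid: keep everything, payment is still chased
          (13, 3,  50.0, 0.0, '2018-05-01'),
          (14, 4,  30.0, 0.0, '2010-06-01');
    """)
    return con

def purge(con: sqlite3.Connection, today: str) -> dict:
    """Apply the policy as of ISO date `today`; returns counts for the audit log."""
    now = date.fromisoformat(today)
    cutoff_fin = (now - FINANCIAL_RETENTION).isoformat()
    cutoff_pii = (now - PII_RETENTION).isoformat()
    # 1. Settled invoices past the 7-year financial retention are dropped outright.
    #    An unpaid invoice has NULL settled_on, which never compares true, so it survives.
    invoices_deleted = con.execute(
        "DELETE FROM invoices WHERE outstanding = 0 AND settled_on <= ?", (cutoff_fin,)).rowcount
    # 2. Scrub name/email of customers not contacted within the PII window, unless they
    #    still owe money; the bare id is kept so retained invoices stay consistent.
    customers_scrubbed = con.execute("""
        UPDATE customers SET name = NULL, email = NULL
        WHERE last_contact <= ? AND name IS NOT NULL
          AND id NOT IN (SELECT customer_id FROM invoices WHERE outstanding > 0)""",
        (cutoff_pii,)).rowcount
    # 3. Once a scrubbed customer has no invoices left, nothing justifies keeping the row.
    customers_deleted = con.execute("DELETE FROM customers WHERE name IS NULL AND "
                                    "id NOT IN (SELECT customer_id FROM invoices)").rowcount
    con.commit()
    return {"invoices_deleted": invoices_deleted,
            "customers_scrubbed": customers_scrubbed, "customers_deleted": customers_deleted}
```

Running it twice on the same date is a useful check: the second pass must report zero changes, otherwise the policy is not being applied consistently.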
-
Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:
a) Updating privacy policy - saying what I use data for and how long it's kept in general.
b) Having a link so they can ask to see what data I have on them or request removal.
c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.
Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.
-
Originally posted by dw28:
So long as any hypothetical future action is something I would simply be required to respond to in good time, that would be entirely manageable. All data that could possibly be requested would be easy to identify in that one account.
I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.
Thanks again!

Here are some quotes from the head of the ICO, Elizabeth Denham. Bear in mind these are the people who would issue a fine.
“The GDPR is a work in progress for us as I am sure it is for many of you - but we’re making sure we respond to what we hear you need.”
“The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs last summer. I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.”
“And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data. None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.”
“Because I’ve always preferred the carrot to the stick. I don’t want to punish organisations for breaching the law. I want to help stop that happening in the first place.”
“As you know, I believe the public should be and is at the heart of everything we do. Today we’re officially launching our public information campaign “Your Data Matters”.”
“So here we are, days away from the first day of a new era for data protection. Does it feel like there’s a light at the end of the tunnel? It’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.”
“It’s your job to make sure you keep your foot on the gas. Your preparations, your work – your important work – must continue beyond the 25th. Perhaps that’s when the real journey begins.”
-
Originally posted by d000hg:
I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?

https://www.contractoruk.com/success...practices.html
Another from the 7th Mar and there are a few others...
https://www.contractoruk.com/success...y_cash_in.html
The threads about GDPR seem to have started as far back as April 2017 it seems
https://forums.contractoruk.com/acco...dpr-mfeatsdung
Last edited by northernladuk; 18 May 2018, 13:22.
-
Originally posted by Lance:
Read this https://ico.org.uk/for-organisations...gulation-gdpr/
They're the people who will enforce it in the UK. Every other source is selling you something.
And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.

Originally posted by Lance:
You would only delete emails within a certain timeframe if your policy was to do that.
For example, I'm currently working with a client who retain data for 6 years then delete it. That's their policy and limits their exposure to holding data for too long if accused.

I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.
Thanks again!
-
Originally posted by dw28:
Thanks,
So there shouldn't be any specific requirement that I erase emails sent from clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.

For example, I'm currently working with a client who retain data for 6 years then delete it. That's their policy and limits their exposure to holding data for too long if accused.
-
Originally posted by dw28:
Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.
I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.
The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.

They're the people who will enforce it in the UK. Every other source is selling you something.
And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
-
Originally posted by Lance:
First name, last name and email address are classed as personal data for GDPR purposes.
A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.
I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.

So there shouldn't be any specific requirement that I erase emails sent to me by clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.
Last edited by dw28; 18 May 2018, 12:34.
-
Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.
I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.
The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.
-
I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?
-
Originally posted by dw28:
Aside from those persons' first and last names, I have never been privy to any other personal data.

A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.
I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.
-
Don't wanna be rude but GDPR has been coming for a very long time. Hell, I'm even getting GDPR jokes and memes on Facebook and the like, so the head-in-the-sand excuse isn't very good. I can't see how you've got this far without looking into it.
We don't know about your company so I'd suggest you read one of the many, many guides out there at the moment and make a decision based on your business's situation. It's not just about ticking a box now, it's about understanding it going forward, so a good grasp is required IMO.
Do some reading and get a fair to good understanding and THEN come and ask any specifics you are struggling with IMO.
SPOILER: Typing "GDPR contractor" into Google would be a good start.
-
Thoughts on GDPR for a contractor who doesn't handle any personal data?
Hi all, first post here, so I'm hoping I don't come off *too* clueless.
I'm a computer visual effects contractor, operating as a limited company. My contracts invariably take the form of subcontracting for larger visual effects studios.
Until fairly recently I hadn't even heard about GDPR, and until very recently I just assumed that since my work never involves handling any form of personal data, it wouldn't apply to me any more than previous data protection laws.
But I've heard from a couple of different acquaintances now, that simply communicating by email with individuals working at my clients' offices could constitute personally identifiable data. Aside from those persons' first and last names, I have never been privy to any other personal data.
Can anyone advise on what measures, if any, would be best to take? I really would rather avoid throwing money at a specialist unnecessarily, and if necessary, I'd like to keep any potential costs down if I can manage it. I'm somewhat concerned that if I go directly to a specialist, I could end up being "upsold" services that would be overkill for my situation.
Alternately, I might be massively underestimating the situation. Any advice would be most appreciated.
Tags: None