Previously on "Thoughts on GDPR for a contractor who doesn't handle any personal data?"


  • sohomarty
    replied
    Originally posted by Lance:
    read this https://ico.org.uk/for-organisations...gulation-gdpr/

    They're the people who will enforce it in the UK. Every other source is selling you something.
    And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
    Thanks for this link!



  • original PM
    replied
    Originally posted by xoggoth:
    Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:

    a) Updating privacy policy - saying what I use data for and how long it's kept in general.
    b) Having a link so they can ask to see what data I have on them or request removal.
    c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.

    Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.

    Pretty much spot on.

    We have decided to keep financial records for 7 years (from the point at which the balance is zero, which I think is a tax thing) but any other PII data we have will be gone within 6 months to 1 year. The biggest challenge we seem to have is with our marketing team who have not seemed to fathom that they cannot now keep customer data for an indeterminate length of time and use it for whatever they want.

    In another area we are trialing something which potentially may have meant we would have to pass our network tablets/laptops to clients so they could perform an online credit check/finance application - again had to stress that we cannot do this as we would be handing to the member of the general public a device which can be used to access PII in an unauthorised manner. Again people seem to be trying to sweep this under the carpet.


    Maybe I have missed the point but my understanding was GDPR was brought in with the express purpose of stopping these sorts of practices.

    For me however what these people want does not actually add that much value and the risk of GDPR breach brings such a large fine you just need to say NO!



  • xoggoth
    replied
    Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:

    a) Updating privacy policy - saying what I use data for and how long it's kept in general.
    b) Having a link so they can ask to see what data I have on them or request removal.
    c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.

    Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.

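The age-based deletion tool xoggoth mentions in item c), combined with original PM's retention periods (accounting records for 7 years from the balance reaching zero, other personal data gone within a year), as an added example that is not either poster's code. The SQLite table layout and the sample rows are constructed for illustration; the rule that an unpaid account is never touched is the "still chasing payments" condition from the post.

```python
"""Age-based personal-data purge for a small online-sales customer table.
Added example, not the tool described in the thread; the 7-year and 1-year
periods and the 'balance is zero' rule come from the posts above, while the
table layout and sample rows are constructed."""
import sqlite3
from datetime import date, timedelta
FINANCIAL_RETENTION_DAYS = 7 * 365  # accounting records: 7 years from the balance reaching zero
PII_RETENTION_DAYS = 365            # other personal data: gone within a year
AS_OF = date(2018, 5, 18)           # constructed "today", the date of the thread
# Constructed schema: the contact fields are the PII, the totals are the accounting record.
SCHEMA = """CREATE TABLE customers (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
    balance_cents INTEGER NOT NULL, invoice_total_cents INTEGER NOT NULL,
    last_activity TEXT NOT NULL, pii_erased INTEGER NOT NULL DEFAULT 0)"""
# Constructed rows: (id, name, email, phone, balance, invoice total, last activity)
SAMPLE = [
    (1, "Alice", "alice@example.com", "01234 000001", 0, 12000, "2018-01-10"),   # recent: keep
    (2, "Bob", "bob@example.com", "01234 000002", 0, 4500, "2016-03-01"),        # paid, >1y: scrub
    (3, "Carol", "carol@example.com", "01234 000003", 2500, 2500, "2015-06-01"), # unpaid: keep
    (4, "Dan", "dan@example.com", "01234 000004", 0, 800, "2010-02-01"),         # paid, >7y: delete
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,0)", SAMPLE)
    return conn

def run_retention(conn, today):
    """Apply both rules. Rows with an outstanding balance are never touched, because
    the contact details are still needed to chase payment. Returns (deleted, scrubbed)."""
    fin_cutoff = (today - timedelta(days=FINANCIAL_RETENTION_DAYS)).isoformat()
    pii_cutoff = (today - timedelta(days=PII_RETENTION_DAYS)).isoformat()
    # 1. Settled accounts past the accounting period are removed outright.
    deleted = conn.execute("DELETE FROM customers WHERE balance_cents = 0 AND last_activity < ?",
                           (fin_cutoff,)).rowcount
    # 2. Settled accounts past the PII period keep their totals but lose the identifying
    #    fields; pii_erased marks this as deliberate erasure rather than data loss.
    scrubbed = conn.execute(
        "UPDATE customers SET name = NULL, email = NULL, phone = NULL, pii_erased = 1 "
        "WHERE pii_erased = 0 AND balance_cents = 0 AND last_activity < ?",
        (pii_cutoff,)).rowcount
    conn.commit()
    return deleted, scrubbed

def held_data(conn, customer_id):
    """Everything still stored for one customer: the basis of a subject access reply."""
    cols = ("name", "email", "phone", "balance_cents", "invoice_total_cents", "last_activity", "pii_erased")
    row = conn.execute(f"SELECT {', '.join(cols)} FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return None if row is None else dict(zip(cols, row))
```

Running the job twice is safe: the second pass finds nothing left to delete or scrub, and `held_data` shows what a "what do you hold on me" request would return after the purge.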


  • Lance
    replied
    Originally posted by dw28:
    So long as any hypothetical future action is something I would simply be required to respond to in good time, that would be entirely manageable. All data that could possibly be requested would be easy to identify in that one account.
    I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.

    Thanks again!
    The reality of fines...
    Here are some quotes from the head of the ICO, Elizabeth Denham. Bear in mind these are the people who would issue a fine.


    “The GDPR is a work in progress for us as I am sure it is for many of you - but we’re making sure we respond to what we hear you need.”

    “The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs last summer. I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.”

    “And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data. None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.”

    “Because I’ve always preferred the carrot to the stick. I don’t want to punish organisations for breaching the law. I want to help stop that happening in the first place.”

    “As you know, I believe the public should be and is at the heart of everything we do. Today we’re officially launching our public information campaign “Your Data Matters”.”

    “So here we are, days away from the first day of a new era for data protection. Does it feel like there’s a light at the end of the tunnel? It’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.”

    “It’s your job to make sure you keep your foot on the gas. Your preparations, your work – your important work – must continue beyond the 25th. Perhaps that’s when the real journey begins.”



  • northernladuk
    replied
    Originally posted by d000hg:
    I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?
    Nice article from 6th of March on it which is a good read for the OP as well.

    https://www.contractoruk.com/success...practices.html

    Another from the 7th Mar and there are a few others...

    https://www.contractoruk.com/success...y_cash_in.html

    The threads about GDPR seem to have started as far back as April 2017.
    https://forums.contractoruk.com/acco...dpr-mfeatsdung
    Last edited by northernladuk; 18 May 2018, 13:22.



  • dw28
    replied
    Originally posted by Lance:
    read this https://ico.org.uk/for-organisations...gulation-gdpr/

    They're the people who will enforce it in the UK. Every other source is selling you something.
    And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
    Originally posted by Lance:
    you would only delete emails within a certain timeframe if your policy was to do that.
    For example, I'm currently working with a client who retains data for 6 years then deletes it. That's their policy and limits their exposure to holding data for too long if accused.
    So long as any hypothetical future action is something I would simply be required to respond to in good time, that would be entirely manageable. All data that could possibly be requested would be easy to identify in that one account.
    I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.

    Thanks again!



  • Lance
    replied
    Originally posted by dw28:
    Thanks,

    So there shouldn't be any specific requirement that I erase emails sent from clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.
    You would only delete emails within a certain timeframe if your policy was to do that.
    For example, I'm currently working with a client who retains data for 6 years then deletes it. That's their policy and limits their exposure to holding data for too long if accused.



  • Lance
    replied
    Originally posted by dw28:
    Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
    It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.

    I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.

    The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.
    read this https://ico.org.uk/for-organisations...gulation-gdpr/

    They're the people who will enforce it in the UK. Every other source is selling you something.
    And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.



  • dw28
    replied
    Originally posted by Lance:
    First name, last name and email address are classed as personal data for GDPR purposes.

    A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.

    I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.
    Thanks,

    So there shouldn't be any specific requirement that I erase emails sent to me by clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.
    Last edited by dw28; 18 May 2018, 12:34.



  • dw28
    replied
    Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
    It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.

    I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.

    The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.



  • d000hg
    replied
    I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?



  • Lance
    replied
    Originally posted by dw28:
    Aside from those persons' first and last names, I have never been privy to any other personal data.
    First name, last name and email address are classed as personal data for GDPR purposes.

    A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.

    I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.



  • northernladuk
    replied
    Don't wanna be rude but GDPR has been coming for a very long time. Hell, I'm even getting GDPR jokes and memes on Facebook and the like so the head-in-the-sand excuse isn't very good. I can't see how you've got this far without looking into it.

    We don't know about your company so I'd suggest you read one of the many many guides out there at the moment and make a decision based on your business's situation. It's not just about ticking a box now, it's about understanding it going forward so a good grasp is required IMO.

    Do some reading and get a fair to good understanding and THEN come and ask any specifics you are struggling with IMO.

    SPOILER: Typing "GDPR Contractor" into Google would be a good start.



  • Thoughts on GDPR for a contractor who doesn't handle any personal data?

    Hi all, first post here, so I'm hoping I don't come off *too* clueless.

    I'm a computer visual effects contractor, operating as a limited company. My contracts invariably take the form of subcontracting for larger visual effects studios.
    Until fairly recently I hadn't even heard about GDPR, and until very recently I just assumed that since my work never involves handling any form of personal data, it wouldn't apply to me any more than previous data protection laws.
    But I've heard from a couple of different acquaintances now, that simply communicating by email with individuals working at my clients' offices could constitute personally identifiable data. Aside from those persons' first and last names, I have never been privy to any other personal data.

    Can anyone advise on what measures, if any, would be best to take? I really would rather avoid throwing money at a specialist unnecessarily, and if necessary, I'd like to keep any potential costs down if I can manage it. I'm somewhat concerned that if I go directly to a specialist, I could end up being "upsold" services that would be overkill for my situation.

    Alternately, I might be massively underestimating the situation. Any advice would be most appreciated.
