
Thoughts on GDPR for a contractor who doesn't handle any personal data?


    #11
    Originally posted by dw28:
    So long as any hypothetical future action is something I would simply be required to respond to in good time, that would be entirely manageable. All data that could possibly be requested would be easy to identify in that one account.
    I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.

    Thanks again!
    The reality of fines...
    Here are some quotes from the head of the ICO, Elizabeth Denham. Bear in mind these are the people who would issue a fine.


    “The GDPR is a work in progress for us as I am sure it is for many of you - but we’re making sure we respond to what we hear you need.”

    “The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs last summer. I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law. Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.”

    “And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data. None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.”

    “Because I’ve always preferred the carrot to the stick. I don’t want to punish organisations for breaching the law. I want to help stop that happening in the first place.”

    “As you know, I believe the public should be and is at the heart of everything we do. Today we’re officially launching our public information campaign “Your Data Matters”.”

    “So here we are, days away from the first day of a new era for data protection. Does it feel like there’s a light at the end of the tunnel? It’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.”

    “It’s your job to make sure you keep your foot on the gas. Your preparations, your work – your important work – must continue beyond the 25th. Perhaps that’s when the real journey begins.”
    See You Next Tuesday



      #12
      Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:

      a) Updating privacy policy - saying what I use data for and how long it's kept in general.
      b) Having a link so they can ask to see what data I have on them or request removal.
      c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.

      Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.
      bloggoth

      If everything isn't black and white, I say, 'Why the hell not?'
      John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)



        #13
        Originally posted by xoggoth:
        Not a contractor anymore but do have a tiny business with online sales so have a lot of personal details. A lot of the stuff that applies to larger businesses, making your staff aware of procedures, providing training to deal with data breaches etc. is obviously irrelevant. The main things I have done are:

        a) Updating privacy policy - saying what I use data for and how long it's kept in general.
        b) Having a link so they can ask to see what data I have on them or request removal.
        c) Writing some tools to delete personal data from online database records over a certain age, when I no longer need to chase payments etc.

        Think that about covers it. Got a lot of stuff in old excel accounts records but I could delete that manually if needed. Ditto deal with an individual request for view/deletion in database.

        Pretty much spot on.

        We have decided to keep financial records for 7 years (from the point at which the balance is zero, which I think is a tax thing) but any other PII data we have will be gone within 6 months to 1 year. The biggest challenge we seem to have is with our marketing team who have not seemed to fathom that they cannot now keep customer data for an indeterminate length of time and use it for whatever they want.

        In another area we are trialling something which potentially may have meant we would have to pass our network tablets/laptops to clients so they could perform an online credit check/finance application. Again I had to stress that we cannot do this, as we would be handing to a member of the general public a device which can be used to access PII in an unauthorised manner. Again people seem to be trying to sweep this under the carpet.


        Maybe I have missed the point, but my understanding was that GDPR was brought in with the express purpose of stopping these sorts of practices.

        For me however what these people want does not actually add that much value and the risk of GDPR breach brings such a large fine you just need to say NO!

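The retention rules from the two posts above (financial records kept 7 years from the point the balance is zero, other personal data gone within a year, and nothing purged while a payment is still being chased) as an added worked example; this is constructed illustration code, not either poster's own tool, and the SQLite schema, column names and sample dates are assumptions:

```python
import sqlite3
from datetime import date, timedelta

# Retention rules as stated in the thread: financial records kept 7 years from the
# point the balance hits zero; any other personal data gone within a year.
FINANCIAL_RETENTION = timedelta(days=7 * 365)
PII_RETENTION = timedelta(days=365)
SAMPLE_TODAY = date(2024, 1, 1)  # fixed "today" so the constructed sample is reproducible

# Assumed schema (not the poster's): contacts hold marketing PII, invoices hold the
# financial record; settled_on stays NULL while a balance is outstanding.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, last_activity TEXT);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, contact_id INTEGER, amount REAL, settled_on TEXT);
"""

def open_sample_db(today=SAMPLE_TODAY):
    """Constructed data: a recent contact, a stale one who still owes money, a stale one paid up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ago = lambda days: (today - timedelta(days=days)).isoformat()
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?)", [
        (1, "fresh@example.com", "0100", ago(30)),
        (2, "owes@example.com", "0200", ago(400)),
        (3, "old@example.com", "0300", ago(3000)),
    ])
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?)", [
        (10, 2, 120.0, None),         # unpaid: kept so the debt can still be chased
        (11, 3, 80.0, ago(8 * 365)),  # settled over 7 years ago: expired
        (12, 3, 50.0, ago(2 * 365)),  # settled 2 years ago: inside the 7-year window
    ])
    return conn

def apply_retention(conn, today=SAMPLE_TODAY):
    """Apply both rules; returns (invoices_deleted, contacts_anonymised)."""
    fin_cutoff = (today - FINANCIAL_RETENTION).isoformat()  # ISO dates compare as text
    pii_cutoff = (today - PII_RETENTION).isoformat()
    with conn:  # one transaction: either both rules apply or neither does
        invoices = conn.execute(
            "DELETE FROM invoices WHERE settled_on IS NOT NULL AND settled_on < ?",
            (fin_cutoff,)).rowcount
        # Anonymise rather than delete the row: invoices still inside their 7-year
        # window keep a valid (now non-personal) contact_id. Skip rows already stripped.
        contacts = conn.execute(
            """UPDATE contacts SET email = NULL, phone = NULL
               WHERE last_activity < ? AND email IS NOT NULL
                 AND id NOT IN (SELECT contact_id FROM invoices WHERE settled_on IS NULL)""",
            (pii_cutoff,)).rowcount
    return invoices, contacts
```

Running it a second time changes nothing, which is the property you want from a scheduled purge job.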


          #14
          Originally posted by Lance:
          read this https://ico.org.uk/for-organisations...gulation-gdpr/

          They're the people who will enforce it in the UK. Every other source is selling you something.
          And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
          Thanks for this link!
