
Thoughts on GDPR for a contractor who doesn't handle any personal data?



    Hi all, first post here, so I'm hoping I don't come off *too* clueless.

    I'm a computer visual effects contractor, operating as a limited company. My contracts invariably take the form of subcontracting for larger visual effects studios.
    Until fairly recently I hadn't even heard about GDPR, and until very recently I just assumed that since my work never involves handling any form of personal data, it wouldn't apply to me any more than previous data protection laws.
    But I've heard from a couple of different acquaintances now, that simply communicating by email with individuals working at my clients' offices could constitute personally identifiable data. Aside from those persons' first and last names, I have never been privy to any other personal data.

    Can anyone advise on what measures, if any, would be best to take? I really would rather avoid throwing money at a specialist unnecessarily, and if necessary, I'd like to keep any potential costs down if I can manage it. I'm somewhat concerned that if I go directly to a specialist, I could end up being "upsold" services that would be overkill for my situation.

    Alternately, I might be massively underestimating the situation. Any advice would be most appreciated.

    #2
    Don't wanna be rude but GDPR has been coming for a very long time. Hell, I'm even getting GDPR jokes and memes on Facebook and the like, so the head-in-the-sand excuse isn't very good. I can't see how you've got this far without looking into it.

    We don't know about your company so I'd suggest you read one of the many many guides out there at the moment and make a decision based on your business's situation. It's not just about ticking a box now, it's about understanding it going forward so a good grasp is required IMO.

    Do some reading and get a fair to good understanding and THEN come and ask any specifics you are struggling with IMO.

    SPOILER: Type in GDPR Contractor in to google would be a good start.
    'CUK forum personality of 2011 - Winner - Yes really!!!!



      #3
      Originally posted by dw28 View Post
      Aside from those persons' first and last names, I have never been privy to any other personal data.
      First name, last name and email address are classed as personal data for GDPR purposes.

      A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.

      I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.
      See You Next Tuesday



        #4
        I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?
        Originally posted by MaryPoppins
        I'd still not breastfeed a nazi
        Originally posted by vetran
        Urine is quite nourishing



          #5
          Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
          It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.

          I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.

          The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.



            #6
            Originally posted by Lance View Post
            First name, last name and email address are classed as personal data for GDPR purposes.

            A one man LTD company isn't going to need to sweat about it though. Just be aware, and if you're asked to comply with a data subject access request don't ignore it as you've got just 30 days. It's best to know roughly what you should do in that case, or in the case of a data breach, rather than waste some of those 30 days finding out simple stuff you can do now.

            I'd also suggest you make sure all your data is secure, and searchable. Any that isn't just delete it.
            Thanks,

            So there shouldn't be any specific requirement that I erase emails sent to me by clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.
            Last edited by dw28; 18 May 2018, 12:34.



              #7
              Originally posted by dw28 View Post
              Yeah, I know it seems absurd that I'm only just approaching the whole subject this late in the day - I've had my head down working on a single contract for quite some time, and company admin has been on the back-burner.
              It genuinely wasn't something I ever expected I'd need to have on my radar in the first place, but I understand there's little point making excuses. I just want to get to the bottom of what I need to learn and what, if anything, I need to implement, as quickly as I can manage.

              I've been searching for information for the past couple of days - the problem I'm having is that every resource I read seems to presume to advise solely on how GDPR applies to contractors who are handling public data for their clients. I never have and never will - my services are entirely limited to the creation of graphics for client companies.

              The specific concern I'm unsure about has only come to light via a couple of friends who have been working on compliance for the companies they're employed by - who have both suggested that "personal data" under GDPR may include basic contact information of employees working for my own clients. I've yet to find a specific reference to this in any online literature however.
              read this https://ico.org.uk/for-organisations...gulation-gdpr/

              They're the people who will enforce it in the UK. Every other source is selling you something.
              And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
              See You Next Tuesday



                #8
                Originally posted by dw28 View Post
                Thanks,

                So there shouldn't be any specific requirement that I erase emails sent from clients within a certain timeframe, that sort of thing? The only place any such information exists is in one gmail account, which is secured with two-factor authentication and a strong manager-generated password.
                you would only delete emails within a certain timeframe if your policy was to do that.
                For example, I'm currently working with a client who retain data for 6 years then delete it. That's their policy and limits their exposure to holding data for too long if accused.
                See You Next Tuesday



                  #9
                  Originally posted by Lance View Post
                  read this https://ico.org.uk/for-organisations...gulation-gdpr/

                  They're the people who will enforce it in the UK. Every other source is selling you something.
                  And you're right that you don't have to worry too much. It sounds like all you'll have are email to/from people that count. If someone says 'delete my data' then delete their emails.
                  Originally posted by Lance View Post
                  you would only delete emails within a certain timeframe if your policy was to do that.
                  For example, I'm currently working with a client who retain data for 6 years then delete it. That's their policy and limits their exposure to holding data for too long if accused.
                  So long as any hypothetical future action is something I would simply be required to respond to in good time, that would be entirely manageable. All data that could possibly be requested would be easy to identify in that one account.
                  I'll keep reading up on it all, but at least it doesn't sound like I'm in imminent danger of being fined.

                  Thanks again!



                    #10
                    Originally posted by d000hg View Post
                    I'd not heard of it until my inbox clogged with all the emails in the last few weeks. I imagine many others are the same if they don't follow the news, unless their accountant or someone contacted them. For instance I don't think I received anything from my accountant, and I don't recall CUK posting an article on it - or did they?
                    Nice article from 6th of March on it which is a good read for the OP as well.

                    https://www.contractoruk.com/success...practices.html

                    Another from the 7th Mar and there are a few others...

                    https://www.contractoruk.com/success...y_cash_in.html

                    The threads about GDPR seem to have started as far back as April 2017 it seems
                    https://forums.contractoruk.com/acco...dpr-mfeatsdung
                    Last edited by northernladuk; 18 May 2018, 13:22.
                    'CUK forum personality of 2011 - Winner - Yes really!!!!

