Thread: GDPR, Any business owners here compliant?

  1. #1 murkeywaters

    Well I only found/heard about GDPR (General Data Protection Regulation) the other day.

    If you own a small business it’s something you need as you could be fined a huge amount of money if you miss the deadline in May this year.

    Are there any other business owners here that have gone through the process of becoming compliant and what did it take?

    It looks boring as hell but there is no other way it seems other than to comply.

  2. #2 aldfort
    I'd suggest not worrying overly.

    Here is why:

    I serve as a councillor on the local council. We also have to be GDPR compliant. We belong to two professional bodies who are there just to give advice on matters such as this to their members who are all local councils.
    Neither body can give us definitive advice on what we must do to comply.

    Clearly we will have to comply but confusion seems to reign at the moment. It would be very easy to "over comply" at massive cost in our case and in the case of most small business.

    I am also a charity trustee and we face the same problem. We have lost our database administrator as a direct consequence of GDPR as they were worried about the non-compliance issue.
    Currently we are trawling our database to knock out those whose membership has lapsed. Those renewing their membership of the charity will be asked to sign off on the fact we hold a record of their name and address. We are looking at removing other data, such as DOB, from the record and randomising membership number (which most of them will not like one bit).
    Last edited by aldfort; 25th February 2018 at 10:57.

  3. #3

    I claim no expertise beyond the one-day course, 90% in the test (which I suspect many lawyers could get 100% without doing the course) and the certificate. It was boring.

    Putting GDPR aside, just think what is reasonable: only collecting personal data that you need, making the purpose clear, getting consent without the use of hidden tiny wording on web sites, only retaining personal data for the time that you need it, the right to be forgotten, care in transferring data to other parties when necessary for the performance of work, etc.

    Big companies are ignoring GDPR, just wait until the first company gets a €20m fine. Brexiters will be pleased to know that it is an EU reg. It’s not unreasonable, but our unrestrained capitalists or Brexiters might think otherwise.

    Last edited by BillyCasper; 25th February 2018 at 11:17.

  4. #4 vagabond
    I think a lot of businesses are putting together general plans and implementing them with a view to waiting until this is tested in court, so that the requirements can be confirmed.

  5. #5 adrianw
    SMEs can get an exemption, this legislation is aimed at marketing organisations, e.g. Facebook, Amazon, etc.

    By law companies have to keep payroll and personal data.

  6. #6 BillyCasper

    Quote Originally Posted by adrianw View Post
    SMEs can get an exemption, this legislation is aimed at marketing organisations, e.g. Facebook, Amazon, etc.

    By law companies have to keep payroll and personal data.
    I think the legitimate reasons for holding data are something like: consent, fulfilment of contractual obligation, legal obligation, vital interest of the individual, vital interest of security or something like that.

    Doesn’t it also ban processing certain types of personal data? Union membership, ethnic origin, sexual orientation, that sort of thing.

    Last edited by BillyCasper; 25th February 2018 at 12:00.

  7. #7 SeePee
    When we took advice recently we were told that as long as you are taking it seriously and making steps to comply it’s unlikely that you will be prosecuted.
    All of our main data is on 3rd party secure (as they can be) cloud servers and all of our paper records are now in locked cabinets at night and the front door locked during the day. Interested to know if SMEs really can claim an exemption?
    Main issue seems to be a requirement to ask all of our many NHS customers for consent to hold their e-mail and phone numbers in our Outlook system.

  8. #8
    Quote Originally Posted by SeePee View Post
    When we took advice recently we were told that as long as you are taking it seriously and making steps to comply it’s unlikely that you will be prosecuted.
    All of our main data is on 3rd party secure (as they can be) cloud servers and all of our paper records are now in locked cabinets at night and the front door locked during the day. Interested to know if SMEs really can claim an exemption?
    Main issue seems to be a requirement to ask all of our many NHS customers for consent to hold their e-mail and phone numbers in our Outlook system.
    https://www.hiscox.co.uk/business-bl...a-privacy-law/

  9. #9 murkeywaters
    Thanks for the advice everyone, so my business is an online ecommerce setup, we don't meet the customer as such but we do have some of their key details with every order such as name, address, email, phone number.
    We don't generally deal with payments as that is dealt with by Paypal or another 3rd party payment system, I'm sure we will have to look into securing these details to comply but how far to take it at the moment is a little confusing.

    GDPR is another hassle any small business doesn't need but we have to go through with it at least until Brexit happens anyway!

  10. #10 LuBee
    GDPR is a nightmare; even our in-house lawyers can't agree on what we need to do.

    As I understand it, it is not about how securely your data is stored, it is about how you use it, consent and legitimate interest being the two big buzz words.

  11. #11
    Quote Originally Posted by LuBee View Post
    GDPR is a nightmare; even our in-house lawyers can't agree on what we need to do.

    As I understand it, it is not about how securely your data is stored, it is about how you use it, consent and legitimate interest being the two big buzz words.
    The way it was explained to me was, other than statutory data, if someone asked you to remove any data you have about them you need to show that you have flushed your systems and all data has been removed.

    There are companies selling software to do this.

    As I said earlier, when we checked out the legislation we were exempt.

  12. #12 Kingstepper
    No doubt there will be 'consultants' or companies springing up to advise and take advantage of any confusion.
    Last edited by Kingstepper; 25th February 2018 at 13:27. Reason: typo

  13. #13 LuBee
    Quote Originally Posted by Kingstepper View Post
    No doubt there will be 'consultants' or companies springing up to advise and take advantage of any confusion.
    There are plenty of snake oil merchants out there, I receive multiple emails every day about GDPR trying to frighten me.

  14. #14 aldfort
    Some of the comments have helped me a little.

    I think it's the talk of Data controllers and Data Protection Officers (or whatever the terminology is) that's confusing. That is to say, not so much the what, which seems fairly clear, or the intent, which again is fairly clear. It's the how that seems to be tripping people up, the proof of compliance if you like?

  15. #15 senwar
    Quote Originally Posted by Kingstepper View Post
    No doubt there will be 'consultants' or companies springing up to advise and take advantage of any confusion.
    Absolutely. There's a lot of false information being put out already to scaremonger.

    I retrained in DP last year and now am a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Practitioner/Europe (CIPP/E) so can act as a DPO. I work within the IT industry and there's a lot of assistance being offered by the main companies but there's still a lot of unknowns.

    The smaller firms have scope to be taken for a ride....

  16. #16 AndyMilts
    Quote Originally Posted by aldfort View Post
    Some of the comments have helped me a little.

    I think it's the talk of Data controllers and Data Protection Officers (or whatever the terminology is) that's confusing. That is to say, not so much the what, which seems fairly clear, or the intent, which again is fairly clear. It's the how that seems to be tripping people up, the proof of compliance if you like?
    The regulation is not quite as complicated as it is being made out to be. When a lawyer writes something it has to be complicated. If you handle data that can be used to identify an individual you must make sure you look after it and can delete it completely if asked. Looking after it means taking reasonable steps to stop it being stolen or misused. Asking permission is the first stage, then ensuring you know where it is, including copies, USB sticks and laptops. We suggest you use encryption on everything. The DPO is responsible for making sure the company has a policy and process and follows it.

    For medium to large customers, to cover their bases we recommend using a data discovery tool to find everything and find out who is touching it and using it; a marking/classification tool to ensure it is marked in the correct way; and a data loss prevention tool to stop classified data, or data that is in breach of a regulation (PCI, GDPR, DPA). Then we are recommending the use of an education tool to ensure the users know what is expected and what to do. This should demonstrate the company has made reasonable steps to protect the data, thus mitigating the risk of a major fine. Plus you have 72 hours to report any breach.

    If you take responsibility for your customers' data, if it can identify an individual (this could include user names and IP addresses), you should be fine. We are doing lots on this at the moment, but you will not be compliant as such, as you need to keep checking that you are doing it correctly still. The reality is most people will suffer a breach of some type, but if your sensitive data is identified and protected you should be ok.

  17. #17 Carlton-Browne
    Quote Originally Posted by AndyMilts View Post
    The regulation is not quite as complicated as it being made out to be...
    I'd be grateful if you could share some examples of the tools you speak of; particularly the education tools.

  18. #18 AndyMilts
    Quote Originally Posted by Carlton-Browne View Post
    I'd be grateful if you could share some examples of the tools you speak of; particularly the education tools.
    Tool sets recommended will vary from customer to customer depending on what technologies they already use, but on a greenfield we would recommend Varonis for discovery, Boldon James for classification, and for DLP we use McAfee mostly, as we are a Platinum partner, or Forcepoint or Symantec. Education wise, Axelos Frontline and Wombat are the best, but there are others; if you want to discuss, drop me a PM.

  19. #19
    I think it's fairly complicated, but then I’ve designed, written and implemented the policies and procedures, and with the intention of also meeting ISO.
    It's just a matter of time...

  20. #20
    Quote Originally Posted by BillyCasper View Post
    I think the legitimate reasons for holding data are something like: consent, fulfilment of contractual obligation, legal obligation, vital interest of the individual, vital interest of security or something like that.

    Doesn’t it also ban processing certain types of personal data? Union membership, ethnic origin, sexual orientation, that sort of thing.


    We are managing this in house using a risk assessment approach linked broadly to the headings above. My personal view is that we are low risk and it won’t be an issue in practice. Just need to update policies, put in some new processes (or have them ready if we are asked) and train staff. Mostly common sense.

  21. #21
    Quote Originally Posted by murkeywaters View Post
    Thanks for the advice everyone, so my business is an online ecommerce setup, we don't meet the customer as such but we do have some of their key details with every order such as name, address, email, phone number.
    We don't generally deal with payments as that is dealt with by Paypal or another 3rd party payment system, I'm sure we will have to look into securing these details to comply but how far to take it at the moment is a little confusing.

    GDPR is another hassle any small business doesn't need but we have to go through with it at least until Brexit happens anyway!
    If you sell anything into the EU27 countries, you will be obliged to follow it or risk prosecution in the country your customer lives in.

    Even if Brexit happens, the UK will be likely to have full matching regulations as divergence would just be too big a hassle to cope with.

    There are some useful resources, but the best I've come across yet that gives a good explanation of what it's all about is https://www.futurelearn.com/courses/...ion-regulation

  22. #22 mindforge
    I work in this area on a daily basis. Ignore the scaremongering and sales pitches. Read the ICO website and its useful guidance and take a proportionate approach depending on what your business does. Worst thing is to be paralysed and do nothing, at least demonstrate an attempt to comply.

  23. #23 Carlton-Browne
    Quote Originally Posted by AndyMilts View Post
    Tool sets recommended will vary from customer to customer depending on what technologies they already use, but on a greenfield we would recommend Varonis for discovery, Boldon James for classification, and for DLP we use McAfee mostly, as we are a Platinum partner, or Forcepoint or Symantec. Education wise, Axelos Frontline and Wombat are the best, but there are others; if you want to discuss, drop me a PM.
    Thanks, I'll do a bit of background reading and drop you a note if there's something to discuss.

  24. #24
    Quote Originally Posted by adrianw View Post
    SMEs can get an exemption, this legislation is aimed at marketing organisations, e.g. Facebook, Amazon, etc.

    By law companies have to keep payroll and personal data.
    Simply not true. It's any business that holds personal data, and then there are additional requirements around if you actively (genius piece of non-information in the laws) market to those individuals, which hits the likes of FB and others. Payroll data is managed by separate. At its most basic level it's not that different to people opting in to receiving information as they do today. The tricky part, thus far, seems to be how you implement the 'right to be forgotten' and remove people.

    If you read emails on your phone that come from mass marketing you may have noticed the unsubscribe button next to your name, certainly in Gmail. That is GDPR in action.

    GDPR at its most basic is pretty simple; the issue is that there are sections that contradict existing data protection laws. Hence some confusion, especially around the right to forget.

  25. #25
    tbh I've left this to others in our company to think about but, from what I'm hearing in the office, there seem to be a couple of issues. One is still having customer and invoice and payment details to satisfy the tax man and the other issue is having details so we can keep track of warranty issues. i.e. if a customer says 'forget me' but then a year later comes back and tries to send some goods back under warranty then we might find it hard to prove that the customer purchased the goods from us and when!

    Oh and the other one recently was no credit card surcharge! Net effect is we have to put ALL our prices up even for those customers that pay via cash or bank transfer or on account!
