Data protection law changes on 25 May 2018 for all of us in Europe & beyond. There is a lot of information out there but little about GDPR for Sole Traders and Micro-Businesses
UPDATED 14 MAY to include ICO registration requirements
The law on data protection says what you should do when you collect, use, store or do anything else with people’s personal data. This law changes on 25 May 2018.
As freelance or independent professionals (working as a sole trader or micro-business/limited company), we often handle data differently from larger firms. GDPR still applies to us.
There is NO exemption for Sole Traders or micro-businesses. If you hold and work on data from clients, such as job application forms etc, then you need to have a contract with the client stating how that data is to be held and managed.
Two Principles of GDPR
The first principle means that you must have appropriate legal grounds for processing the data and that you do it in a transparent manner.
The second principle says that you must only collect data for a specific purpose and use it only for that purpose
For simplicity, I have found that these two are the most important ones to keep at the front of my mind.
There are other privacy principles for General Data Protection Regulation compliance
- Lawfulness, fairness and transparency. Transparency: Tell the subject what data processing will be done
- Purpose limitations
- Data minimisation
- Storage limitations
- Integrity and confidentiality
However, I found myself starting to get lost thinking about all of these avenues.
Simple steps for us as sole traders and small business
Start with the ICO 12 steps checklist – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Or the version for micro businesses – https://ico.org.uk/media/for-organisations/documents/2258293/eight-practical-steps-for-micro-business-owners.pdf
GDPR is all about permissions. Permissions to collect data, process data, and the right to be removed.
INFORMATION from the ICO
- Know the law is changing – which you now do, so that’s one thing you’ve done already!
- Make sure you have a record of the personal data you hold and why.
- Identify why you have personal data and how you use it.
- Have a plan in case people ask about their rights regarding the personal information you hold about them.
- Ask yourself: before I collect their data, do I clearly tell people why I need it and how I will use it?
- Check your security. This can include locking filing cabinets and password-protecting any of your devices and cloud storage that hold your staff or customers’ personal data.
- Develop a process to make sure you know what to do if you breach data protection rules.
- Don’t panic: we’re here to help. For example, you can click here to see some frequently asked questions and their answers for several different business sectors.
Audit your data
Start by building a list of what data you have, where it is stored, who has access to it and where it was obtained. Can you PROVE consent?
For each piece of data you have, document the lawful basis for processing and for how long the data will be held.
Understand the REASON why you hold and process each piece of data.
| Basis (Legal Base) | Details |
| --- | --- |
| Consent | Two forms of consent: Consent for Personal Data and Explicit Consent for Special Data |
| Contract necessity | Carrying out the obligations of a contract or legal agreement between two or more parties |
| Legal obligation | Processing mandatory to fulfil laws and regulations |
| Vital Interest | Required processing for the health and safety of the data subjects, or members of immediate family’s vital interests |
| Public Interest | Usually applies to a local authority or other government agency carrying out processing in the public interest |
| Legitimate Interest | Balancing test shows that processing data is in the shared interest of controller and data subject. The controller must demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject”. |
For example, a GDPR data audit may look like:
| Data | Where stored | Where collected | Basis | Purpose/Usage | Delete by date |
| --- | --- | --- | --- | --- | --- |
| Email, Name | Website – encrypted | Website contact form | consent | Marketing, newsletters | 2 years after collection |
| Email, name, address, telephone | Web store | Purchase form | Legitimate interest | To send purchased goods, follow-up on purchase. Provide support | 1 year after collection |
| outlook | Response from social media post | consent | To send white paper | After paper has been sent |
IMPORTANT CASE – BE CAREFUL
As freelancers, many of us have been encouraged by marketers to offer a white paper in exchange for an email address. If you do not CLEARLY say that the email will be used for newsletters, emails etc, then you are breaking the law!
If you say, “Sign Up for our monthly newsletters and get this white paper as a welcome gift”, that is better, as at least it is transparent.
BUT if you collect emails to send newsletters – do not send emails about webinars! The use is different! Tell people exactly what they are signing up for.
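The data audit table and the white paper case above boil down to three checks: is there a lawful basis (and, for consent, proof of it), is the data only used for the purpose stated at collection, and is it deleted when the retention period runs out. The register below is an added example, not code from the original post or from the ICO; it models one register entry per kind of personal data held, with constructed sample rows mirroring the audit table, and flags a consent-based record with no recorded proof of consent, refuses a use (webinar emails) that was not in the stated purposes, and lists entries past their delete-by date.

```python
"""Minimal GDPR data register for a sole trader: one entry per kind of
personal data held, with lawful basis, purpose and retention, plus checks
for the purpose-limitation and storage-limitation principles.
Added example; the sample entries are constructed, not from a real business."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# The six lawful bases for processing personal data under GDPR Article 6.
LAWFUL_BASES = {
    "consent", "contract", "legal obligation",
    "vital interest", "public interest", "legitimate interest",
}


@dataclass(frozen=True)
class DataEntry:
    data: tuple[str, ...]               # which personal data fields are held
    where_stored: str
    where_collected: str
    basis: str                          # one of LAWFUL_BASES
    purposes: frozenset[str]            # the only uses the subject was told about
    collected_on: date
    retain_for: timedelta | None        # None = deleted when an event happens
    consent_evidence: str | None = None  # where the proof of consent is kept
    retention_event: str | None = None   # e.g. "after the white paper has been sent"


def audit_problems(entry: DataEntry) -> list[str]:
    """Return the gaps an auditor would flag for one register entry."""
    problems = []
    if entry.basis not in LAWFUL_BASES:
        problems.append(f"unknown lawful basis {entry.basis!r}")
    if entry.basis == "consent" and not entry.consent_evidence:
        problems.append("basis is consent but no proof of consent is recorded")
    if not entry.purposes:
        problems.append("no stated purpose (purpose limitation)")
    if entry.retain_for is None and not entry.retention_event:
        problems.append("no retention period or deletion trigger (storage limitation)")
    return problems


def permitted_use(entry: DataEntry, purpose: str) -> bool:
    """Purpose limitation: data may only be used for what was stated at collection."""
    return purpose in entry.purposes


def due_for_deletion(register: list[DataEntry], today: date) -> list[DataEntry]:
    """Storage limitation: entries whose time-based retention period has run out."""
    return [e for e in register
            if e.retain_for is not None and e.collected_on + e.retain_for <= today]


# Constructed sample register mirroring the three rows of the audit table.
SAMPLE_REGISTER = [
    DataEntry(("email", "name"), "website (encrypted)", "website contact form",
              "consent", frozenset({"marketing", "newsletters"}),
              date(2018, 6, 1), timedelta(days=2 * 365),
              consent_evidence="form submission log, consent box ticked"),
    DataEntry(("email", "name", "address", "telephone"), "web store", "purchase form",
              "legitimate interest",
              frozenset({"send purchased goods", "purchase follow-up", "support"}),
              date(2019, 3, 10), timedelta(days=365)),
    # White paper case: consent claimed, but nothing recorded that proves it.
    DataEntry(("email",), "outlook", "response to social media post",
              "consent", frozenset({"send white paper"}),
              date(2019, 9, 1), None,
              retention_event="after the white paper has been sent"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.data, audit_problems(entry))
    print([e.data for e in due_for_deletion(SAMPLE_REGISTER, date(2020, 6, 1))])
    print(permitted_use(SAMPLE_REGISTER[0], "webinar invitations"))
```

Run it as a script to see the audit of the three sample rows; the newsletter sign-up refuses "webinar invitations" because that purpose was never stated, and the white paper row is flagged because consent is claimed without any recorded proof.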
This is going to get very interesting over time.
Practical things we can do:
- Data protection self-assessment – https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
- Get consent for any data being held
- Maintain proof that consent has been obtained for all data collected after May 2018
- Keep a record of what they are consenting to
- Where is your data held? Is it secure, can only authorised people access it?
- If paper, is this in a LOCKED cabinet? – NEVER leave personal files in hotels, cars etc unattended.
- If in a file – is that file password protected?
- If stored on a HDD – who has access? What encryption is in place?
- If on a cloud, is that cloud storage compliant with GDPR? (Google & Microsoft O365 are)
- Where do you collect data from?
- Webforms, surveys etc. Are the tools you are using compliant (encrypted, password protected etc.)?
- How do you use the information you collect?
- It is great collecting data, but do you have it written down HOW you will use each data field?
- If via your own website, is that data both sent over https and encrypted when stored (i.e. your web developer cannot see the data)?
- How often do you clear out old data?
- You need to delete data if it has not been used
- Third party rights to data you get.
- Cookies, google analytics, Facebook tracking etc. Are you SURE that any services you have on your website comply?
- Have a plan for data breaches
- The GDPR states that any breach that results in a risk to the rights and freedoms of individuals needs to be reported to the relevant supervisory authority within 72 hours of its discovery. Yes, even sole practitioners!
- When things go wrong it is easier to act if a plan is in place. This could happen if a bag gets stolen, a computer is lost or stolen, a website is hacked, etc.
- Is your phone password protected? Are your USB drives password protected & encrypted? Is the hard drive on your PC encrypted, and do you use a screen lock when you are not at the device?
- Do you shred, with a cross-cut shredder all paperwork relating to clients with “personal data” on?
- Due diligence – All services you use, LinkedIn, Facebook, website plugins etc – can you PROVE you have checked they are compliant?
- If you use website plugins, how do you know they are safe and compliant? If you pay for a plugin, you can trace the producer and have some cover. If you use “free” plugins, where is the responsibility?
If working on data supplied by clients
Then under GDPR we are Data Processors.
Do you have a contract that covers – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/
The ICO site says –
When is a contract needed?
Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.
In order to comply we need to do a few things if handling paper documents, such as job application forms.
These include transporting documents away from the place in which they are stored. Do you have a lockable bag or case? For storage in your home office, do you have a lockable cabinet to store the documents when not in use?
LinkedIn connections and other platforms
Many of us have done it. We have connected to people on platforms like LinkedIn. We download those contact details and then email them.
Sites like LinkedIn should be GDPR compliant. Messaging people through those sites should be compliant. However, once we download that data and use it for emails and marketing, we are potentially using that data without express consent. If you download such addresses, send an initial email saying where you have the data and what you intend to do with it, and most importantly have an opt-in link. If people do not respond, delete the email address!
Do I need to register with the ICO for GDPR?
Do I need to register my organisation with the ICO for data protection and GDPR? Like many people reading this, I run a very small business. In the past, I have not had to register with the ICO. For micro-businesses, the fee is £40 per year (£35 if paid by direct debit). And unfortunately for all of us involved in:
- Advertising or marketing activity
YES we as small businesses need to register!
It seems that if we are doing any of the activity mentioned above, we do need to register. See these links for reference:
https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf – similar to above but PDF version with more info.
There are exemptions, but alas, for us these are not valid under the new rules! So the ICO fee has become a tax on small business!
The only exemption I can see is if we work as a “not-for-profit”, which for many may be true in reality, but alas the intention is to make a profit!
PS This is only a start
In this document, I have attempted to summarise my learning for my business (GDPR for sole traders). I am not a lawyer, and I may have misunderstood factors. It’s a journey. I hope that it helps you on your journey. We do know that as the days and weeks go on, there will be greater clarity. Along with that will be lots of myths and mistruths. The bottom line is to imagine that when looking after the data of others, others are looking after your data. Be respectful. Remember we all have the right to be forgotten – let’s not make it hard for people.
PPS GDPR for sole traders, the basics
If you believe I have missed any of the ‘basics’ or have given misleading information, please let me know.
PPPS Re Sole Traders & Microbusinesses
There was little on the web for sole traders or micro-businesses when I looked. I hope that we will be better served by providers in time. This is my starting contribution.
Disclaimer: This page is designed as a guide, we cannot accept any losses as a result of any errors or omissions. This information is offered on a best-efforts basis, with no responsibility accepted for errors or misunderstandings. This does not constitute legal advice.
GDPR and sole traders
how does the gdpr affect small businesses? – It changes much of what we do.
does the gdpr affect sole traders? – Yes, sole traders are no different from any other business
gdpr compliance for sole traders – it is not an option!
gdpr micro business – are no different to other businesses.