Like most websites, this site uses cookies. To find out more about what cookies are, and how they are used on this website, go to our Privacy Policy. If you continue to use this site, we will assume that you are happy with the website's use of cookies.

GDPR and Data Protection

It is important to be aware of the data protection regulations which govern the way that you are allowed to store and use personal information.

On this page you will find out more about:

  • What GDPR is, and how it may affect you
  • The different data protection laws
  • Using and storing data safely and legally
  • Frequently asked questions about data protection.

Upcoming changes to data protection

All businesses – including sole traders – must comply with data protection laws. Data protection law lays down rules for the processing of personal data. Personal data is any data that relates to a living person.

On the 25 May 2018, the General Data Protection Regulation (GDPR) came into force.

The key principles of GDPR are like the current Data Protection laws, but a few extra considerations have been added, and the potential fines have been significantly increased.

The principles of data protection laws

Principle one: Use data fairly and lawfully

Only process personal data when you have a lawful basis to do so.

There are three lawful basis options that are likely to be relevant to you. You can process personal data if:

1. The person has given you consent

You are only likely to need consent for marketing, or if you are processing sensitive data. The Data Regulator (the ICO) recommends you obtain consent for all marketing – although some marketing is legally possible without consent.

Sensitive data includes: racial or ethnic origin; political opinions; trade union membership; health; sexual life; data relating to offences and biometric data.

2. It is necessary for the contract

For example, you use customers’ contact details to advise them of the dates and times of lessons.

3. You have legitimate interests

This is a wide ‘catch all’ category and will cover most of your processing. Unless you need consent (see point one above), and providing the processing can be reasonably justified, then it’s likely that legitimate interests will be a valid lawful basis.

Principle two: Make your purposes clear

Only use personal data for the purposes that it is needed for.

Clearly explain how you manage and process personal data in a privacy policy – particularly for any processing that may not be obvious, or any marketing activity.

For ideas on writing a privacy policy – look at the ICO’s privacy policy and the associated guidance. Your privacy policy is unlikely to need to be as long or as complicated!

Keep records of your data processing – particularly the details of who has consented or objected to marketing information.

If consent is needed make sure it is an opt-in consent. Opt-out statements like: ‘tick here if you do not want to receive information about our services’ are not acceptable.

 

Principle three: Only hold the data that you need

Can you justify the personal data that you are holding? If you are collecting personal data that you do not need – securely delete it and do not collect any more.

If you only need data for statistical purposes, anonymise it. Anonymous data is not personal data.

 

Principle four: Keep personal data accurate and up to date

Be careful that the personal data you collect is accurate, and keep it up to date.

When meeting people check with them that your records are up to date and accurate.

 

Principle five: Don't hold data longer than necessary

Determine the reasonable period to keep personal data, explain what the period is in your privacy policy, and make sure it is securely deleted at the end of that period. Don’t forget to delete electronic copies too.

It is up to you to justify the retention period in each case – providing you have a reasonable justification for the period, then it will be acceptable.

Customer invoices and order forms are usually maintained for seven years because they may be needed for this period for legal or tax reasons. It is unlikely that you will be able to justify keeping records of a person that has only enquired about your services for that long.

 

Principle six: Explain the data-giver's rights

Explain to anyone whose data you hold what rights they have. These rights include:

  • A right to have a copy of any data you hold about them
  • A right to stop any marketing messages
  • A right have inaccurate data corrected
  • A right to claim compensation.

Principle seven: Keep data secure

You must keep personal data secure. Minimum expectations are likely to include encrypting all computers and other mobile devices, including USB sticks. Don’t forget to keep hard copy data secure too.

Security should be appropriate depending on the data. To determine this, consider the consequences of the data being lost. A bunch of business cards is very low risk data. A list of child students with their residential addresses is, on the other hand, much more sensitive and should be kept secure always.

If you have a data breach post GDPR day (25 May 2018) you must inform the ICO (the Data Regulator), unless it’s a very minor breach.

Never share passwords

If in doubt – don’t click on links

Have up to date anti-malware

If you employ someone who leaves – cut all access to your systems immediately.

 

Principle eight: Stay inside the European Economic Area

Avoid sending personal data outside the European Economic Area (EEA) if possible. If it is necessary – only send when appropriate protections are in place. Usually this will be a contract in a specified form. More information is available on the ICO website.

Frequently Asked Questions

Do I need to get customers to consent for all data processing?
No, consent is your last resort and is only likely to be needed for marketing or the processing of sensitive personal data. Note: Parental consent is needed for children under 13.

What does processing mean?
Essentially, it means doing anything with personal data – using it, storing it etc.

Are there special rules for children?
You should be extra cautious when processing personal data concerning children. For any photos we recommend parental consent is obtained. New guidance concerning GDPR and children has been added to the ICO website.

Do I need to register with the ICO?
The need to register has technically been abolished from GDPR day (25 May 2018), however it’s likely that you will need to pay a fee. An annual fee of £40 will be applicable for most small businesses. There are a few exemptions to the fees. Read the ICO's on their website.

I have a password on my computer – does that mean it is encrypted?
No, encryption software scrambles the data so that is only readable with the correct password. There are free versions available on the web – but choose carefully!

Further information.

Information Commissioner’s Office (ICO) – includes access to newsletters and conferences. You can also contact the ICO by ‘phone or web-chat.

Cyber Essentials an overview of the Cyber Essentials scheme on the UK Government's website.

GDPR Coalition  a not-for-profit initiative working to raise awareness about data privacy obligations. Hosts lots of useful infographics about GDPR.

Get Safe Online  offers free advice on online safety and security, for individuals and buisinesses.

Radius Law vlogs – a series of free to access video blogs which cover GDPR amongst other things.

Related downloads

GDPR Case Studies (PDF 2.82 MB file opens in new window)