
Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

GDPR and (very) small businesses

16 replies

MarklahMarklah · 04/05/2018 12:19

I'm trying my best to plough through all the requirements but I'm getting confused. I wondered if someone could explain, in idiot-proof terms the following.

If someone contacts my business, by telephone or email, and I'm not available, I have to take their details and call them/email them back. This may or may not lead to a business relationship.
At the moment, messages are written on a notepad and placed on my desk. At home. The office can be locked.
The emails are on my personal computer which is password protected.

Where do I stand with regard to processing this data under GDPR terms? I don't do any marketing or selling on of customer details. If there is no business relationship the information is destroyed - emails deleted, and paper shredded.

We also keep customer invoices. They hold name and address information. Obviously we need to retain the invoices for tax calculations. The database of these is also electronic and password protected. I'm guessing we need to ensure the data is encrypted too?

I'm trying to read up what I can but this has been a sole trader business. I'm a relative and have just come on board to help with admin duties. Due to the nature of the business the main person is out of the physical office for long periods of time, actually doing the job that the admin relates to.

OP posts:
LIZS · 04/05/2018 12:28

As long as you keep details secure, delete/shred when no longer required and only store data about enquirers who have opted in for a specific purpose and ongoing suppliers/customers plus any statutory information you should be ok. Your correspondence and website should carry a privacy notice, with details of how to opt out. You may still need to appoint a data protection officer and have a process in place for any data access requests. The complications are if you routinely share data with external organisations or operate a mailing list.

MarklahMarklah · 04/05/2018 12:40

Thanks LIZS - I appreciate your feedback.

It's a small business with a small turnover, and I think we can likely cover data protection between the two of us. From what you say, we're already doing all the rest:

I'm actually working on the privacy notice now. It'll be live in the next day or so.

There is a mailing list, but operated through an external provider (one recommended under current legislation) so that is covered, I understand.

We do not share data with any external organisations.

We hold no data on sex, age or customer preferences. It's literally X may contact us because they're interested in what we do. We get back to them to see if we can meet their requirements. Either we proceed and they pay for the service, or they don't and we delete their information.

OP posts:
ajandjjmum · 04/05/2018 13:02

From what I understand, as we do not use information for mailshots or random contact, we do not need to contact people whose details are on our records.

I think it is more of an issue if you deal with individuals, whereas we are a B2B company.

Not 100% on any of it though!

MarklahMarklah · 04/05/2018 13:48

We deal with individuals and small (often charitable) organisations, but when the latter, through a named individual contact. As I say, we ask for minimal information.

It's a minefield!

OP posts:
Xenia · 06/05/2018 10:53

All the above sounds right. I would also recommend people check if they need to be registered with the ICO and also check what lawful basis they can use to process data. There are online tools on the ICO's website for both of those things you can use to check.

MarklahMarklah · 09/05/2018 14:07

I found this statement on a page all about GDPR which seems to cover us -
"However, consent is only one of six lawful grounds for processing data, and it's generally the least preferable option. Therefore, organisations will probably adopt an alternative ground wherever possible:
  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract."

I assume that by telephoning/emailing they are consenting to us having some personal data in order for us to fulfil their requirements.

The more I read, the more confusing this is!

Essentially we're a small run-from-home business. Think gardener/painter or personal trainer type situation.
People contact us to ask if we can do XYZ
We speak with them to find out their needs - agree price.
We then go and do what needs to be done.
On our website there is the option to sign up to a newsletter about what we do.

So we take name/contact number/email address/sometimes address. Usually we meet the client at a public place, but occasionally have to go to their home.

The data we collect about them is used to produce an invoice.
We keep copies of the invoices for tax purposes.

OP posts:
prh47bridge · 09/05/2018 14:47

Your confusion may stem from a belief that you now need consent for everything to do with processing personal data. You don't.

There are six legal grounds for processing personal data. Of these, four are potentially relevant to you:

  • Consent
  • Legitimate interest
  • Contract
  • Legal obligation

When you agree a price for the services you provide with someone they are entering a contract with you under which you will provide the agreed services and they will pay the agreed price. That means you are entitled to hold whatever personal data you need to fulfil that contract (i.e. deliver the services, produce an invoice and collect the money owed). You do not need the customer's consent for that. Your justification is that you have a contract.

"Contract" also covers steps the customer asks you to take before entering into a contract. So the process you describe from people contacting you up to the point where they place an order is also covered under "contract" as far as GDPR is concerned. Provided you only keep the personal data needed for the pre-contract process (which sounds like it is the case from your description) you do not need consent from the customer.

You are obliged by law to keep copies of invoices for tax purposes. That processing is therefore justified by "legal obligation". Again, you do not need consent from the customer.

That leaves us with your newsletter. It may be possible to deal with that under "legitimate interest" which would mean that consent would not be required, but it is safest to deal with it under "consent". You therefore need to be able to show that you have received specific consent from everyone who receives your newsletter and that they can easily withdraw their consent at any time.

The ICO has good guidance for small businesses here. I think their guidance is fairly easy to follow.

MarklahMarklah · 12/05/2018 23:45

Thanks prh - I'll follow that link up on Monday. As far as I can tell, the newsletter thing is covered by Mailchimp. People have to opt in to the newsletter; it's not automatically sent. But I'll check the link to be sure.
I'm putting together some T&C revisions/privacy policy so I will make sure we include a definition of 'contract'.

OP posts:
prh47bridge · 13/05/2018 08:27

I'd be careful about defining "contract" in your terms and conditions. There is a legal definition which does not include the pre-contract negotiations.

GDPR states that processing is legal if it is required to fulfil a contract or if it is required to take steps the customer has requested prior to entering a contract. Although that is often shortened to "contract" when discussing GDPR, it does not alter the legal meaning of the term.

I would recommend separating your privacy policy from your terms & conditions so that you have a separate privacy notice. The privacy notice needs to be compliant with GDPR.

Sassparilla · 13/05/2018 11:09

If you have a website you will also need a cookie policy.

TrinaN · 15/05/2018 14:31

If you are not sure on the privacy notice have a look at similar but bigger organisations or professional websites - they will have privacy statements on them (bigger companies would have paid a lot to get them done) and you can then copy and paste the relevant bits.

Watch out on the not sharing details with third parties - do you use separate accountants for the tax returns, or send copies of the invoices to the Inland Revenue? If those have the client's data on them, that would be sharing it with a third party.

MarklahMarklah · 15/05/2018 22:33

Cookie policy is in place Sass but thanks for mentioning it. There are so many things!

Trina - it's self-assessed for tax and no, invoices are not sent out to anyone other than to the client.

OP posts:
badhairday43 · 17/05/2018 07:46

Can I also jump on this thread? My company are getting confused with other companies referring to Privacy Policies (they're different to the notices) and Data Protection Policies. Are they one and the same thing? Also, what does your DP Policy look like? Ours is an internal policy (i.e. employee facing) but what about our customers? Do we adapt it so it's also customer facing (but most won't be relevant) or have two policies? Any help from someone in the 'know-how' would be appreciated. We have a GDPR headache!

prh47bridge · 17/05/2018 11:43

The Privacy Notice (or policy) is something you need to give to anyone for whom you hold data, specifying, amongst other things, what data you hold, how you use it, their rights and so on. There is guidance on the ICO website.

It is different to your Data Protection Policy. That is employee facing and describes the steps you will take internally to protect data.

MarklahMarklah · 17/05/2018 12:02

Privacy policy is what I am finalising now. There are only two of us in the company, so not sure we need a written data protection policy. I can't imagine gardeners or freelance hairdressers have this either?

OP posts:
prh47bridge · 17/05/2018 12:26

You are probably ok without a written Data Protection Policy. However, if you want to be safe there are a number of free templates available on the internet.
