
GDPR - training!

193 replies

Fekko · 06/09/2017 07:28

Does anyone know of any decent courses to get to grips with this? I've read up on it but still have questions.

PickleFish · 09/03/2018 22:47

I've been on the ICO website. It's not at all clear for people in my situation, unfortunately. Even our professional societies don't seem to know what we have to do. I did their little 'quiz' about who had to register or not, and couldn't answer some of the questions as it didn't quite apply.

As far as I can see, anyone who has anyone's name and phone number saved seems to need to pay a registration fee. Which has to be pretty much anyone who charges anyone for anything. Every babysitter, childminder, cleaner, tutor, music teacher, yoga teacher, mobile hairdresser, whatever, however few hours each week, has to register and have a policy I guess, which seems overkill for this sort of job.

I'm hoping that some of the professional bodies that you can join will provide templates of some sort. But you have to pay your £35 or whatever to the ICO and then implement whatever actions are needed. But without emailing people?

Clarissalarissa · 09/03/2018 23:08

So a babysitter or similar has to work for 5 hours every year just to pay the ICO registration fee? And spend many hours trying to understand the legislation, draw up policies, etc.

gussyfinknottle · 10/03/2018 08:28

Why don't you ring them up?

Chocolala · 10/03/2018 08:44

“And what's this about it being wrong to email people to get permission to keep their data?”

That relates to marketing permissions, and is technically under another regime (PECR). If you want to use people's emails to send them direct marketing material, you need their advance consent. You cannot seek that consent by using said email to ask, because the request for marketing consent is itself... direct marketing. So, you need to use one of the other, less restrictive channels (post, call them, speak to them in person).

But that’s only for direct marketing. If all you are doing is sending them customer service messages (appointment reminders, notice that goods have arrived, etc), that’s not marketing and you can just do it.

Chocolala · 10/03/2018 08:46

Oh - and the PECR rules don't apply to B2B marketing anyway.

katieflorins · 10/03/2018 08:50

I think a lot of it is to do with risk - what are the chances of someone suing you. Until those lawsuits start appearing, no one's necessarily sure of the full implications, or all the twists and turns that will come.

Having said that, I really don't think they're going to be sprinting full speed after piano teachers, the big goal is to stop the massive groups who hold and manipulate data in ways we don't agree to, or hold it in insecure ways.

It's also completely common sense. The main thing GDPR says is that you need written consent to use someone's data in the way you want to (whether that's a name, address, photo or so on). Then you need to store it securely (so if you password-protect files and phones then someone can't just steal a bunch of contact details). Then you get rid of it if you don't need it anymore or if they don't want you to keep it. It's essentially the principles of the 1998 Data Protection Act with some teeth behind it and it's been around for a few years already.

I completely understand how individuals or tiny teams might be surprised but I am a bit confused that companies or organisations are just finding out.

Data exists forever now, and it keeps getting swept together into bigger datasets; along with increased facial recognition software and so on, it's not good. GDPR is a good thing to start tackling this. Though the real creeps will probably find ways anyway.

Chocolala · 10/03/2018 08:53

“I can't get rid of my physical contact book with names and addresses, surely.”

You don't have to. You can keep holding the data, just try and keep it secure. However, even if you lost the data, if it's only names and addresses it's not sensitive enough for you to need to notify the ICO that you have lost it. Just don't also keep bank account and card details in the same book.

“My computer is password protected, as is my phone.”

Good. Add in antivirus and make sure you install the operating system updates that come through, and that's enough for a small/one man band.

“I'm scared of these million pound fines”

Unless you are a multimillion-pound organisation you don't need to worry. You won't be fined at all unless there is a notifiable breach/significant failing that comes to the ICO's attention, and even then you'd be more likely just to receive advice on improvements they expect.

Chocolala · 10/03/2018 08:55

You don’t need consent for most collection and processing of personal data. There are 5 other lawful grounds and you can usually get things into options 2, 3 or 6.

There’s also a lot of scope for holding special category data without consent.

Fekko · 10/03/2018 08:59

Just remember it's data protection with bells on.

Don't keep any personal identifying details you don't need, destroy what you don't need, and make sure everything is secure and can't be accessed by anyone who is not authorised.

Document your procedures and make sure you report any breaches.

It's the marketing that's the fucker because you can contact people with 'important' information - so a product recall is very black and white - but a flash sale by a supplier when you could save £000s? If we didn't tell customers that prices are going up by xx% we will get howls of 'why didn't you tell us!!!'.

MammaAgata · 10/03/2018 09:02

katieflorins good summing up. I work for a software supplier; we provide software to the legal industry, and the changes we have made are separate areas to hold personal and sensitive data which work off access rights, an area to store consent (either by individual, legal guardian or for marketing), pseudonym fields, request and response logs, reports which can be sent on request to show data held, and destroy dates which data can be searched on to be destroyed. Additionally we added security relating to passwords and users logging onto the system. That's it in a brief nutshell. Our software does not make a firm 'compliant'. The firm are responsible for making themselves compliant; our software only assists that process. They also have to consider data stored in emails, paper files etc. It's been challenging and we have just released our GDPR version, so it's going to be a busy few months upgrading our clients, all of whom seem to have varying understanding of the guidelines/rules set out.
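The two posts above (Fekko's "don't keep what you don't need, destroy it, restrict access, document and log" and MammaAgata's list of product features) describe the same handful of mechanisms. The following is an added example, not the poster's software or any real product: a small record store that keeps personal and special-category data in separate areas with per-role access rights, stores consent per purpose, pseudonymises subject identifiers with a keyed hash, logs every request and its outcome, produces a subject access report, and computes destroy dates from a retention period so that expired records can be searched for and destroyed. The role names, the key, the sample records and the `demo()` walkthrough are all constructed for the example.

```python
"""Added example of data-protection features in a record-keeping system.

Constructed illustration; roles, key and sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac

# Which data categories each role may read (assumed role names).
ACCESS_RIGHTS = {
    "reception": {"personal"},
    "caseworker": {"personal", "sensitive"},
    "marketing": set(),          # marketing only ever sees pseudonyms
}

# Example key for pseudonymisation. A real system would generate this
# and keep it separately from the records, so a copied database alone
# does not reveal who the pseudonyms refer to.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonym(subject_id, key=PSEUDONYM_KEY):
    """Keyed hash: stable per subject, not reversible without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Record:
    subject_id: str
    personal: dict            # name, address, email
    sensitive: dict           # special-category data, kept in its own area
    created: date
    retention_days: int
    consents: dict = field(default_factory=dict)   # purpose -> who gave it

    @property
    def destroy_date(self):
        return self.created + timedelta(days=self.retention_days)


class DataStore:
    def __init__(self):
        self._records = {}       # subject_id -> Record
        self.log = []            # request/response log, pseudonyms only

    def add(self, rec):
        self._records[rec.subject_id] = rec

    def record_consent(self, subject_id, purpose, given_by):
        self._records[subject_id].consents[purpose] = given_by

    def read(self, role, subject_id, category):
        """Category-level access check; every request and outcome is logged."""
        allowed = category in ACCESS_RIGHTS.get(role, set())
        self.log.append({"role": role, "subject": pseudonym(subject_id),
                         "category": category,
                         "result": "ok" if allowed else "refused"})
        if not allowed:
            raise PermissionError(f"{role} may not read {category}")
        return dict(getattr(self._records[subject_id], category))

    def subject_access_report(self, subject_id):
        """Everything held about one person, for a subject access request."""
        rec = self._records[subject_id]
        pid = pseudonym(subject_id)
        return {"personal": rec.personal, "sensitive": rec.sensitive,
                "consents": rec.consents,
                "destroy_date": rec.destroy_date.isoformat(),
                "access_log": [e for e in self.log if e["subject"] == pid]}

    def due_for_destruction(self, today):
        """Search on destroy date: records whose retention has expired."""
        return sorted(s for s, r in self._records.items()
                      if r.destroy_date <= today)

    def destroy(self, subject_id):
        del self._records[subject_id]
        self.log.append({"role": "system", "subject": pseudonym(subject_id),
                         "category": "*", "result": "destroyed"})


def demo(today=date(2018, 5, 25)):
    """Walk through the features on two constructed records."""
    store = DataStore()
    store.add(Record("client-001", {"name": "A. Example", "email": "a@example.invalid"},
                     {"health": "none recorded"}, date(2017, 1, 10), retention_days=365))
    store.add(Record("client-002", {"name": "B. Example", "email": "b@example.invalid"},
                     {}, date(2018, 3, 1), retention_days=365))
    store.record_consent("client-002", "marketing", "individual")
    store.read("reception", "client-001", "personal")       # allowed
    refused = False
    try:
        store.read("reception", "client-001", "sensitive")  # refused, still logged
    except PermissionError:
        refused = True
    due = store.due_for_destruction(today)                  # client-001 expired
    for s in due:
        store.destroy(s)
    return {"refused": refused, "destroyed": due,
            "remaining": sorted(store._records), "log_entries": len(store.log),
            "sar": store.subject_access_report("client-002")}


if __name__ == "__main__":
    print(demo())
```

The log stores only pseudonyms, so the log itself does not become another copy of the contact list; the subject access report is assembled on request rather than kept as a standing document; and the destroy date is derived from a retention period set when the record is created, which is what makes the "search and destroy" step in the post above mechanical rather than a judgement call each time.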

MammaAgata · 10/03/2018 09:06

And as I understand (could be very wrong) data we are talking about is sensitive and personal data (mobile no’s, email address, NI number etc) but other data (name and address) which is easily found elsewhere (because of electoral roll) is not related to GDPR..

Chocolala · 10/03/2018 09:11

It’s all personal data and subject to GDPR. BUT public information is much easier to use lawfully and the regulatory reaction to breach is less.

PickleFish · 10/03/2018 09:14

So it sounds like my basic procedures are OK then; I do have anti-virus and up to date software.

The only real data I have on the computer is names/emails and records of if they've paid or not. The physical address book has names, phone numbers, and sometimes mobiles; there's also a list of whether they've paid that gets destroyed after it goes on the computer at the end of the year. It's just kept in my house though!

But, and this is the problem, I have no official written consent from anyone that I could keep their name/email/record of payment. It was just assumed, because they contacted me, because that's how lessons of this sort work, that of course I'd keep their detail. Just not written down explicitly. I guess I could design some kind of form for them to sign or click on, and send it to everyone.

I also haven't written down a policy that I keep names/emails etc, because it's so basic! Maybe I can find a template that does that.

But I suppose I still better pay my £35 or whatever to them. Maybe I will email/ring and ask, but I suppose I don't want to draw loads of attention to the problem and risk getting investigated!! I'm sure they're not after little piano teachers who don't make lots of money or similar, but yet it does sound shocking the way the rules/fines are written, applying to absolutely everyone.

MammaAgata · 10/03/2018 09:14

Ok thank you.

Snuper · 10/03/2018 09:14

Oooh just discovered this thread! Only read the last few posts....

I'm a DPO and the biggest challenge is getting people to understand that consent is rarely the basis we're processing on. Mainly for marketing purposes.

I disagree slightly about not having to refer to the ICO if a name/address contact list was lost/stolen - having recently self-referred for a similar loss the threshold is around about 100 people being in the contact list. The number of people affected raises the risk. The ICO agreed that this was referrable.

Snuper · 10/03/2018 09:28

@PickleFish you don't need consent to store this personal data for your piano teaching business. You are holding the data to allow you to provide the service, ie it's to deliver the contract between you and the individual. 'Contract' is one of the legal bases for processing allowed by GDPR.

If you keep your contact notebook under lock and key in a drawer, it would be more secure, but is there any reason you're unwilling to make it electronic so you can store it more securely? This would let you weed out old data that you no longer need to keep.

You would also be doing really well to have a 'privacy notice' - just a short thing to tell people what you are doing with there data - ie you only ask for the information you need to provide their service, and will keep it for x time after they quit in case they want to return, but they can ask you to delete it as they have a right to do and can ask to know what you hold and can have it corrected... also that you won't give or share it with anyone. I'd probably have a registration form that they keep a copy of, that I'd scan in and keep electronically only (but that's me!).

I don't think you need to do much more than that to comply, to be transparent to your customers, and to meet the accountability requirements of being able to demonstrate records of your processing.

I've not thought about registration fee for your setup will have a think/dig.

Snuper · 10/03/2018 09:29

*their Blush on phone!

Chocolala · 10/03/2018 09:33

On paying the fee: read this first ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf

Important part is: 8. Are you only processing personal data for 'core business purposes'?
You do not have to pay the data protection fee if the only processing you carry out is for one or more 'core business purposes'. These are:
- staff administration
- advertising, marketing and public relations
- accounts and records.
Typically this would apply to a small business that processes personal information only for these purposes to support its primary activity.

Snuper · 10/03/2018 09:35

Agree with @Chocolala , you don't need to register.

Wh0KnowsWhereTheT1meG0es · 10/03/2018 09:35

I've been lurking with interest. I found a tool on the ICO website to work out whether you need to register or not.

ico.org.uk/for-organisations/register/self-assessment/

Chocolala · 10/03/2018 09:35

"I disagree slightly about not having to refer to the ICO if a name/address contact list was lost/stolen - having recently self-referred for a similar loss the threshold is around about 100 people being in the contact list. The number of people affected raises the risk. The ICO agreed that this was referrable."

It does depend on context. I would not expect to have to refer the loss of a piano teacher's name and address list. But the patient data losses I usually handle tend to be much more fraught. Grin

Snuper · 10/03/2018 09:39

No sensitive data in the loss I was referring to, just contact details and salary bands.

But yes context is important in assessing the risk to the individuals.

GoofyIsACow · 10/03/2018 09:42

I work in a primary school and I suspect the DPO role will fall to me, which is frustrating because I am the lowest paid member of staff! (Tiny school, only me who isn't a teacher!)
I have adapted policies and procedures etc but having taken over the role from someone who wasn't very thorough in destroying old paperwork I suspect secure clearout is going to be my biggest task.
Thank you for this thread!

PickleFish · 10/03/2018 09:46

Thanks for the help.

(not actually piano teacher, but very similar :) )

The handwritten book with lessons etc is just to make it easy to write down as I get given money/paid at the time, so that I can then transfer it more easily to the computer later. I have a paper diary as well! Somehow I just like seeing it more visually. I could do it online if needed, just like paper backups and find it all quicker.

The quiz online said I needed to register when I answered the questions one way, but not when I answered them another way. So thanks for the link about keeping the data just for records - that sounds like actually maybe I don't, which is reassuring.

I guess I should produce a form and get people to sign it when they start, and probably give it to all current pupils too. There are some electronic services that allow you to post forms that people can fill in and click to agree things online, and then it would be stored securely, I suppose. But maybe I don't need to do even that, if it's all for core business purposes. I don't market anything or advertise to my clients, as they've all contacted me first.

Snuper · 10/03/2018 09:46

'yet it does sound shocking the way the rules/fines are written, applying to absolutely everyone.'

Yes, but it is also shocking that so many businesses don't recognise they are holding data that can cause harm to their customers if it is lost/stolen/given away, and people have the right to trust that their data is being handled adequately.

The ICO like to boast that they are a proportionate regulator. They are more likely to require that you put things right than fine you. Although when I've trawled their enforcement announcements I see it's not uncommon to fine small businesses around £1k inc. costs for not being registered when they should be (mainly where they use CCTV).

FWIW, I don't think the ICO are giving enough assistance to micro-businesses with template privacy notices, etc.