You only have to do the legitimate interests assessment if LI is the 'lawful basis' under which you are processing the data.
There are 6 'lawful bases':
- consent (the most talked about)
- legal obligation (like having to keep accounts for 6 years)
- vital interest (e.g. life-saving, n/a here)
- contract - quite possible here
- Public duty (e.g. council tax collection, n/a here)
- LI - only to be used as a last resort, and you need to do the assessment. The questions posted above are only the questions to decide whether you need to go on and DO the assessment (and they are only the headlines too; there are about 5 questions under each of them on the ICO assessment, more for clarification - I'll post them underneath). If you decide from them that you do have a LI, then you have to go on to the second part of the assessment, which has about 20 questions and where you note your answers to show you have properly considered it.
For the OP - I'd assume that as they are doing business there is a contract, so that is the lawful basis.
Though you still need a privacy notice for your clients.
First stage LI questions:
- Purpose test: are you pursuing a legitimate interest?
  - Why do you want to process the data – what are you trying to achieve?
  - Who benefits from the processing? In what way?
  - Are there any wider public benefits to the processing?
  - How important are those benefits?
  - What would the impact be if you couldn’t go ahead?
  - Would your use of the data be unethical or unlawful in any way?
- Necessity test: is the processing necessary for that purpose?
  - Does this processing actually help to further that interest?
  - Is it a reasonable way to go about it?
  - Is there another less intrusive way to achieve the same result?
- Balancing test: do the individual’s interests override the legitimate interest?
  - What is the nature of your relationship with the individual?
  - Is any of the data particularly sensitive or private?
  - Would people expect you to use their data in this way?
  - Are you happy to explain it to them?
  - Are some people likely to object or find it intrusive?
  - What is the possible impact on the individual?
  - How big an impact might it have on them?
  - Are you processing children’s data?
  - Are any of the individuals vulnerable in any other way?
  - Can you adopt any safeguards to minimise the impact?
  - Can you offer an opt-out?
Second stage:
- We have checked that legitimate interests is the most appropriate basis.
- We understand our responsibility to protect the individual’s interests.
- We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
- We have identified the relevant legitimate interests.
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
- We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
- If we process children’s data, we take extra care to make sure we protect their interests.
- We have considered safeguards to reduce the impact where possible.
- We have considered whether we can offer an opt-out.
- If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
- We keep our LIA under review, and repeat it if circumstances change.
- We include information about our legitimate interests in our privacy information.