WRONG GDPR is a UK bill embedded into the UK law system and it is here to stay. Brexit will have NO effect on GDPR. The new Data Protection Regulations will remain and will still be applicable even after leaving the EU.
WRONG Not addressing a Subject Access Request (SAR) correctly and within the correct timeframe is a criminal offence which carries heavy fines and possible prison time. Small businesses should ensure that they have adequate processes in place to fulfil all types of SARs within the required timeframe.
WRONG It is true that currently the ICO is focusing on large organisations, but it has recruited heavily in the last 12 months and soon will shift its focus to small businesses. Small businesses should focus on getting themselves as compliant as possible while there is still time.
WRONG Consent is merely one of the six lawful bases for processing personal data (set out in Article 6 of the GDPR). Businesses can process only the personal data they actually need (without consent) in order to perform a contract with the data subject (or to enter into a contract with the data subject) or to pursue their legitimate interests (provided that does not override the individual’s right to privacy).
WRONG Performance of any sale, supply or service contract will, fundamentally, involve the engagement of, and correspondence with, individual staff at those contracting organisations, which will contain names and contact details (at the very least). This data must be processed fairly and in a transparent manner, kept up to date, appropriately secured, and deleted when it is no longer needed (not retained indefinitely). Businesses should still have updated privacy policies, standard terms and conditions or supplier contracts, and internal policies for staff to implement their obligations to protect personal data.
WRONG A business email address or telephone number that relates to an individual (i.e. not an office switchboard or reception desk number) is personal data relating to that individual, not the company. This is the case even if the email address is publicly available on a website. GDPR will apply to any processing of this personal data and procedures will need to be followed before it is processed.
WRONG Processing personal data (including special category data, such as medical records) because it is required to perform an employment contract is a lawful basis for processing (under Article 9), but it requires complete and transparent adherence to the principles under Article 5. This means all staff have the right to know how their personal data is processed, at the time it is collected. Employers should, therefore, produce a sufficiently detailed, accurate privacy notice (that sets out, as a minimum, what data they need, how they store it, which third parties process it on their behalf and how long they retain it) and issue this to all staff, which may require and prompt them to review how they process their staff data and what they communicate to staff. Staff can be required to sign, date and return copies for internal record keeping.
WRONG Many organisations shoe-horn electronic marketing information into their invoicing process, customer feedback or usage guides. The basic rule is that you cannot market to customers unless you have their permission to do so (e.g. by email, over the phone or by online tick box).
The one limited exception to this is where you have previously sold products or services to them and wish to advise them of related products or services (i.e. on a “you’ve dealt with us before, why not again” basis only), and you contact them using only the contact details you first obtained. These practices will not (in most circumstances) successfully bypass the marketing consent rules. If you have not yet revised your marketing consent processes or segregated your marketing databases between those that have opted-in or opted-out, do not delay in doing so. The ICO has highlighted breach of marketing consent rules as a particular area of focus for enforcement as GDPR beds down.
CVG Solutions has developed a program specifically to support small businesses in identifying gaps and becoming compliant by providing expertise and off-the-shelf processes, procedures and policies which can be tailored to suit. We are not here to catch you out; we are here to support you!