The Information Commissioner's Office (ICO) has stepped up its data protection enforcement activity.
As this BBC interview explains, it’s not about stopping people going about their lawful business. It’s about trying to restrict the activities of spammers and scammers.
I am not claiming to be a Data Protection or GDPR expert and anything said in this article should be treated as a fellow business owner giving his interpretation of the requirements. I may be wrong (it has been known) and having read this article, it’s still up to you to ensure that your business complies with the ICO’s requirements. If you discover that I am wrong about any aspect, please let me know!
First, GDPR (the General Data Protection Regulation) builds on and supersedes the existing Data Protection Act 1998, and it comes into effect on 25 May 2018.
So, the first step would be to make sure you’re complying with the existing regulations. For example, do you need to be registered as a Data Controller?
A Data Controller is the person who decides what is done with the data, as distinct from a Data Processor, who acts under the Data Controller's instruction. A Data Controller may need to register with the ICO, whereas a Data Processor doesn't need to. Both may register voluntarily if they wish.
The ICO’s self-assessment resource may tell you that you do need to register. If that is the case, my advice would be that before you go through the process, call them on 0303 123 1113. I found them to be helpful and approachable, and if their website tells you to register, I discovered that there are exemptions that the online test does not account for.
These exemptions centre around whether:
If in doubt, contact them for clarification.
You should also have a Data Protection Policy, but this is for internal use so that you and your staff are aware of how you intend to keep and secure personal data. Think about what data you collect; where you collect it from; how long you keep it; where and how it is stored; and who has access to it.
We take your privacy seriously and will only use your personal information to administer your account and to provide the information, products and services you have requested from us.
This statement should be expanded:
Above: an ICO example of what the full notice might look like.
You might consider using this Privacy Notice as a starting point, but I cannot write it for you as I do not know what you do with your data. This example will need to be amended if you collect data for general marketing and/or if you intend to share the data with a third party as described above.
The ICO has produced this helpful document, which you might find useful.
If you do email, SMS text, phone or post marketing and have developed a marketing list (as distinct from a client list), you will need your prospects' consent to continue marketing to them by way of an opt-in. It is not sufficient for you to write something like "unless we hear from you, we're going to assume that you consent to future mailings". Sorry, please don't shoot the messenger, but they must agree by opting in: silence, inactivity or a pre-ticked box does not count as consent. You cannot continue to send marketing communications if you do not obtain consent.
Note: what I’m writing about here is a marketing list, not a client list. You can still contact your own clients about your normal business or club activities etc.
I hope you have found this article of use. And to my clients: I look forward to receiving your Privacy Policies and Privacy Statements in due course!
Article by Chris Addams of Swift Image Web Design, dated 4 May 2018.