Sorry to mention it but this may help https://www.crimsoncrab.co.uk/crab-alert/prepare-your-business-for-the-uk-leaving-the-eu/
The regulators’ purpose is to ensure there is a level playing field and to protect the weaker party in any transaction (which is usually the client or customer).
If a regulator has cause to investigate a business, it will look to demonstrate insufficient control over business processes.
It therefore makes sense to be in a position to show that you have done everything possible to comply and that you carry out checks to make sure your procedures actually work.
That way the regulator is more likely to help resolve compliance failures rather than take enforcement action, which can prove costly for a business.
When seeking referrals off people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service – so passes us their contact details. Is this safe?
Samuel Poole, Marketing Communications Manager, Syn-Star Complete I.T. Solutions
Great question. Actually, in Data Protection terms it is not safe to do this unless certain things are in place.
Essentially, when dealing with personal information such as contact details, the person who decides what to do with the information is a data controller; in this case, Bob.
The data controller has to “process” personal data fairly (processing includes passing it to a third party, i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate one in these circumstances is the consent of the data subject. This has to be GDPR-compliant consent, i.e. given freely, not under duress, and in full knowledge of what they are consenting to.
The data controller also has to give “privacy information” explaining how the subject’s data will be used. There are specific things that have to be included in this information, which often takes the form of a notice but can also be given verbally depending on the circumstances.
It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.
Of course, once the information comes into your hands for marketing purposes you become a data controller too. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to electronic marketing messages (phone, fax, email or text).
The system of rules, practices and procedures by which a business is directed and controlled.
It essentially involves balancing the interests of a business’s many stakeholders, including shareholders, owners, management, employees, customers, suppliers, financiers, government and the community.
This may include policies on:
- ethical trading
- social responsibility and
- carbon reduction.
Dealing with such things as:
- regulatory compliance e.g. the Provision of Services Regulations;
- supplier payments and
- credit control and debt management including late or non-payment of invoices.
Your clients have a legal right to know who they are dealing with (i.e the legal entity that they are trading with).
If you trade under a name other than that of the legal entity, then you need to disclose the full details of the legal entity, including an address at which you will accept service of documents.
For corporate bodies, there are specific disclosure requirements.
All of this needs to appear on business documents, including letters, emails and websites, amongst other things.
An association, corporation, partnership, proprietorship, trust, or individual that has legal standing in the eyes of law. A legal entity has the legal capacity to enter into agreements or contracts, assume obligations, incur and pay debts, sue and be sued in its own right, and to be held responsible for its actions.
There are specific requirements relating to the name a business wishes to trade under and rules to prevent the use of misleading names. Business names must not:
- be the same as an existing trademark
- include ‘limited’, ‘Ltd’, ‘limited liability partnership’, ‘LLP’, ‘public limited company’ or ‘plc’
- contain a ‘sensitive’ word or expression unless you get permission
There are requirements about the details businesses have to disclose to their customers:
- An individual trading under a name which is not their surname, with or without initials, has to give their name and an address at which the service of documents will be accepted;
- Partnerships that use a name other than the surnames, with or without initials, of the individual partners, have to give the names of all the partners and an address at which the service of documents will be accepted; and
- Incorporated bodies such as limited liability companies or partnerships (Ltd and LLP) have to make Trading Disclosures.
What are Trading Disclosures?
This is the term used in the Companies Act 2006 to cover the rules about the information companies must provide.
The Companies (Trading Disclosures) Regulations 2008
These Regulations deal with trading disclosures to be made by companies registered in any part of the United Kingdom.
The disclosures have to be made at certain locations (the registered office and other places of business), in company documentation e.g. letters (including electronic equivalents e.g. emails) and on company websites.
The Regulations also require companies to respond to enquiries about where their company records are kept available for inspection.
The short answer is no longer than necessary.
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on your own business needs. A judgement must be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information; and
- the ease or difficulty of making sure it remains accurate and up to date.
There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
The CIPD have a great resource regarding HR records which can be found here.
The UK’s third generation of data protection law has entered Parliament.
The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.
This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.
When the General Data Protection Regulation (GDPR) comes into effect next year there will no longer be a requirement to notify the Information Commissioner’s Office (ICO) as there is now.
There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.
The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing. The final fees will be approved by Parliament before being put into place.
For the purposes of the Data Protection Act, the quick definition of personal data is data relating to a living individual who can be identified from it.
The Information Commissioner’s Office has put together a quick reference guide to help.