No, it’s not.
Personal data is any information relating to an identifiable person, that is, someone who can be identified directly or indirectly from it.
What identifies an individual can be as simple as a name or a reference number, but it can also be an online identifier such as an IP address or a cookie.
The rules apply to both electronic personal data and to certain manual filing systems.
Processing means doing just about anything with personal data, including collecting, storing, sharing and disposing of it.
Employees and job applicants are covered, so the rules extend to notes made about candidates at a job interview. Don't write anything you wouldn't want the candidate to read: they have the right to make a subject access request and see it.
In relation to marketing, we also have to bear in mind the Privacy and Electronic Communications Regulations which apply when you send electronic marketing messages, by phone, fax, email or text.
That’s great news.
The ICO, like many regulators, has an issue-driven enforcement policy.
If there is a significant data breach or a pattern of complaints, enforcement action may well follow.
If that happens, the ICO will ask how you can demonstrate compliance.
If you can't, you will have no defence and will have to face the consequences, which will more than likely include reputational damage as well as any penalty.
Yes, it will.
The UK played a leading role in shaping the GDPR, and the ICO has publicly stated that it plans to introduce a regime that mirrors the GDPR post-Brexit.
It applies to any organisation that processes personal data about individuals, whatever its size.
The ICO has made it very clear that being a small business is not an excuse for non-compliance.
We are very pleased to say that one of the newest Reputation Advocates, Bascule Disability Training, has recently appeared in the Parliamentary Review.
There is no specific legal requirement to have a data protection policy under the Data Protection Act 2018 or the General Data Protection Regulation (GDPR). However, there are several areas where such a document proves useful.
The GDPR contains explicit provisions about documenting your processing activities:
- You must maintain records of your processing activities, covering matters such as the purposes of processing, data sharing and retention periods.
- Documentation can help you comply with other aspects of the GDPR and improve your data governance.
- For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities.
In addition, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. You must provide individuals with information including:
- your purposes for processing their personal data,
- your retention periods for that personal data, and
- who it will be shared with.
You must provide privacy information to individuals at the time you collect their personal data from them.
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
Using Data Processors
The regulators' purpose is to ensure a level playing field and to protect the weaker party in any transaction (usually the client or customer).
If a regulator has cause to investigate a business, it will look for evidence of insufficient control over business processes.
It makes sense to be in a position to show that you have done everything reasonably possible to comply, and that you carry out checks to make sure your procedures actually work.
That way the regulator is more likely to help you resolve compliance failures rather than take enforcement action, which can prove costly for a business.
When seeking referrals from people in my networking group, what information is safe to gather? So, let's say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service, so passes us their contact details. Is this safe?
Samuel Poole Marketing Communications Manager Syn-Star Complete I.T. Solutions
Great question. In data protection terms it is not safe to do this unless certain things are in place.
Essentially, when dealing with personal information such as contact details, the person who decides what is done with the information is a data controller; in this case, that is Bob.
The data controller has to process personal data fairly and lawfully (processing includes passing it to a third party, i.e. you). They also have to have one of the six lawful bases under the GDPR for the processing. The most appropriate one in these circumstances is the consent of the data subject. This has to be GDPR-compliant consent: freely given, specific, informed and unambiguous, not obtained under duress, and given in full knowledge of what the person is consenting to, including that their details will be passed to you for marketing.
The data controller also has to give "privacy information" explaining how the subject's data will be used. There are specific things that have to be included in this information. It often takes the form of a written notice, but it can be given verbally depending on the circumstances.
It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.
Of course, once the information comes into your hands for marketing purposes you become a data controller in your own right. In addition, you will need to comply with the Privacy and Electronic Communications Regulations in relation to electronic marketing messages (phone, fax, email or text).