GDPR - anyone working in this area?
RM

592 posts

97 months

Saturday 24th February 2018
DELETED: Comment made by a member whose account has been deleted.
Not shopped there before, just entered my name and email address as part of checkout. Then decided not to proceed with the purchase and left the website.

It's standard cart abandonment follow up by an ecommerce system, Shopify offer it for example.

Wombat3

12,151 posts

206 months

Sunday 11th March 2018
I've read this thread from start to finish & learned a lot so thanks to all that have contributed.

At the same time, as a small business owner I am sure I am not alone with finding a lot of this somewhat mind boggling and overwhelming in respect of understanding where the boundaries lie. Those that are making a living in this field may find this stuff "obvious", but, I suspect like a lot of people, my focus/understanding/daily activity/mental energy is primarily deployed around the daily mechanics of running my business & therefore what will help people like me are some simple & real world examples of do's & don'ts - and these are hard to find.

There are tons of questions arising about both physical and digital data storage.

For example:

In my business (B to C) we will take credit card payments over the phone, sometimes many months in advance of seeing the customer. This generates both a merchant and a customer card slip from the terminal. So what constitutes secure storage of this information in our premises? In a file? In a locked cabinet? In a safe? If so, how big a safe? Likewise, where we have generated booking confirmations or invoices that are peppered with customer details, what constitutes safe storage of that information? As has been alluded to, HMRC obliges all businesses to keep records for 7 years+, but is there then a standard set as to how or where that information is held?

With regard to digital information held, inevitably, as has been referenced earlier in this thread we have the monster that is our email correspondence. Again we use Office 365. We are required by our insurers to acquire & retain some information about our clients. Often this is in the form of scanned information sent to us by email (which then gets filed onto a file server, but there may also be copies of such data in our email files).

The question that arises here is both physical and digital: (we think) our network is secure, but that wouldn't help much if some tea-leaf breaks in and steals the computers from our office...!

jonamv8

3,151 posts

166 months

Tuesday 13th March 2018
So on occasion an individual or company contacts me out of the blue as they feel that their services may be of interest to our organisation, I have not opted in but I am interested in what they are offering and welcome them contacting me. Will this cease now GDPR is coming into play? What sort of fine could they be looking at for doing this? Also what if this happens on a social network such as LinkedIn for example?

I really struggle to see how this can work B2B

Sheepshanks

32,756 posts

119 months

Tuesday 13th March 2018
jonamv8 said:
So on occasion an individual or company contacts me out of the blue as they feel that their services may be of interest to our organisation, I have not opted in but I am interested in what they are offering and welcome them contacting me. Will this cease now GDPR is coming into play? What sort of fine could they be looking at for doing this? Also what if this happens on a social network such as LinkedIn for example?

I really struggle to see how this can work B2B
DELETED: Comment made by a member whose account has been deleted.
I read his question as being what governs someone finding his name (in a business context) somewhere (perhaps on LinkedIn, for example) and basically cold calling him.

FurtiveFreddy

8,577 posts

237 months

Tuesday 13th March 2018
DELETED: Comment made by a member whose account has been deleted.
This is an interesting comment, as it seems too simple to be the answer!

I've been following this thread as one of the things I'm involved with is running B2B email campaigns for a business partner. We have started using Wizemail to handle the emailing, so unsubscribes are all handled by them once I upload the original contact lists.

My questions:
1. I don't know where all the data in the contacts list was sourced from. Is this going to be a problem?
2. How is responsibility split between Wizemail to ensure we are operating correctly? i.e. am I only responsible for the data I hold locally or the data on their server as well?
3. Do we have to do anything with our existing contact list or any future contact list we may buy in other than provide a clear unsubscribe link in the emails we send out?
4. We're looking at running email campaigns for some of our clients who don't have that capability in-house. The client would provide the contact list in this case. So again, where does GDPR responsibility lie between our client, us and Wizemail if we do this?
5. We operate in the SME space and a proportion of our clients will be sole traders and partnerships. I've read they shouldn't be treated in the same way as larger companies, so how do we deal with that?

DELETED: Comment made by a member whose account has been deleted.
Lack of response isn't necessarily a reason to delete a contact from a mailing list. Marketeers would answer this by saying "we haven't yet found the compelling reason for them to respond" and they can be correct in thinking that.

Given the BMW example discussed previously, a dealer could email you 50 times about 50 different cars, but the 51st car might be exactly the spec you want to buy. That's a B2C example, but there are parallels in B2B.

Anyway, I'd be interested to hear your thoughts and thanks for the informative thread!

Edited by FurtiveFreddy on Tuesday 13th March 14:07

Dixy

2,921 posts

205 months

Tuesday 13th March 2018
DELETED: Comment made by a member whose account has been deleted.
Please reply on here. I read the questions and thought I looked forward to someone commenting. Did I read somewhere that very small businesses are exempt?

anonymous-user

54 months

Tuesday 13th March 2018
DELETED: Comment made by a member whose account has been deleted.
For the vast majority of small businesses this is all people need to remember. Use the data for the purposes it was given to you. Look after it whilst you keep it. Dispose of it carefully when you no longer need it.

FurtiveFreddy

8,577 posts

237 months

Tuesday 13th March 2018
That's very helpful. Appreciate the replies when you're busy!

andyb28

767 posts

118 months

Wednesday 14th March 2018
I must admit, I haven't read through all of this, but it would seem TinRobot is doing a fantastic job in this sector.

An interesting question came up today.

Let's say your business gives out financial advice and the suggested retention period from the FCA is 7 years. Without gaining additional permission, I would presume you are expected to delete the data at the end of the 7 years.

It's quite possible that legal matters could require that data in say 10 years time. Surely the PPI thing is showing that.

I am an IT guy, not in the finance sector, but I thought it was interesting and worth discussing. Apologies if this has been covered already.

jonamv8

3,151 posts

166 months

Wednesday 14th March 2018
desolate said:
DELETED: Comment made by a member whose account has been deleted.
For the vast majority of small businesses this is all people need to remember. Use the data for the purposes it was given to you. Look after it whilst you keep it. Dispose of it carefully when you no longer need it.
This is encouraging. We do this already so I'm guessing we need to do zero in relation to GDPR then which is good news!

Bikerjon

Original Poster:

2,202 posts

161 months

Wednesday 14th March 2018
Just heard a GDPR radio advert warning of the deadline. I only caught the end of it, but the bit I heard seemed very much targeted at small business/self-employed trades!

Sheepshanks

32,756 posts

119 months

Wednesday 14th March 2018
jonamv8 said:
This is encouraging. We do this already so I'm guessing we need to do zero in relation to GDPR then which is good news!
I think our (in B2B) main pain is going to be writing down a policy so that we can show it to whoever asks.

TwistingMyMelon

6,385 posts

205 months

Wednesday 14th March 2018
Cheers for all the input on this, most helpful. I started implementing and planning for GDPR 12 or so months ago, but there were too many initial grey areas and I have had to wait for the dust to settle on the more complex issues; I simply couldn't get answers on the topics I needed. I have a couple or three questions:

1. Can anyone recommend a good DPA consultant/legal advisor? I want to be able to ask questions, seek advice and get it, and I'm happy to pay whatever this costs (obviously within reason).

2. I was struggling to get this one answered and have had conflicting advice:

We process personal information on non-EU nationals, supplied by non-EU companies, and we are based in the EU. Does the GDPR apply to this data? I presumed it does, or even if it doesn't, it would be good practice to treat it as if it does. BUT I had conflicting advice on this when I looked into it months ago: some advised GDPR applies, one legal advisor said no.

3. We process personal data in regard to legal compliance. Often we are processing this data because we believe laws are being or have been broken, therefore we cannot obtain consent from the individual the data is about, as it could compromise legal proceedings or future legal proceedings. Where do we stand with this?!!
jonamv8

3,151 posts

166 months

Wednesday 14th March 2018
Sheepshanks said:
jonamv8 said:
This is encouraging. We do this already so I'm guessing we need to do zero in relation to GDPR then which is good news!
I think our (in B2B) main pain is going to be writing down a policy so that we can show it to whoever asks.
Any templates knocking about yet?? :-)

Leithen

10,885 posts

267 months

Thursday 15th March 2018
Apologies if this has been asked before. Where does general paper correspondence sit within GDPR? Do we need to audit every single document held within filing systems, identifying individual Data Subjects? Our business is primarily retail, so the bulk of our correspondence is with suppliers, professional bodies etc (I'm obviously not including HR here).

Leithen

10,885 posts

267 months

Thursday 15th March 2018
Leithen said:
Apologies if this has been asked before. Where does general paper correspondence sit within GDPR? Do we need to audit every single document held within filing systems, identifying individual Data Subjects? Our business is primarily retail, so the bulk of our correspondence is with suppliers, professional bodies etc (I'm obviously not including HR here).
DELETED: Comment made by a member whose account has been deleted.
That's a great help, thank you.

TwistingMyMelon

6,385 posts

205 months

Friday 16th March 2018
Cheers for the advice TinRobot, I've PM'd you.

anonymous-user

54 months

Saturday 17th March 2018
TwistingMyMelon said:
Cheers for the advice TinRobot, I've PM'd you.
Me too. This is like the PH of old, somebody actually offering helpful advice rather than the usual bickering and infighting.

FlabbyMidgets

477 posts

87 months

Sunday 18th March 2018
Wondering if I could get some advice. Not very knowledgeable in this area.
I work for a small franchised takeaway business. Could someone explain in layman's terms how this legislation will affect us? I'll just add I'm not in agreement with all of what goes on in the shop.

We have a database of customers: contact details, redacted card info, address etc., accessible at will by any member of staff with no trace of who and when etc.
Same sort of database for current and previous staff. Accessible by anyone. Not sure if it is possible to download any of this data, which I have seen may be required.
Loose control of paperwork, no locked private document storage, just scattered. Loose control of receipts too, card details and customer receipts, including addresses.

Sorry if this is a big ask.

FlabbyMidgets

477 posts

87 months

Sunday 18th March 2018
DELETED: Comment made by a member whose account has been deleted.
Thanks for the reply. Will PM now.