What You Need to Know: The Idiot’s Guide to GDPR

21st July 2017

Here’s a thing that’s cropping up quite a bit in conversation and across those social channels upon which we all love to share and comment. The General Data Protection Regulation (GDPR).

You may know all about it already, which is great. Or, you’ve heard about it but aren’t really sure what it’s all about. And then again, perhaps you haven’t heard about it at all.

Well, if you and your organisation capture, handle, store, or share any kind of personal data, then it’s actually something you really do want to get some kind of a handle on. And sooner, rather than later.

Because it’s kind of important.

Which is why, to get you on the right track, we’ve put together a handy little guide featuring the key points that you will need to know.

We’re nice like that.

The Important Questions

What is the GDPR?

It’s as good a place to start as any. The GDPR, or General Data Protection Regulation, is a new EU regulation (Regulation (EU) 2016/679) that replaces the 1995 Data Protection Directive. In the UK that directive was implemented by the Data Protection Act 1998, so in practice the GDPR supersedes the rules you currently follow under the DPA.

Is it already upon us?

No. The regulation applies from May 25th 2018. But don’t do what you used to do with your Geography homework and leave it until the night before. There’s plenty you may need to check or put in place, so now would be a good time to get started.

Who Does It Concern?

It sets the rules for protecting personal data, and every organisation established in the EU that collects or handles personal data must comply, whether it is a data controller (deciding why and how the data is used) or a data processor (handling it on someone else’s behalf). It also reaches organisations outside the EU that offer goods or services to people in the EU, or monitor their behaviour.

What about Brexit and Article 50 and all that jazz?

Doesn’t matter. Organisations within the UK will still have to comply with the regulation when it comes in. For one thing, the UK will still be in the EU in May 2018, so will still be held to its rules. Second, the Government has confirmed that it will implement the GDPR regardless of Brexit.

Who Needs to Know About it?

Everyone in the organisation, or company. Business owners need to ensure that they have given their employees clear guidance on the regulations and procedures that need to be in place for due diligence. Saying ‘I didn’t know’ is not going to be a valid excuse.

The Key Requirements

  1. Privacy

All privacy notices that you issue need to be audited and amended so that they comply with the new rules. Under the GDPR a notice must say who you are, what you collect, why you collect it (and on which lawful basis), who you share it with, how long you keep it, and what rights individuals have, all in plain language rather than legal boilerplate.

  2. Accuracy

Any personal data you hold needs to be accurate and up to date. If you have shared data with another organisation and it is later corrected or erased, you must tell the recipient about the change. If changes to data are made, record them so that you keep an accurate trail of the amendments.

  3. Access

Individuals are set to have much greater access to the personal data that an organisation holds on them. They are legally entitled to a copy of that data (a subject access request), normally free of charge and within one month, and to say how much profiling or direct marketing they will permit; an objection to direct marketing must always be honoured. Individuals can also ask for their data to be deleted. The right to erasure is not absolute (you can keep data you still need to fulfil a contract or meet a legal obligation, for example), but your procedures and processes need to be in place to handle these requests once the GDPR is enforced.

  4. Consent

Consent is only one of the lawful bases for processing personal data, but where you rely on it the bar is higher than before. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: no pre-ticked boxes, no consent bundled into terms and conditions, and withdrawing consent must be as easy as giving it. Check that your sign-up forms and policies meet that standard, and keep a record of who consented, to what, and when.

  5. Security

The GDPR requires organisations to take appropriate technical and organisational measures to guard against data theft, loss, or other breach, and to be able to show that they have done so. Clear evidence must be shown that you have taken diligent measures in regard to security software, access control, physical security, and other aspects such as backups and disaster recovery plans.

And if you do suffer a breach that is likely to put individuals at risk, you must report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the people affected, you must also tell them directly. Keep an internal log of every breach, including those you decide not to report and why.

Your terms of service need to reflect the seriousness with which you take your obligations to security.

  6. Responsibility

Some organisations will be required to appoint a Data Protection Officer (DPO) to oversee their obligations: public authorities, and any organisation whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data such as health records or criminal convictions. Everyone else can appoint one voluntarily. The DPO can be an existing employee or an external contractor, but must be able to report to the highest level of management and must not be given conflicting duties. Even without a DPO, someone in the organisation needs to own data protection, and you must be able to demonstrate your compliance (the GDPR’s accountability principle).

And there you have it. Obviously there’s a little more detail into which you’ll need to delve, but these are the key issues that need to be adhered to, and in place, by May 25th 2018. It’s likely that a lot of this is already happening in your company, but you do need to take a fine-tooth comb to your policies, procedures, and safeguards to make sure they comply, and to make sure that everyone in your company is well and truly in the know.

74 responses to “What You Need to Know: The Idiot’s Guide to GDPR”

  1. John Price says:

    Hi All,

    I’ve arranged to spend a few days next week with one of the lawyers that actually wrote the GDPR rules for the EU.

    As I’m sure you can imagine that’s not cheap, but it does mean we can get the info for you straight from the horse’s mouth. (He’s no equine, but after 3 days of talking with me he might end up a little hoarse ;))

    Anyway, stay tuned for updates.

  2. Anne Love says:


    I am secretary of a community choir and we keep two lists:
    1. name, address and phone number of our members
    2. A Google Group list of name and email address of Friends who have shown an interest in being kept up to date with our events

    We do not divulge the information to any third party. Friends can opt out of the Google group at any time by clicking on a link.

    Do we need to do anything special to comply with the new regulation?

    1. John Price says:


      It’s not that straightforward, it never is 😉

      While we can’t give advice with such limited information, here are some questions for you to consider…

      Do your members and Friends know that you keep that information, and WHY you keep it? Can you prove that they know?

      What about ex-members, do you delete their data after a defined period?

      If you can, and that’s all you do with that info, then you will probably be OK. You still need to comply with the rest of GDPR, such as making it as easy to unsubscribe as it is to subscribe, being able to show them what data you hold on them, and giving them the chance to object to what you use it for.

      1. Steve says:

        Hi, what about, as a small company, we send out a generic email informing our database of architects & designers of a new or interesting product? No personal data whatsoever, only a work email address?

        1. John Price says:

          GDPR applies if an individual can be identified. So, if you are sending emails to sales@xyzcompany.com etc. then you might be able to claim that isn’t a person. If you are sending to namedperson@xyzcompany.com, and the only thing you have is their email address, then telling them you hold it at first contact and giving them the option to receive further info from you is probably acceptable.

  3. Steve Homewood says:

    I am Membership Secretary for 2 private organisations, 1 with about 300 members and the other 600. The data (name, address, e-mail, date of birth) is held in an Excel spreadsheet. The data is used specifically to regularly communicate details of events and send magazines. We have not in the past had a tick box on the Membership Form to ask for permission to hold and use the data to communicate with them. As they receive the magazine at least twice a year they know that we hold their data.
    Do we now need to obtain the explicit agreement from existing Members to hold their data or can we just have a section on the Membership Form for new members? Could we just put an article in the magazine confirming that we hold the Members’ data and why we hold it?

    1. John Price says:

      While it’s not possible to give specific legal advice on a blog post, my opinion is that you are using data without your members’ permission.

      Have you said at the point of collecting the data that you need it to send the magazine?

      Your members need to know what you hold and what you are going to do with it. An article in your magazine would be a good starting point. That article needs to say what you hold, why you hold it, and what the members can do if they don’t want you to, and how they can get a copy of what you hold, along with what you are doing to make sure that info is kept safe and secure.

      Holding the name and address in order to send the magazine (and for nothing else – no marketing etc.) probably falls under the need to fulfil a contract, so you don’t need consent for that, but they still need to know you hold stuff, as I said above.

      Why do you need their date of birth? That’s not needed to send the magazine out… If it’s for marketing, then you will need their consent to be marketed to.

  4. Nigel Shier says:

    I am the manager of a community hub. We have email addresses of the suppliers that we deal with and email addresses of the companies that rent space within the hub. We also hold 3 Personal files of the staff we employ with DOB, addresses etc. Could you point me in the right direction to ensure that we are compliant.
    Thank you

    1. John Price says:

      Hi, the best source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  5. Hira says:


    I work with a not-for-profit, charity with minimal employees. We no longer keep hard copy of records, but do have an electronic database of clients. It is never passed on to third parties without prior consent of the client.

    As mentioned we do not keep hard copy of any records/data. But are now unsure whether we have to delete the electronic data after a specific period of time, as we used to with the hard files. Will you be able to clarify if that is the case please, and if so, what is the time period after which it must all be deleted?

    Thank you.

    1. John Price says:


      The medium doesn’t matter for GDPR purposes. It applies equally to paper and electronic records. If you had to destroy paper records after a period of time then you will have to do so with the electronic ones.

      As for how long that is, the time limit isn’t defined in GDPR. Have you told your customers you will keep the information for x years? in which case that’s how long you can keep it for. With no time limit in place, and no regulatory reason to keep the data, then you should delete the data as soon as it isn’t needed.

  6. Craig Bainbridge says:

    Hi, I’ve been asked by my director of the company I work for to look into GDPR. We keep company names & addresses, personal names, email addresses and telephone numbers, personal and business. Can you point me in the right direction please?

    1. John Price says:

      There’s no way I can provide help based on such a limited description. We do have services that will do an impact assessment so you know what to do. Depending on your data, we can also be your Data Protection Officer. Send me an email to john.price@schemeserve.com with some contact details if you are interested. In the meantime, the Information Commissioner’s Office is a good starting point. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  7. j brown says:

    Hi I run a small consultancy to the energy industry, Including myself, there are only two employees. We contract consultants through their own limited companies to work on contracts we have won. These consultants, through their own Limited companies, provide their name, mobile number and Photo plus a short description of their skills, all of which appear on our website. This is the limit of the information held. Do I now need to do anything with regard to GDPR?

    1. John Price says:

      While this is not advice, GDPR applies to ‘natural persons’. i.e. a real individual. If you are showing details of limited companies, then I don’t think much will change from your front end. You will need to think about any data you hold outside of this though. For example, do you send marketing material out? in which case you will need to demonstrate you have permission to do so.

  8. Helen says:

    Hi, I work for a small business – all our personal details are on paper.
    Some details are held on the government-run app that we use for wages.
    I’m guessing that they need to inform us about GDPR.

    What I would like to know about is what position we are in at work.

    Thanks in advance

    1. John Price says:

      Not enough info to answer fully, but paper or electronic records doesn’t matter. If it’s information about an individual it counts. Now, if all you are recording is enough information to pay wages, then you already have permission from your staff to do that – it’s part of the employment contract. If you are using the information for other reasons, then you need to make sure that reason is known to those whose data it involves and you have permission to do so.

      A source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  9. M Barnes says:

    Hi. I work with a members’ only charity which has been going for many decades. Early membership forms required DOB, whilst later forms did not. Members are contacted to inform them of meetings or social occasions and may contact us for consideration of financial or pastoral help. Does each member require to be advised of the specific details we hold (i.e. DOB where this applies) on an individual basis, or would a more generic approach suffice?

    1. John Price says:

      A general approach is good, where you write to each member and explain the data you hold “which may include DOB, etc.” Ask them if it’s OK to keep them on file, and to check it’s right. Only if an individual asks you do you need to provide a copy of the information you hold on them personally.

      The general gist is to make sure that your members know what data you collect, how long you keep it, why you have it and what you will do with it. Advise them they can ask for their own records if they want, have the option to ask you to consider deleting it, and allow them to correct mistakes.

      A source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  10. Bev Nicol says:

    If we have old data that has been collected prior to the GDPR, do we have to remove this from our systems?

    When getting the customers to confirm their details and “Opt In” can this just be one form to cover the whole of the company or does it have to be each individual?

    We have suppliers, do we need to get them to sign and opt in with the company as we hold names, contact numbers, addresses.

    I know that all of us as employees are completing a form for the HR and Accounts team.

    What is really shocking me, is I have not heard anything from my Bank, my Estate Agents etc, and these hold all my personal data, you might be able to help/explain.

    1. John Price says:

      No you don’t have to remove old data if it is already being held in a compliant way. GDPR has been law since April 2016 and the Data Protection act since 1988. Your bank will already have told you what they do with their data in the terms and conditions, which some may have updated recently, though I’d be surprised if the estate agents have already.

      For data to already be compliant, the data subjects (the individual people) have to know what information you hold, for what purpose and for how long. If you can prove that they already know that, say because you asked them when they signed up, then all well and good.

      If your contacts are not people, but are companies, then GDPR is not relevant anyway, unless it’s obvious that’s a person. So storing a company’s name, address, phone number, and sales@ email address is outside GDPR, which is only about individuals. It’s a bit odd that your HR and Accounts team are asking employees to fill in forms; they already have your permission to store work records on you from your contract, and permission to pay you. What other permission are they seeking?

      If you have old data that is not compliant, then writing to those people if they would like to stay on your mailing list (or whatever) would be a good thing to do.

      Information Commissioners site https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  11. Gary Mardle says:

    Hi, I have just started my Hypnotherapy practice and I am unsure how this affects my practice.
    When a client comes to see me they fill in a questionnaire form so that I have the information to treat them, it includes name, address, age, phone number and email.
    What exactly do I need to do?
    Many thanks.

    1. John Price says:


      It’s very hard to answer exactly based on such little information. Basically, you need to make sure that information about your client that you record is kept safe; that your client knows what information you have on them and what you will use it for and how long you will keep it. Is it just for their treatment? Will you do analysis on the data? Will you use it to market to them? All are OK, so long as the client knows, and you can prove you have permission. Adding a statement about what you will do with the data, with a check box next to each one so they can confirm it, is a simple solution. So long as you don’t send marketing to someone who hasn’t agreed to it, you will be fine.

      Something to consider: would you be recording medical information about the client? Details of drugs, past history etc. that could be damaging to the client if it got leaked? If you have special classes of data such as this, you require a Data Protection Officer (DPO). These can be expensive people to employ, have to sit on your board, and can’t be involved with day to day running of your business. Some useful information can be found on the Information Commissioners site https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ . If you think the type of data you hold might require the services of a DPO then let me know, as we have options where you can borrow ours from time to time to keep you legal.

  12. D Henderson says:

    Hi, I work for a small property consultancy. We hold name, email address, telephone number, business address, mobile number. We market properties to other agents, do I need to get the individual agents permission to continue to do so? We also manage property. Do I need to contact tenants/landlords to get their permission to keep their data in my CRM even though we are contracted to manage their property?

    1. John Price says:

      Hi, If you already have a contract to manage their property, does that say what you will do with their data? If not, I would send out a revised contract to your existing customers telling them that in order to manage their property effectively you will keep x,y,z data and use it for the purposes of ….. You should include in there a statement about their rights to see, amend and restrict the use of that data.

      Then, this becomes part of your contract fulfilment under GDPR. No-one is likely to object, and you can deal with those individually – but you can only do what you said you will do with their data.

      If you want us to spend some more time with you directly, then get in touch. Another source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  13. Marc Zazeela says:

    This is all very helpful.

    I have customers that send product catalogs to people who have specifically requested them. Am I allowed to process that request and keep the name and address in a database?

    Thanks for your help.

    1. John Price says:

      Yes, you can send the catalog to those that have requested it; that’s fulfilment of contract under GDPR. Keeping the data is a different question. At the time they asked for the catalog, did you record whether they gave you permission to store the details and use them to contact them later? If not, then you can’t. If this is the case, I would write to all the contacts before 25th May and ask them if they would like to remain on your mailing list so you can send them catalog updates etc. You should have in place a data retention policy saying you will keep the data for 28 days (or whatever, so long as you tell them) before you delete it if they don’t want to remain on your mailing list.

      There’s way more here. Contact us if you would like more direct support, or a source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  14. John Stanton says:

    Dear Sirs,

    I have a one man band recruitment company and hold around 1000 applicant profiles – freely provided by applicants. Do I need further permission from them to keep their data?

    After 28th May how do I approach a potential new client to get their permission to send them CVs for consideration?

    kind regards,


    1. John Price says:

      Hi. Firstly, GDPR is already law, since April 2016, so you should already be compliant – the 25th May date is the date the ICO will start enforcing the law. If you already hold data on individuals you will need to make sure that each individual knows you have that data and what you will use it for. For example, do you send out to prospective employers without asking for the person’s permission for each one? Nothing changes on 25th May; you need to make sure each individual knows what you have, what you are doing with it, and how long you are keeping it for (it can be a long time, but you must have a policy on it). Individuals can ask you to delete the data, ask for a copy of it, ask you not to use it, and ask you to correct anything they think is wrong.

      There’s much more than I can write here. Please let me know if you would like us to contact you directly about this. In the meantime a source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  15. Jacqueline Smith says:

    I have received a letter from a private healthcare company notifying me that the care for my condition has been transferred to them and they are requesting consent to obtain my personal details from my GP. They state that if they have not heard from me in 10 days they will take that as consent – is this legal?

    1. John Price says:

      Consent is consent – if you don’t reply you have not given consent. If you want to be sure they don’t take it, you could always reply and actively decline your consent, but taking your silence as consent is not allowed.

  16. Tony Dobbs says:

    I am holding supporter/follower data for a small charity. I know we need to take action to be compliant with GDPR for this data. But what about names, emails and in some cases addresses of others the charity is in contact with that are essential for the functions of other Trustees, such as Local Councillors, local press or contractors? These are generally only used by a single Trustee, the Treasurer for example.
    Any guidance very welcome.

    1. John Price says:

      Hi, so long as there is a record of what information you hold, and why you hold it, and some evidence that the person knows that, then you should be OK.

  17. Tay says:

    I run fitness classes. I hold basic medical details, Name, contact number and email address. I send emails out every now and then updating on any class changes.
    Do I need to ask everyone for permission to keep their email? And delete the ones that do not reply?

    1. John Price says:

      Short answer is yes.

      I would write/email all of the people and ask them to confirm you have their details correct, and if not, please tell you what they should be. Tell them you’ll use that information to make sure they get to know about last minute class changes.

      As people attend each class, I would have them also check a paper version and tell you it’s OK. Again, add a note saying that you will use the contact details to let them know of issues. Get them to sign or initial the paper. Making sure that medical data is up to date is something you should probably do regularly anyway.

      Now you have everyone’s permission to keep that data, so long as you only use it for the purpose of keeping them updated about classes. (You can’t use it to mailshot them about something unrelated.)

      In relation to the medical data, I don’t know what you store, but if it could cause embarrassment or hassle if it was leaked, you may need to look for the services of a Data Protection Officer. If you do, we can help there – it’s far too expensive to do yourself. A source of information and a checklist for you is the Information Commissioners Office, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

  18. Lesley Matthewson says:

    I run a small company with two PAYE employees, myself and one other. Companies contact us for a sub-contractor, we then book the subbie onto the job. I think I know what to do about GDPR for sub contractors, but what about the companies we deal with. Obviously we have the company name and telephone number, email etc., But emails are often sent to an individual person i.e. sara@fredsmith.co.uk. but only for work purposes. Do we need to get our client company and the individual persons permission. Honestly not sure how all this happens and what we are supposed to do.

    1. John Price says:

      Not advice here, there may be more to this, but my view depends on what you do with the information you are given. If it’s not personal information, then GDPR doesn’t apply. After the job is complete, what do you do with that information? Do you continue to use it to market to them? If so, and you want to send to an individual, then you might need to tell them that’s what you will do. That’s probably just a change to your terms and conditions document. You need to decide how long you are going to keep the data for and tell them. But again, if it’s not personal information, but just a company address, then GDPR isn’t applicable.

  19. Danni says:

    I own my own refrigeration engineering company. I currently don’t have any employees and I’m an Ltd company.
    I don’t process any data, send mail shots etc. The only data I hold is company names, address, email and phone number for contact purposes only. All of this information is stored on an engineering program that I buy through a monthly subscription. Most of the work I carry out is sub contracted but I do have a growing private client list. I’m unsure where this leaves me with the new regulations as nothing I hold is personal information.

    1. John Price says:

      If you have no personal information, only company data, then GDPR is unlikely to affect you.

  20. Alan Thomas says:

    I work as a marketer for a UK based company. We have a database comprising about 15,000 contacts which we regularly use for bulk email purposes to inform our contacts regarding upcoming training courses, new product releases, invitations to seminars, etc.
    Our clients are located in the UK & Ireland.
    From what I have read, it would appear that I can continue to contact these people via email under the heading of ‘legitimate interest’ but am I wrong to assume this is the case?

    1. John Price says:

      No legal advice, but it seems reasonable. Legitimate interest can include your own. So long as you can show that you have a reason – perhaps they purchased from you in the past (you can’t just collect names and addresses randomly – that’s not legitimate interest) or have contacted you directly before. You’ll need to offer them an easy way off the list though.

  21. Gareth says:


    I work for a large manufacturing company and our dispatch labels show the name of the person who printed them along with our company’s name (not site specific, i.e. no address). The staff have raised this as a potential breach of GDPR rules but I am not convinced that it is.
    What would your thoughts be?

    1. John Price says:

      It’s a potential breach. You are using your employees’ names for a purpose not obvious to them. When they joined, they expected you to use their details for payroll, HR, that sort of thing. Unless there’s something in their contract that says you can use their data for putting on labels, you shouldn’t. However, without knowing the reason for the name on the label it’s hard to assess. For example, when you pick up a prescription, the name of the person who dispensed it is on there – but the staff know this and it’s in their contracts. You could get around the problem and potential issue by using first name and initial, or perhaps a number instead. If you have a reason for including their full name, and you document that reason, it shouldn’t be an issue.

  22. Helen F says:

    We are a small manufacturing firm with no employees. We hold customer details on quotes and invoices. Some of the information is company information with a contact name, but will usually have private mobile numbers/email addresses.
    These are stored on a dedicated accounts program (not cloud based).
    We receive/send all information via email.
    What action do we need to take?

    1. John Price says:

      Seems to me you are storing those details for the purposes of operating your business, and that you could not operate without those details. I would cite Legitimate Interest and Contractual Terms as the reason for GDPR. Write down somewhere why you store each thing and how you store it and for how long and that should cover it.

  23. Lesley Matthewson says:

    Thank you. The Companies contact us and we supply temporary workers to them. Could be one day or three weeks. So the actual Company contact name/s, telephone number/s and email/s are in continual use. We can deal with several different people at the same Company. We do not approach them for further marketing purposes, as we only supply one specialist type of machine operator, and they come to us for that.

  24. Sean Dillow says:

    I run a photography business as a Ltd company. I have a variety of clients from large plc’s, local newspapers, and individuals. I have a large database of email addresses for individuals and clients that I contact on a regular basis for bookings. I also have a large database of images taken for all of my clients dating back 20 years that have embedded captions highlighting the subjects names for identification and search purposes. I understand that I need to document how I securely store the images.
    Am I still able to use images on my website that have been taken for clients that initially had the subjects permission and are already in the public domain/published?
    Going forward My clients always obtain photographic consent, do I need to have a copy of this consent if I store the images after I’ve sent them to the client? Ta!

    1. John Price says:

      If you previously had consent, then so long as you can prove that, you can use those images. They need to be kept safely. If they are already in the public domain it becomes a copyright issue, not data protection. If you ask your clients’ permission to use the image that should be fine, as that would imply storage. You could always add that you store images for a number of years/months to your contract. Include why you store them, perhaps backup purposes, and that’s fine.

  25. Hi, my wife and myself run a t-shirt printing business, we have no other employees. I can’t work out what we are supposed to be doing to be GDPR compliant….what constitutes ‘data processing’? When we take an order, we take a contact phone number or an email address (or use the email address they contacted us with), so that we can let the customer know when their order is ready. We add their address on their invoice (if required) and invoices are produced by a cloud accounting provider. That is all we do….we do not ‘process’ (whatever that means) their details, we do not forward our customer details to anyone else, so what do we need to do? Confused!

    1. John Price says:

      Consent is not the only possible route to GDPR. The one you are likely to rely on is Contractual terms, or possibly Legitimate Interest. It's perfectly reasonable as part of your business to ask for contact details so you can tell them the order's ready – they would probably complain if you didn't. So long as you are not selling on that list or anything like that, sounds perfectly fine to me.

  26. We are a gym and hold members email addresses, home addresses etc on file. We email promotions to both members and ex-members from time to time. What do we need to do?

    1. John Price says:

      So long as the information is held securely, so no one unauthorised can access it; you remove people's names if they ask you to; you stop sending stuff if they ask you to; the information is not about children; and the information is relevant to them, then that's probably it.

  27. maggie lea says:

    I compile, print and send out a magazine for the church. It doesn't contain any advertising or links to websites, just encouraging articles. No one else helps with the production. I send 60 copies via post and the names and addresses are held in an Excel spreadsheet. No one else has access to these details as they are held on my personal computer.
    I have been doing this for 20 years. Do I need to obtain written consent from all the people in order to continue to send them a magazine?

    1. John Price says:

      I don't think you need consent, no. You should provide a way for them to tell you to remove their addresses, though, like an unsubscribe link on a website does.

  28. Jay Cee says:
    We run a small accountancy practice. There are two employees, myself and my husband. We also use three self-employed bookkeepers who do some work on client records on our behalf. These bookkeepers do sometimes contact our clients directly to request information for the work they are doing. We also run PAYE for about 40 companies.

    A number of our clients are one man bands or small firms who work from home so we have their personal information as opposed to business address information.

    We do not give out their information to third parties unless the client asks us to (i.e. if they ask for a bookkeeper, or for solicitor or financial service advice, we can put them in touch with people we use – we would never give out details unless expressly asked). We don't send out any marketing information.

    We only contact our clients for work reasons.

    We have clients who we no longer act for. Legally we have to keep all of the files for 7 years. After that, the information is shredded. Do we need to contact clients who we no longer act for but whose information we still have in archives until the 7 years have passed?

    Any help appreciated as we’ve done the whole leave it to the last minute and panic thing!

    1. John Price says:

      I don't think you need to contact those clients, no. There are exemptions in the GDPR if you are required to keep data for legal reasons – it sounds like you already have a process to destroy the data when it's no longer needed.

  29. Aimee says:

    Hi, I’ve been reading through as many GDPR guides, webinars, checklists and help pages as I can for weeks and I’m still at a loss. I have also booked into a local seminar on Monday but I’m not sure it will be much help.

    I run a small screen printers and I have established that the data I hold on data subjects is Name, Address, Email and Phone number at best. This information is all stored within Gmail and Quickbooks, with the odd enquiry coming in on telephone, instagram, twitter, facebook (all data stored on their respective servers) or walk ins to the shop.

    Information we take is written on a hard copy order form and only the customers name is kept in an excel database of job lists. All information is only used in relation to the job at hand, i.e. producing the order and shipping it, emailing an invoice, etc. We don’t send information to anyone else, and we don’t email adverts, newsletters, offers or anything that requires people to opt in to correspondence that we know of (they are the ones that initiate correspondence by enquiring). – I have mapped where the data comes from, what it is, where it is likely to be kept and why we need to have it on a data map.

    I understand that I need to write a policy about what data is stored and how it’s used to go on our website, facebook, emails and any message we send back to customers/potential customers.

    But is there anything else I need to do? Do I need to start keeping a database of all information held separate from those servers (Gmail and such)? If I do, does it need to be encrypted? Do I have to delete all old emails, as they contain email addresses of people who have not "given consent" for me to keep them? Do I need to mass email customers now to let them know I have their email address? I'm finding it all very confusing and can't find any documentation able to offer me answers.

    Thank you for any help or advice.

    1. John Price says:

      If you know what data you have, you're doing well. You have to delete data which you have no reason to hold. So if you have customer records from 2010, why do you need them? If there's no reason, delete them; if there is, document it. Consent is only one of 6 valid reasons for data processing under GDPR; legitimate interest (including your own) is just as valid.

  30. Elisabeth Bowyer says:

    We are a small kitchen company – supplying and fitting kitchens. Do we have to let our old clients (ie those who we did a job for in the past) know that we still hold securely (on our computer and on Sage accounting package) the personal data they gave us (eg name, address, email address)? We are holding this info for accounting purposes (hmrc) and in case of any warranty queries.

    1. John Price says:

      No legal advice, but as long as you have a reason to hold that data legitimate interest is a valid reason under GDPR.

  31. Karen Fryett says:

    My daughter and myself work as a business partnership supplying balloon decor and hiring items for weddings.
    We work from home and clients contact us via phone, email, website or private Facebook messages. We store their contact details until the day of their event/wedding etc. After that we do not contact them for further business.

    We use photographs of our work at events on our Facebook page and website but never mention clients' names, only venues and type of event.

    Most of our supplies are ordered via a website. We do have a florist that we contact via email, so do keep her email details.

    Are you able to advise us on what, if anything, we need to do? This whole thing has escaped me until today!

    1. John Price says:

      There's no simple answer; look at the ICO website. One thing that jumps out from your description, though, is that after the event there's a period during which you might want to keep the data, but decide how long that is and have some process in place to destroy it after that. If you are not using it, there's no need for you to keep it.

  32. David Holt says:

    I run a company that provides flight simulation experiences. When customers book sessions with us I ask for their email address and phone number only.
    I want to be able to use these to send them an email outlining only what new products we have coming online soon. We do not pass on any details to any other bodies at all. What do we have to do to comply?

    1. John Price says:

      Tell them you are going to send them stuff on new products, and if they object to you doing that, don't do it! Informing them how long you will keep the data (perhaps 2 years – just decide) and removing their data after that will get you a long way.

  33. I have a small nail bar / sunbed salon. We keep a record of treatments, i.e. nails, polish colour, waxing etc.; the card just has name and telephone number on top. The info is only used within the salon. The sunbed clients fill in a record card giving name, address, email and phone number; this is signed and kept in the salon to record every time they use the sunbed. We never use any of the info on the sunbed record card or share it with anyone. They are kept in a locked file and only taken out to update when the sunbed is used. We would only use the telephone number to contact a client regarding an appointment or if they had left anything in the salon. Hope I am compliant.

    1. John Price says:

      Sounds like you have taken lots of precautions around keeping the data safe, which is good. Bits to look at for compliance would include telling your customers they have a right to see what data you store, and deciding at which point that data is useless and can be destroyed – so a record of sunbed uses 10 years ago is probably useless, but a record of the last 12 months might be fine. Define a period and then remove data older than that.

  34. William says:

    Thank you for your assistance with all these enquiries. I do understand about GDPR and photographs, with the exemptions and justifications for exemptions etc. Is it the position that old photographs of individuals on websites DO NOT have to be removed if you can already prove that under the DPA consent was obtained for taking and using the photographs?

    1. John Price says:

      No legal opinion, but if you have consent then I'd suggest you're fine. GDPR only covers the identity of an individual, so if you have pictures of random people who generally are not identified (labels under pictures etc.) then GDPR may not apply anyway.

  35. Imran Ali says:

    I am a member of a local cricket league and they have my name, address and date of birth for the purposes of my club registering me with the league so that I am allowed to play for my club. There has recently been an issue with regard to a game that I played in, and somebody from the league turned up at my house. I was not in, so they asked my father for information about whether or not I played in the game on the date in question. I was not asked for and have not given my permission for anybody to attend my home address or discuss personal details with any third party (in this case my father). I was of the understanding that the data was held solely for the purposes of registration and not for attending people's houses and speaking to third parties. Has this league breached GDPR?

    1. John Price says:

      Possibly. Giving out your address without your consent, or without a legitimate reason to, for example to the Police, could be considered a breach.

  36. Christopher Valenzia says:

    We carry out home improvements and do the majority of the work ourselves. However, where we need to use other trades on a job – e.g. a Gas Safe engineer or an electrician – we have to give them the client's name and address. Also, where we need our suppliers to deliver materials and goods to site, we need to pass on the client's address to them.
    Question: Do we need to get the client to sign something prior to us starting work on their property that says they give us their permission to pass on their personal information to other trades and suppliers connected to the job? Thank you

    1. John Price says:

      No, that would be covered under the terms of the contract. Clearly you need to tell the driver where to deliver goods to.

  37. LC says:

    My employer expects me to use my personal mobile for work – I teach in higher education – so I need to give my personal mobile number to my colleagues, and to students.
    Does this comply with GDPR?

    1. John Price says:

      If you give out your contact details, that's up to you. If your employer gives out your contact details without your consent, that's not allowed.
