Steve.Richardson - Forum Profile


Forum titleAdministrator
JoinedSep 2009
Latest activity 15th Dec 2017 10:16am  
Business listing  

Recent Posts

If you are a business owner or marketeer, then I would be surprised if you haven't heard about the changes to the Data Protection laws on the 25 May 2018.

The current rules will be replaced with General Data Protection Regulation (GDPR) and depending on the type of business you are it could have quite an impact. But if you have a good data protection policy in place already, then hopefully the transition to GDPR should be fairly painless.

One of the biggest problems I've found is trying to find useful clear and concise information. There has been lots of publicity about big fines and beating us with a stick, but little on what you actually need to do. So I've pulled this information and summarised it directly from the official ICO website and the information is correct as of December 2017!

At the bottom are links to ICO resources so you can learn more if needed.


Document what personal data you hold, where it came from and who you share it with.  If you have inaccurate personal data and have shared this with another organisation, then you will need to tell the other organisation so it can correct its own records.

Communicating privacy information

The first principle of data protection is that personal data must be processed fairly and lawfully. You should currently have a privacy policy that explains what you do with peoples data, but GDPR will have further requirements.

Analyse why you are collecting data, any possible impact and explain this in your privacy policy.

  • What information is being collected?
  • Who is collecting it?How is it collected?
  • Why is it being collected?How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Any information you provide to people about how you process their personal data must be:

  • concise, transparent, intelligible and easily accessible
  • written in clear and plain language, particularly if addressed to a child;
  • and free of charge.

Privacy information needs to be communicated at the point of collection as well as in a privacy policy. eg:

  • Where you need consent from an individual in order to process their information you need to explain what you are asking them to agree to and why. 
  • Individuals need to be able to have a choice not to give their details.
  • There also needs to be the ability to withdraw consent and allow individuals to easily remove any data or information and for you to give confirmation this has been done.
  • Allow the ability for individuals to see any information held on request.


Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity.

In real terms, this may mean telling a potential customer that they cannot proceed with their transaction if you are unable to hold their data. Or ensuring there is an unsubscribe/remove me button on communications or your website that gives a visual confirmation that information has been completely removed once selected.

Other things to watch are email newsletter lists and communications. If communications are essential to allow the functionality of your product or service, eg a password reset, then be transparent and explain this. But consent will be required before allowing any marketing or promotion activities.


For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

Data Breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.

Data Protection by Design

GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’.  In other words, you need to look at how you collect and store data. eg, have an opt out button or link to your privacy policy before a submit data button. If you are storing personal data, ensure that it is encrypted and secure.

Data Protection Impact Assessments (DPIA)

A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

  • where a new technology is being deployed
  • where a profiling operation is likely to significantly affect individuals
  • where there is processing on a large scale of the special categories of data.

Personally I don't think this is a cause for concern for any smaller businesses

Data Protection Officers

Regardless of requirements, you should designate someone to take responsibility for data protection compliance .

Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity)
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The GDPR does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

Reading that, I personally would say most smaller businesses wouldn't need to officially point a DPO, but it would certainly pay to be fully aware of data protection compliance and makes sense to assign that responsibility to someone if not yourself.


GDPR is happening, it's getting rolled out on the 25 May 2018. But if you have pretty decent data protection policies in place then it shouldn't be too much of a cause of concern. The impact will be felt by larger companies and those that deal in large volumes of data.

But there are significant changes and most of us deal with personal data at some level, so pay attention, don't ignore it and see what applies to you.

Unfortunately a lot of the information is confusing and the ICO themselves still haven't finished writing documentation. But over the coming months hopefully we will get a lot clearer step by step guides, particularly for smaller businesses.

Let me know what you think, any questions, anything I've misinterpreted? 

Guide to the General Data Protection Regulation (GDPR) - ICO
Preparing for GDPR - ICO (PDF)
Privacy notices, transparency and control - ICO

The sexist snowman or the world gone mad? 13th December 2017 10:51 AM

This is without doubt my favourite post from 2017, and it was actually on LinkedIn.

The post was by Oleg Vishnepolsky, the CTO (Chief Technology Officer) of the Daily Mail. He is one very smart cookie and quite a prolific poster, but this stole the show for me...

Original post: Oleg Vishnepolsky

Hump day riddle 12th December 2017 3:41 PM

rubbish at these

Getting tax back 12th December 2017 3:32 PM

David from Bollands Accountants responded on Twitter:

Hi Graham

This is accountants speak for the short answer is NO and the long answer costs £350 plus VAT and its still "no i'm sorry" and its probably not worth knowing why?

happy retirement and best wishes

Hump day riddle 12th December 2017 3:17 PM

Watching it on BBC iPlayer?

Continuing my business with my savings 12th December 2017 3:16 PM
I actually just hired two phone sales rep that will help me to talk our way out to get sales. Aside from the sales rep, I also have daily sessions in which I talk to a counselor to address my mindset on doing business. I'll give it a month to see if there would be any improvement in my case. Hopefully, there will be.”

Hi Redstone, not sure why you were linking to betterhelp dot com. Seemed a little odd as it was just a blog article. 

If you are offering coaching services, a good sales vehicle for that type of business can be LinkedIn. A business coach I use generates all his leads from LinkedIn and swears by it. Have a clear marketing plan/strategy with realistic goals and following it can help keep a positive mindset.

Hope it works out for you, let us know how you are getting on.

Hello from She Moves South Wales 12th December 2017 2:49 PM
Thanks for the feed back and advise.. 

I did write a long reply, but it hasn’t loaded!? ”


Oh no  There was no sign of it in the moderation queue. Give you computer a kick or try swearing, normally works for me.

Welcome aboard Hammond, great introduction and congratulations on starting your business 

How are you finding things? As expected, easier or are there any areas you are struggling?

Welcome aboard Noelia 

Who works at the weekends? 12th December 2017 2:37 PM

I used to work weekends, mainly Sunday evening, catching up for the week ahead, along with most evenings  But I try and make it the exception now rather than the rule.

When working all week, for me proper downtime and family time is more important