Posts

Originally Posted by Rebecca (PayforPrecision)

“Guess what I received in the post yesterday?? Toys R Us vouchers for the kids!!! ”

nooooooooooo

Its more about justification and permission. Do you need to hold that data? If you do, not a problem, does the customer know this, understand and agreed? Can they easily have any of their information removed if requested, and will you store it securely?

Most of this will be covered off in privacy pages and opt in/out buttons. It's taking a step back and justifying why you capture and hold data. if you don't need my details then don't ask for them. If you do, then reassure me you'll look after them and not flog them on or spam me to death.

Well I asked family and friends not to get any Toys R Us vouchers for the kids for Christmas as expected them to fold in January after the December numbers came in. Looks like it's happened sooner, but not unexpected

Awful for the workforce and a such a shame. There was something magical (and stressful) in Toys R Us visits with the kids.

Toys R Us future in UK plunged into doubt over pension scheme - BBC News

If you are capturing their name and address, maybe an email as well then this is personal info. Or is it your payment gateway which captures this, in which case it's not technically you, ie you don't hold that information on your actual website, the transaction is passed to a third party (sagepay, worldpay, paypal etc).

These are the sort of questions site owners need to be asking themselves, particularly eCommerce stores. Due to the volume of data we hold and collect, we've also have a lot of questions to ask ourselves 

If you are a business owner or marketeer, then I would be surprised if you haven't heard about the changes to the Data Protection laws on the 25 May 2018.

The current rules will be replaced with General Data Protection Regulation (GDPR) and depending on the type of business you are it could have quite an impact. But if you have a good data protection policy in place already, then hopefully the transition to GDPR should be fairly painless.

One of the biggest problems I've found is trying to find useful clear and concise information. There has been lots of publicity about big fines and beating us with a stick, but little on what you actually need to do. So I've pulled this information and summarised it directly from the official ICO website and the information is correct as of December 2017!

At the bottom are links to ICO resources so you can learn more if needed.

Accountability

Document what personal data you hold, where it came from and who you share it with.  If you have inaccurate personal data and have shared this with another organisation, then you will need to tell the other organisation so it can correct its own records.

Communicating privacy information

The first principle of data protection is that personal data must be processed fairly and lawfully. You should currently have a privacy policy that explains what you do with peoples data, but GDPR will have further requirements.

Analyse why you are collecting data, any possible impact and explain this in your privacy policy.

• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?

Any information you provide to people about how you process their personal data must be:

• concise, transparent, intelligible and easily accessible
• written in clear and plain language, particularly if addressed to a child;
• and free of charge.

Privacy information needs to be communicated at the point of collection as well as in a privacy policy. eg:

• Where you need consent from an individual in order to process their information you need to explain what you are asking them to agree to and why. 
• Individuals need to be able to have a choice not to give their details.
• There also needs to be the ability to withdraw consent and allow individuals to easily remove any data or information and for you to give confirmation this has been done.
• Allow the ability for individuals to see any information held on request.

Consent

Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity.

In real terms, this may mean telling a potential customer that they cannot proceed with their transaction if you are unable to hold their data. Or ensuring there is an unsubscribe/remove me button on communications or your website that gives a visual confirmation that information has been completely removed once selected.

Other things to watch are email newsletter lists and communications. If communications are essential to allow the functionality of your product or service, eg a password reset, then be transparent and explain this. But consent will be required before allowing any marketing or promotion activities.

Children

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

Data Breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.

Data Protection by Design

GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’.  In other words, you need to look at how you collect and store data. eg, have an opt out button or link to your privacy policy before a submit data button. If you are storing personal data, ensure that it is encrypted and secure.

Data Protection Impact Assessments (DPIA)

A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

• where a new technology is being deployed
• where a profiling operation is likely to significantly affect individuals
• where there is processing on a large scale of the special categories of data.

Personally I don't think this is a cause for concern for any smaller businesses

Data Protection Officers

Regardless of requirements, you should designate someone to take responsibility for data protection compliance .

Under the GDPR, you must appoint a DPO if you:

• are a public authority (except for courts acting in their judicial capacity)
• carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The GDPR does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.

Reading that, I personally would say most smaller businesses wouldn't need to officially point a DPO, but it would certainly pay to be fully aware of data protection compliance and makes sense to assign that responsibility to someone if not yourself.

Summary

GDPR is happening, it's getting rolled out on the 25 May 2018. But if you have pretty decent data protection policies in place then it shouldn't be too much of a cause of concern. The impact will be felt by larger companies and those that deal in large volumes of data.

But there are significant changes and most of us deal with personal data at some level, so pay attention, don't ignore it and see what applies to you.

Unfortunately a lot of the information is confusing and the ICO themselves still haven't finished writing documentation. But over the coming months hopefully we will get a lot clearer step by step guides, particularly for smaller businesses.

Let me know what you think, any questions, anything I've misinterpreted? 

Sources:
Guide to the General Data Protection Regulation (GDPR) - ICO
Preparing for GDPR - ICO (PDF)
Privacy notices, transparency and control - ICO

This is without doubt my favourite post from 2017, and it was actually on LinkedIn.

The post was by Oleg Vishnepolsky, the CTO (Chief Technology Officer) of the Daily Mail. He is one very smart cookie and quite a prolific poster, but this stole the show for me...

Original post: Oleg Vishnepolsky

rubbish at these

Watching it on BBC iPlayer?

Hi Redstone, not sure why you were linking to betterhelp dot com. Seemed a little odd as it was just a blog article. 

If you are offering coaching services, a good sales vehicle for that type of business can be LinkedIn. A business coach I use generates all his leads from LinkedIn and swears by it. Have a clear marketing plan/strategy with realistic goals and following it can help keep a positive mindset.

Hope it works out for you, let us know how you are getting on.

I used to work weekends, mainly Sunday evening, catching up for the week ahead, along with most evenings  But I try and make it the exception now rather than the rule.

When working all week, for me proper downtime and family time is more important