Over the past few months, we’ve seen our inboxes full to overflowing with emails from companies checking we still want to receive communications from them. These businesses are getting themselves compliant with the new GDPR legislation by asking customers to opt into marketing communications and view updated privacy policies, among other things.
You probably know GDPR is something to be aware of. However, like many of us running small or micro businesses, it’s hard to know where to start. You need to be clear with what you have to do before the 25th May deadline, and what happens beyond that.
In this article, we will outline the steps you need to follow right now. Also, we will soon be releasing a brand-new GDPR document bundle. This will provide you with everything we think you need to have in place to confidently approach data protection as a self-employed paid carer.
The GDPR comes into effect on 25th May 2018. While we still don’t know exactly what the final legislation will look like, we do know it will bring higher standards for handling personal data. It will include greater expectations for improved transparency, enhanced data security and increased accountability for processing personal data.
All businesses, whether one-man bands or large organisations, will have to comply with the GDPR. If you’ve already adopted good practice measures under the current Data Protection Act, you’ll be in a strong position to comply with the GDPR provisions.
YtB will help you to look at the implications of processing personal data for your clients/service users.
The definition of personal data is ‘any information relating to a living individual who can be identified from that information’. This would include, for example, the name of the service user. It can even include indirect identification, i.e. information that could identify them, such as their medication or details of a disability.
The new legislation is different, as it also extends the current meaning to include things like identification numbers and location data. It also includes other online information, for example, cookies and IP addresses. Pseudonymised information isn’t personal data unless you also have information to allow the person to be identified.
In addition to the existing categories, special or sensitive categories of personal data that are important to carers include physical or mental health conditions and medical data, as well as things like genetic and biometric data.
The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data.
In practical terms, this means that as well as being comfortable you satisfy the conditions for processing data (which we detail below), you also need to consider what level of security is appropriate.
You must ensure any personal data you process is done in accordance with the data protection principles. It should be:
As a self-employed paid carer, you’re considered to be a ‘Data Controller’. This is the person who decides what data is needed and why, as well as how the personal data should be processed. As a Data Controller, you must ensure any personal data you process complies with the principles outlined above.
A ‘Data Processor’ means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
If you’re unsure, you can always do a quick-check self assessment here
As a self-employed paid carer, much of the GDPR will apply to you and to elements of the work you carry out for your clients/service users. It sounds scary, but there are some fairly straightforward and practical steps you can take to prepare for compliance:
Register with the ICO as a Data Controller. You can do this here. As a micro business it will cost you £35.00 a year.
Review the data you keep, what, why, where and when it’s deleted or updated.
Review any existing documents on data protection you have.
Put relevant/missing processes and documents into place and explain how you will deal with a data breach.
Review the consent mechanisms needed from your client/service user.
Ensure that if you have a team, they are aware of their obligations under the Act.
YtB has put together a document bundle available to purchase for £25 to help you every step of the way. The bundle consists of: