Many people approach GDPR from the point of view that they don’t store personal data – as in they don’t keep personal data on others, so they don’t need to worry! However, every single time I break this down, clients are always amazed at the information that they have access to or that is lurking in their files.
Let’s look at this from two different angles, remembering what “personal data” is.
1) You (Person/Subject)
Here are some examples of places where your personal data is showing up…
Mobile phones, bank details, subscriptions, emails, all forms of social media (remember when you signed up and gave your name, address and date of birth?), WhatsApp (name and phone number), online purchases, store purchases etc – it amounts to a lot when you break it down and then count back the number of years since you changed mobile providers, broadband, Sky packages etc.
A great example is when you go into a shop or restaurant, or even an appointment at a salon. The first thing many ask is “Can I have your name please?” – they then type this into a computer, cross-check and say “ahhh there I have you now Mrs Jones”. This is because their system has stored your data on it for however many years. Now, normally we are absolutely fine with this and see it as part of everyday life. However – if their system was hacked, or a computer taken, your name, address, mobile number and ANY other information you have given them is now in someone else’s hands. A sobering thought.
2) As A Business Owner
Let’s use the example of running a shop with walk-in sales, online sales or both, plus a postal mailing list and an email marketing setup. You are thriving and have a large, active social media presence. You might think that you aren’t processing personal data; surely followers or signed-up mailing list members made the choice themselves…
This is where so many businesses fall flat in the GDPR department. If you sell online then you are responsible for processing order details, which will include the name, address and mobile number of any customer; the same goes for email lists. The payment details are usually encrypted, and the double security option makes them a lot safer to process. What happens to the name, address and personal details of the client after the order has been placed? They are most likely on your website, also possibly in your email inbox as a sales confirmation, and most definitely on your email marketing account.
At this point I always ask:
What justification do you have for keeping this information about someone else?
If you can answer that with an honest and valid answer, great. If, like many business owners, you are scratching your head, it is time to review!
Reviewing your relationship with Personal Data.
To wrap this up I would like to ask you the following:
As an individual, are there any occasions where you are concerned about a group or business holding your personal data?
If a client asked you to confirm the amount of personal data you are storing on them (Subject Access Request), would you know where to start? How far back would you go?
I will leave you to think about that, but always remember: we are all in charge of the personal data we own and also process through our business, and we have to start being more secure about who we are sharing it with.