GDPR for Sole Traders – Contacts and Communications

This entry is part 2 of 4 in the series GDPR for Sole Traders

I’ve had variations of this question on contacts a few times since the first post, and I can understand the confusion around it. I’ve been asked by a few people whether lists you have of friends, family, or similar fall under GDPR (technically, yes, which is where the magic word ‘reasonable’ keeps coming into play), and a lot of questions seem to be around the use of personal details for everyday business purposes.

Now, there’s various advice about legitimate interests as a basis for processing, notifications to send out to your address book and so on. When you are not collecting and processing personal data beyond contact details for clients, what needs to be done to be compliant?

The bad news, from one point of view, is that this is still personal data: it still falls under the act, and therefore you need to think about what you are doing with it.

The good news is that it is extremely unlikely you need to do anything particularly special about it. The reason for this is that GDPR recognises two categories of data – personal data, and sensitive personal data. Sensitive personal data is personal data that relates to a protected characteristic. Normal personal data is personally identifying data which does not relate to a protected characteristic – an e-mail address or phone number would be personal data, but would not fall under sensitive personal data.

Unambiguous consent

The obvious question then is why it matters – and the answer is simple. Sensitive personal data requires explicit consent for any form of collection or processing – in other words to collect it or do anything with it, the data subject must be asked the question ‘do you agree to us collecting and holding this data for these purposes’, and a very definite yes is required from them for usage to be allowed.

Non-sensitive personal data (for want of a better term) requires only unambiguous consent. This means that they must have taken an affirmative action indicating their consent, but some aspects can be implied rather than having to be spelled out. So in the case of contact details, let’s say someone gives you a business card and says to get in touch. In that moment they have provided you with their personal data, and given you unambiguous consent to use it for the purposes of contacting them. The same would apply if they sent you an e-mail asking to start a business relationship, or picked up the phone.

However, here’s where the whole purpose thing comes in again. It is reasonable to say that someone who has given you their contact details and asked you to get in touch has given unambiguous consent for contact (or, if you’re a larger company, for one of your sales/relationship team to get in contact – and if you are a larger company we can talk consultancy fees or you can talk to your own GDPR experts). They have not, however, given consent to be signed up to your automated mailing list. If you think they might be interested in it, and want them to sign up, then get in touch and ask for their consent to use their data that way – then make sure you keep a record of that consent (saving an e-mail would count).

When someone makes personal data public it’s a slightly different matter. By having some of my contact details publicly available I am providing unambiguous consent to being contacted using them – although signing them up to an automated mailing list would be a different matter.

Please note that in this particular article, I am looking only at personal data used in an everyday business way, and what is reasonable to do with it. In terms of contacts and communications a sole trader is likely already compliant, unless they are carrying out some sort of automated marketing rather than handling things directly.

To sum this all up in some simple answers (and I still believe the GDPR can be summed up in a few sentences for the vast majority of cases, but that’ll come later):

  • someone giving you their contact details is providing all the consent you need to contact them, but nothing else such as subscribing them to an automated list
  • if you want to do anything other than contact them, then to be compliant you need to very clearly inform them of what you want to do and confirm that they consent to it
  • you need to be very clear with people you contact on how they can ask for their data to be removed, and do so promptly if they ask
  • take reasonable security precautions with these contact details (I would hope that most sole traders would consider them valuable enough to protect from disclosure in any case)

I’ve put together a quick and dirty tutorial on how to use one of the better encryption tools out there. I’ll go more into depth once I’m back at a real computer and have a little more time, maybe with a full video exploration and explanation of the different options. I’ll also be looking to do an evaluation of cloud storage options and how they play into the situation. As always, if there are particular questions or particularly urgent areas then drop me a line either here or on Twitter (@coffee_fueled).

How To: Basic Encryption Tutorial

This entry is part 1 of 1 in the series How To

One thing that’s come out of the GDPR questions I’ve seen is around encryption. Since under GDPR you are obliged to take ‘reasonable’ security precautions it’s definitely worth talking about, although it is a more general topic than GDPR alone.

In practical terms, encryption here means either whole-disk encryption or a secure volume. You may even have both. It’s important to note that while whole-disk encryption will help protect your data in the event of theft or losing a computer, it won’t help against someone breaking in using malware or similar while the computer is switched on. This is because an encrypted disk is decrypted while your computer is switched on, to make it usable.

So why encryption rather than setting permissions so that only you can see things? Simply put, those permissions really mean very little – they are applied by the operating system, and work only as long as the operating system is running. It is very easy to extract a hard drive, plug it into another machine, and ignore the permissions completely. Or just boot off an external disk and do the same. Encryption makes sure that only those with the secret required can get access to the data.

Built-In Encryption

If you are using some versions of Windows, or using Linux and have it set up in a certain way, encrypting your whole system is very easy. If you’ve got the option of using BitLocker, enable it. If you’re installing Linux, it’s probably worth setting up encrypted LVM right at the start so you can largely ignore it (except for trying very hard not to forget your password and have to start over).

Again on Windows you can apply more limited encryption (encrypted folders, etc) through your normal file manager. That sort of folder encryption isn’t necessarily ideal, but is easy to set up and better than nothing.

In either case it’s vitally important to remember your password. The whole point of encryption is that it can only be accessed with the password – if there’s another way to get in then it is less secure. If you forget the password, that data is essentially gone (unless your encryption tool is really, really bad).

Homebrewed Encryption

If you don’t have a handy built-in option, or if you want a different tool, the general recommendation these days is for VeraCrypt. There are a lot of expensive tools out there which are fine, but as well as being well-respected VeraCrypt has the added bonus of being open source. This means that it’s demonstrably secure, as all the code is visible and regularly checked by people looking for holes, and that it’s free. It’s also a very capable, easy to use tool.

There are plenty of tools out there, and tutorials on all of them. I’m trying to give simple practical advice here though, so will stick with VeraCrypt and how to use it to encrypt your whole disk, and create secure volumes for more sensitive data.

First things first, and I will repeat this multiple times as it is important: before trying any of these things, back up your machine in full. If something goes wrong with encryption, such as mistyping the password when you are setting it, you will not be able to restore it without a backup. That backup should be to an external drive or something else separate from your computer, as you really don’t want to discover it’s been encrypted along with everything else right when you need it.

Creating a small encrypted store

To start off simple we’ll use VeraCrypt to create a small encrypted volume to put our especially sensitive data in. In most cases, this will be all you need. If you really want to be secure then you can have different stores for different clients or categories of data, and mount them as you need them rather than having everything in one place.

I’ll put together a full video exploration of VeraCrypt options once I’m back at a proper computer, but I’m meant to be on holiday now and my desktop is quite far away. Instead you get a quick walkthrough of creating an encrypted store, which covers most use cases anyway.

First, after you’ve downloaded and installed VeraCrypt (it can work on Windows, Mac and Linux – no excuses), run it. You don’t have any encrypted volumes yet so there’s not much to see, but this is where we can create one.


Once you have your encrypted area, go back to the main window and choose Select File. Navigate to wherever you stored it and select it. Then click Mount. You’ll be asked for your password, and when you enter it successfully your new encrypted volume will appear as if it’s an external disk. Save anything you want to it, or open anything previously saved from it, and Unmount it when you’re done.
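The same create / mount / unmount steps from the Linux command line, as an added example that is not part of the original post. It assumes the `veracrypt` binary and its text-mode CLI are installed; the container path, mount point and size are hypothetical defaults you can override, and `VC_DRY_RUN=1` prints each command instead of running it so you can review what will happen first.

```shell
#!/bin/sh
# Added example: VeraCrypt file-container lifecycle via the text-mode CLI.
# Container path, mount point and size below are hypothetical defaults.
set -eu

CONTAINER="${VC_CONTAINER:-${HOME:-.}/clients.hc}"  # hypothetical container file
MOUNTPOINT="${VC_MOUNT:-${HOME:-.}/clients}"        # hypothetical mount directory
SIZE="${VC_SIZE:-200M}"

# Every command goes through run(): with VC_DRY_RUN=1 it only prints the
# command line, so nothing touches the disk until you are happy with it.
run() {
  if [ "${VC_DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Refuse to create anything until the full backup the post insists on is confirmed.
backup_confirmed() { [ "${VC_BACKUP_DONE:-no}" = "yes" ]; }

# Create a standard (non-hidden) container. VeraCrypt prompts for the password;
# it is never put on the command line, where shell history would keep it.
vc_create() {
  backup_confirmed || { echo "back up your machine first, then set VC_BACKUP_DONE=yes" >&2; return 1; }
  run veracrypt --text --create "$CONTAINER" --size="$SIZE" --volume-type=normal \
    --encryption=AES --hash=sha512 --filesystem=ext4 --pim=0 --keyfiles="" \
    --random-source=/dev/urandom
}

# "Select File" + "Mount": the volume appears at $MOUNTPOINT like an external disk.
vc_mount() {
  run mkdir -p "$MOUNTPOINT"
  run veracrypt --text "$CONTAINER" "$MOUNTPOINT" --pim=0 --keyfiles="" --protect-hidden=no
}

# "Unmount": dismount by container path, then the files are unreadable again.
vc_dismount() { run veracrypt --text --dismount "$CONTAINER"; }

case "${1:-}" in
  create)   vc_create ;;
  mount)    vc_mount ;;
  dismount) vc_dismount ;;
  "")       ;;   # no subcommand: only define the functions (e.g. when sourced)
  *)        echo "usage: $0 create|mount|dismount" >&2; exit 2 ;;
esac
```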

GDPR for Sole Traders – Brief Summary

This entry is part 1 of 4 in the series GDPR for Sole Traders

There is a lot of advice floating around about the GDPR – for everyone from large enterprises to small business. What I haven’t seen much of (though I have seen some) is an attempt to relate it to self-employed or freelance individuals, sole traders, and small partnerships. Recently my wife came across some questions about it on one of her social media translator groups where there were concerns about how it will impact these groups.

The advice for SMEs and larger is generally very official, designed for consumption by the legal and technical teams of a company. That’s great for a company which has those, but doesn’t apply so much to a sole trader who doesn’t specialise in law and IT. So I offered to summarise as best I could, and translate things a little. Before I do that I need to make a couple of things clear:

  1. This post aims to make the GDPR understandable for sole traders and other small businesses. I do not aim to present or suggest solutions here, simply to help ensure that the responsibilities and duties are understood appropriately.
  2. This is not official advice from a lawyer or similar and you should not lean on it if you have a particularly complex situation; instead consult a professional who is willing to put official advice in writing and has liability insurance.
  3. This first post is a brief summary – I will be skimming over the legislation, as I don’t know which are the most pertinent questions to go into depth on. If you have any questions please get in touch, or post a comment, and I’ll happily elaborate on any areas of confusion or concern.

Principles of the GDPR

The GDPR is based around a number of principles, largely building and elaborating on existing principles in data protection legislation.

  • Lawfulness, fairness and transparency: treat personal data according to the law, fairly, and be open and transparent about your usage of it with the subjects of the data
  • Purpose limitation: only collect and use data for clearly defined purposes, do not use it for anything outside of those purposes (transparency applies here, as the data subjects must be informed of the purposes)
  • Data minimisation: you should only keep the most limited data you can which is adequate and relevant to your purposes in processing
  • Accuracy: personal data you hold must be accurate, and where necessary kept up to date
  • Storage limitation: this is more an extension of data minimisation – you must not hold data in a form that allows identification of subjects for longer than necessary for your stated purposes. Note that this permits anonymisation of data for further storage and processing
  • Integrity and confidentiality: make sure that the data is secure, using (and this is the key word) appropriate technical or organisational measures
  • Accountability: the data controller (different from the data processor, we’ll get to that) is responsible for and must be able to demonstrate compliance with the GDPR legislation

GDPR Data Subjects, Processors and Controllers

The other three key terms that come up in the GDPR are about who it applies to. Here we have data subjects, processors, and controllers. Subjects is fairly clear: it refers to the subjects of the data being gathered and their rights to control that data. Specifically, their right to be informed of any data held on request, and their right to have it shown to them or removed on request. Processors and controllers are where some confusion comes in, but they are quite simple. The controller is the one who decides what the data is to be used for, while the processor is the one who carries out those uses. For sole traders and other small businesses these are almost certain to be the same people – although there will be cases where they are not (where your business is about providing analytical resource and expertise to third parties, for example).

Contractual Basis for Processing

I’m going to end with this section, for now, as it is the area which seems to raise the most concern. As mentioned if anyone has questions around other areas, please get in touch or comment and I’ll happily expand this series to address them, but this I really wanted to cover.

One of the most common questions I have heard is whether the GDPR will interfere with normal business, in particular starting a new business relationship with someone. Do you need to e-mail them to get informed consent, keep them notified that you’ll be storing their contact details in your address book/CRM, and so on? Marketing is a bigger, separate subject, so if it’s asked about I’ll go into it in a separate post.

Essentially if you are holding and processing someone’s personal data for the purposes of fulfilling an agreed contract and/or agreeing a contract then you have a lawful basis for processing. Contract here refers to any agreement that meets the terms of contract law (not necessarily written down, but means that terms have been offered and accepted, you both intend for the terms to be binding, and there is an element of exchange).

The good news is that this will apply if you are establishing a relationship and contract with a new client. It will also apply if, as part of the contract, they are asking you to process their personal data (e.g. getting a personal document translated to another language). What is important is that when you obtain the data you ensure the client/customer/third party is informed of how you will be using it, why you will be using it, what you will be using it for and how long you intend to keep hold of it.

Basically, a lot of the GDPR boils down to being transparent with people about what you are doing with their data, taking responsibility and accountability for data you hold, and acting in a reasonable manner. If you are clear and open with customers about what you will do with their data (and remember, GDPR is opt-in, not opt-out, so the consent must be informed and documented), and keep track of the data assets you hold, then you should be fine. The legislation makes a lot of use of ‘reasonable’ measures, views, expectations and so on. Essentially – if someone contacts you in order to set up a contract and do business with you, particularly if the only personal data you obtain are contact details, you will need to take reasonable security measures to secure those contact details, and not misuse them to send out marketing e-mails without the explicit consent of the data subject.

Treat others’ data as you’d expect a responsible business to treat yours, and you should be fine. If you have questions either around other aspects, or around more practical security matters for a sole trader or small business (encryption, systems to use, what counts as ‘secure’) then please do leave a comment or get in touch directly.

I’ve been advised to add a small note around some specific scenarios:

  • if you are working with a document with a signature, even if there is no other personal data, then once you are finished with the document you should destroy it and/or ensure that the signature is unreadable (there may be reasons to keep the document, in which case it should be fully anonymised if you have no need of the data)
  • if you keep contact details (you do) then you should ensure that people are informed you are keeping them, and make sure they have a way to ask for the data you hold on them, ask for changes, ask for it to be erased, ask you to restrict the purposes you use it for (with contact details this essentially maps to asking for it to be erased I imagine), ask for an electronic copy, and object to you holding it – this is a large area, and I suspect will involve a separate post to cover fully
  • having a password on your computer is not a way to protect your data from theft unless you have also set up encryption, or are storing all data on the cloud rather than the local machine, or other circumstances which may apply – if I get some questions on this then I’ll go into more detail, but it’s fair to say that whole-disk encryption along with a password is a reasonable option, while an unencrypted disk is not