I’ve had variations of this question on contacts a few times since the first post, and I can understand the confusion around it. I’ve been asked by a few people whether lists you have of friends, family, or similar fall under GDPR (technically, yes, which is where the magic word ‘reasonable’ keeps coming into play), and a lot of questions seem to be around the use of personal details for everyday business purposes.
Now, there’s various advice about legitimate interests as a basis for processing, notifications to send out to your address book and so on. When you are not collecting and processing personal data beyond contact details for clients, what needs to be done to be compliant?
The bad news, from one point of view, is that this is still personal data, it still falls under the act and therefore you need to think about what you are doing with it.
The good news is that it is extremely unlikely you need to do anything particularly special about it. The reason for this is that GDPR recognises two categories of data – personal data, and sensitive personal data. Sensitive personal data is personal data that relates to a protected characteristic. Normal personal data is personally identifying data which does not relate to a protected characteristic – an e-mail address or phone number would be personal data, but would not fall under sensitive personal data.
Unambiguous consent
The obvious question then is why it matters – and the answer is simple. Sensitive personal data requires explicit consent for any form of collection or processing – in other words to collect it or do anything with it, the data subject must be asked the question ‘do you agree to us collecting and holding this data for these purposes’, and a very definite yes is required from them for usage to be allowed.
Non-sensitive personal data (for want of a better term) requires only unambiguous consent. This means that they must have taken an affirmative action indicating their consent, but some aspects can be implied rather than having to be spelled out. So in the case of contact details, let’s say someone gives you a business card and says to get in touch. In that moment they have provided you with their personal data, and given you unambiguous consent to use it for the purposes of contacting them. The same would apply if they sent you an e-mail asking to start a business relationship, or picked up the phone.
However, here’s where the whole purpose thing comes in again. It is reasonable to say that someone who has given you their contact details and asked you to get in touch has given unambiguous consent for contact (or, if you’re a larger company, for one of your sales/relationship team to get in contact – and if you are a larger company we can talk consultancy fees, or you can talk to your own GDPR experts). They have not, however, given consent to be signed up to your automated mailing list. If you think they might be interested in it, and want them to sign up, then get in touch and ask for their consent to use their data that way – then make sure you keep a record of that consent (saving an e-mail would count).
When someone makes personal data public it’s a slightly different matter. By having some of my contact details publicly available I am providing unambiguous consent to being contacted using them – although signing them up to an automated mailing list would be a different matter.
Please note that in this particular article, I am looking only at personal data used in an everyday business way, and what is reasonable to do with it. In terms of contacts and communications a sole trader is likely already compliant, unless they are carrying out some sort of automated marketing rather than handling things directly.
To sum this all up in some simple answers (and I still believe the GDPR can be summed up in a few sentences for the vast majority of cases, but that’ll come later):
- someone giving you their contact details is providing all the consent you need to contact them, but nothing else such as subscribing them to an automated list
- if you want to do anything other than contact them, then to be compliant you need to very clearly inform them of what you want to do and confirm that they consent to it
- you need to be very clear with people you contact on how they can ask for their data to be removed, and do so promptly if they ask
- take reasonable security precautions with these contact details (I would hope that most sole traders would consider them valuable enough to protect from disclosure in any case)
I’ve put together a quick and dirty tutorial on how to use one of the better encryption tools out there. I’ll go more into depth once I’m back at a real computer and have a little more time, maybe with a full video exploration and explanation of the different options. I’ll also be looking to do an evaluation of cloud storage options and how they play into the situation. As always, if there are particular questions or particularly urgent areas then drop me a line either here or on Twitter (@coffee_fueled).
Hello and thank you very much for this post.
I am a freelance translator and teacher and I use only a very simple Excel sheet with names, e-mail addresses and phone numbers of my clients. If I understand what you wrote correctly, my clients gave me the consent to have their contact details so I could provide them with my services. How long can I store such data and is it enough to protect it by encrypting the file? I do not use the data for marketing purposes. Also, I synchronize my contacts with my Gmail (but I don’t use Gmail for professional communication of course), is there something I should worry about? Unfortunately, the more I try to understand it, the more confused I get.
Hi Katerina,
It’s a little more flexible than that – when your clients are contacting you, and you’re working on a contract for them, then you can keep their details for the duration of the contract (a verbal agreement can count, or a simple exchange of e-mails, you don’t need a 50-page lawyer-prepared contract for it to count as a contract). You’d be holding and processing their data under the contract lawful basis, which means they have a right to object, do not have a right to ask you to erase the data (while the lawful basis applies – with certain accounting rules this may involve a length of time after the contract as well), and do not have the right to portability (i.e. can’t ask you for a copy of their data).
So essentially GDPR recognises the fact that when you are in a contract with someone, certain data has to be held and processed – and contact details can fall under this. A notification on your e-mail saying that you are holding data under this lawful basis should cover this off. Encrypting that spreadsheet would probably be a good idea, but if it’s purely contact details it’s not sensitive information in the same way as health details.
If you wanted to then use those contact details for any purpose other than fulfilling the contract, you’d need to get appropriate consent (i.e. for a marketing e-mail), but if you’re not doing that you don’t need to worry.
Hope this clears it up a little – a lot of the reason the focus is on consent is because that’s the easiest lawful basis to understand, and the clearest to justify. It isn’t the only one however, and in your case using contract is more appropriate.
Just for some background – the lawful bases are the legally justifiable reasons to hold and process data. Consent is one, contract is another, and there are four others which apply with different rights available to the data subjects for different bases.
Hope this helps, and please let me know if there’s anything I can clear up.
Thank you for this – succinct and easy to understand the logic.
A great help.