This page contains the transcript of a web chat we had with a member of the ICO team.
The team members have been really helpful and very gracious in allowing us to publish these transcripts. We are duty bound to point out that the information included will be the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation. The actual General Data Protection Regulation should always be regarded as the ultimate source of truth.
Initial question: Does GDPR apply to small businesses?
You are now chatting with ico_aidenc
ico_aidenc: Good afternoon. If the business processes personal data then they will be subject to GDPR.
Tom: That's what I thought!
Tom: The top 10 search results on Google about this say it doesn't apply to small companies
Tom: There appears to be a massive misunderstanding about this
Tom: Am I correct in saying the only difference for small businesses is a relaxation on some of the record keeping requirements?
ico_aidenc: Hello - thanks for your patience
Tom: no worries, wasn't sure if we were cut off!
ico_aidenc: Yes, you are right, the GDPR applies to all organisations processing personal data. There are certain provisions that are engaged by different kinds of processing / scales of processing, but no exemptions based on organisation size
Tom: Does this apply in a Business to Business environment too? So, can an employee of a company I do business with call and ask to be deleted from my records?
ico_aidenc: Certain B2B interactions will involve personal data. But rights like the right to erasure aren't absolute - they can be refused if there's a clear reason why the data needs to be retained: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-erasure/
Tom: And things like first name and last name would be considered personal data in that context, is that right?
ico_aidenc: Yes, they're likely to meet the definition of personal data as per Article 4 (1) of the GDPR
Tom: That's how I understood it. Crikey. Can I market to an employee of a company by name without their consent, or does the specific opt-in requirement apply there too?
ico_aidenc: That is likely to be covered by the ePrivacy directive, which we don't have yet, so I can't advise on that at this stage, but if you send an email to email@example.com we can have a closer look and dedicate more time to a response
Tom: Fair enough. I write bespoke business software, so I'd be considered a 'data processor'. Am I obliged to report clients if their software could lead to a breach?
ico_aidenc: The controller is obliged to report if a breach occurs. Processors should "assist" controllers in meeting the requirements of the GDPR, but I don't think that would extend to an obligation to report concerns which could lead to a breach.
Tom: OK, thank you. Do we have to be proactive in that assistance, i.e. should we be calling them and saying "hey, your legacy system is probably not GDPR compliant" or is the onus on them to contact us?
ico_aidenc: We don't have specific guidance on that yet. I'd say - and it's my interpretation - that it would be best practice for you to do that, but the act is unlikely to require it of you in a way which could lead to repercussions under the act. However, the terms of the processing contract between DP and DC might have a clause which requires it, for example, so there could be situations where not informing them could lead to repercussions.
Tom: Do small businesses have any dispensations from the ICO here, i.e. will the ICO be taking a softer hand with them at the beginning? It's potentially a huge amount of work for them? It seems like everyone needs to do a full audit for a start?
Tom: (sorry, and thank you for the previous response, that's a really good point)
ico_aidenc: We're not a punitive organisation, and just like under the current DPA, not every breach will lead to a fine, and our focus will be on supporting organisations to meet the requirements of the law, and then looking strategically at areas of concern where we think there are systematic issues across industry. Again, that's my view and I can't guarantee what our position will be because I'm not in a position to do so.
ico_aidenc: It is a lot of work, yes - we're increasing our published guidance as quickly as we can.
Tom: I can't believe how little there is in the press about this, it's nothing less than a fundamental re-think of how to handle data
Tom: (a very good one, but still...!)
Tom: Did I read somewhere that it's possible to request the ICO audit you to check your GDPR compliance?
Tom: or is that just for big businesses
ico_aidenc: We will be offering audits under GDPR, and they'll be open to everyone, but we can't guarantee everyone who requests will receive them due to resource - we have to focus where we think the problems are going to be, if you see what I mean. Current Audit page is here: https://ico.org.uk/for-organisations/resources-and-support/audits/ current audits are all under DPA, but with an eye towards GDPR as far as I know.
Tom: That's great, thanks. Coming back to the B2B point about marketing to employees of my customers, am I right in saying the personal data doesn't have to include any of the special categories (medical, ethnicity, race etc.), first name and last name alone say would be enough to mean that GDPR applies?
ico_aidenc: Yes. The definition of Personal Data is in Article 4(1) of GDPR - you can see an electronic copy of the GDPR here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Tom: That's what I thought, I'm just reading so much absolute rubbish on the internet that contradicts how I read those regs
Tom: I think the ICO should seriously consider putting someone on adding official comments on a lot of these blogs and web articles. They are flat out wrong.
Tom: E.g. "In fact, Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR" from http://smallbusiness.co.uk/dealing-with-cyber-attacks-2538554/
ico_aidenc: Sorry, I can't click links provided through livechat. But in general I can say that there is some confusion, unfortunately. I think people are very eager to be seen to have answers to problems, and that means they're not reading the regs closely.
Tom: Or at all...! We have clients telling us GDPR doesn't apply to them. Is there an ICO page that says clearly and unambiguously "this applies to small businesses"?
ico_aidenc: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ has "Who does the GDPR apply to?"
ico_aidenc: inc 'If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. '
Tom: That assumes small businesses know the DPA applies to them though, which in my experience they don't. In fact, "DPA" tends to draw a blank stare. I think you need something even more beginner level than that
ico_aidenc: There's a lot more detail on that page - it's pretty clear. But I can certainly forward that feedback, we're always looking for new and better ways of communicating
Tom: It just has to be so brief and plain English for a lot of the companies we deal with. To be honest, you could just have a page that says "Does this apply to my business?" "If you're in the EU or deal with it, yes."!
Tom: Thanks so much for all your help, it's been absolutely invaluable
ico_aidenc: Thanks for using our livechat service, and please come back to us with further questions. And enjoy the weekend!
Tom: And you! Bye for now
Tom: Sorry, one last question, is it OK to quote you by your chat name in communications with our clients about this? I'd like to include a transcript of excerpts of this conversation.
ico_aidenc: You can do, yes. I'd just ask that you leave intact the bits where I've said that it's my view etc, as we have to be careful as staff of the regulator not to be seen to be making official decisions/statement when we aren't (I'm sure you understand that).
We can email you a copy of this chat. Once the chat is over, you will be asked to enter your email address if you want a copy of it. Click into the email box and enter your email address. You will receive a transcript soon after from the email address ICO OperationsServiceDelivery@ico.org.uk.
Tom: that's great thank you. Yes I absolutely will, I will make it clear that this was just an informal chat, but the applicability bit is totally unambiguous and that's a message I'm worried hasn't got through
Tom: Thanks again.