How many of you are ready for the new data protection laws?


BobSweden (Managing Director, Premium Geek; joined Sep 4, 2008; location: Sweden / Germany / UK):
On the 25th May, the General Data Protection Regulations (GDPR) come into effect across Europe. These apply to how companies collect, use, secure, retain and delete personal data, and apply to all businesses. Failure to comply can lead to a financial penalty of 4% of ANNUAL turnover or 20M Euro, whichever is least.

Personal data is defined as anything that would allow the person to be identified, including name, address, phone number, email address (if not anonymous), photo, internet IP address, medical conditions (i.e. if they have allergies), birth date, etc, etc.

For example, nail salons may record name and phone number to make a booking in an appointment book, or they could use an online booking system - which must also be GDPR compliant.

It is likely that from the 25th May, national governments will run advertising campaigns to inform the public. So clients may start to ask if you are GDPR compliant. They also have the right to complain and report a company to the regulators, who may decide to perform an audit.

So how many of you are aware of GDPR and are already prepared?
 
I'm currently doing the online course with the Guild of Therapists.
Guild members get a good discount to do it.
Once signed up, you can download the course info and an example policy statement to use with your clients.
There are 4 modules to work your way through at your own pace.
Finding it clear and helpful.

Update: 19/04/18
I have now completed my online course, received a certificate and been able to produce a policy and consent form for my salon clients. Feel much happier about it all now.
 
Personal data is defined as anything that would allow the person to be identified, including name, address, phone number, email address (if not anonymous), photo, internet IP address, medical conditions (i.e. if they have allergies), birth date, etc, etc.

For example, nail salons may record name and phone number to make a booking in an appointment book, or they could use an online booking system - which must also be GDPR compliant.

It depends on the type of software they use - bespoke local software over which you have more control, or cloud services, which I believe most would fall into, such as SaaS providers who sell this type of software as a cloud service. The SaaS providers have a lot of work to do until May as they are the ones who collect this type of data and they should notify nail salon owners on how they adhere to GDPR regulations.

Also, credit card/debit card services should also notify nail salon owners how they conform to GDPR since they also take payments and client data such as names and bank card details.

IP addresses are a difficult one to really say if you can identify someone, as many users use an ISP that has a pool of IP addresses and hands them out in a dynamic fashion. What if the person uses Tor or a VPN proxy? What I would be more concerned about, and people should be voicing their concerns about, is the harvesting of data by UK ISPs, which the UK Government has legalised, forcing every ISP to keep records of users' Internet activities for 12 months, while ministers are exempt from this law. This is a gold mine for any hacker who would seek to blackmail someone. This is reminiscent of George Orwell's 1984 novel.
 
What about Brexit? ;)
 
So do these new laws only affect computer records? I’m old fashioned and have old style handwritten record cards. Am I affected? [emoji848]
 
Also following this thread [emoji108]
 
So do these new laws only affect computer records? I’m old fashioned and have old style handwritten record cards. Am I affected? [emoji848]

The Data Protection Act 1998 would still apply to you even if you don't have your records in a computer format.

Used fairly and lawfully: You wouldn't sell this data to other companies. You would not use this data to make cold calls or spam them unless your clients agreed specifically to this. This would revolve around ethical use of personal data.

Used for limited purposes: You should only use the data for the purposes of insurance and perhaps for your own client research to know what is the most popular service.

Used in a way that is accurate, relevant and not excessive: You wouldn't record incorrect data, clients can move home address, change telephone number, etc. You wouldn't go to the extreme of getting next of kin details for example. You wouldn't record sexuality nor HIV status as they are excessive and you don't really need to know.

Accuracy: As above, but I'd add "garbage in, garbage out". Keep records up to date.

Kept for no longer than absolutely necessary: I think some insurance providers say about 7 years. Check with your own insurance policy how long you should keep them.

Handled according to people's data protection rights: You don't strictly own the data, and the owner of that data can request amendment or deletion.

Kept safe and secure: Where do you store the data? Who has access to your data? Do you have backups of your data?

Not transferred outside the EEA without adequate protection: For example, using a cloud service such as Dropbox without any form of encryption.

https://www.gov.uk/data-protection
 
So do these new laws only affect computer records? I’m old fashioned and have old style handwritten record cards. Am I affected? [emoji848]

Data in this sense means client details that are recorded, whether hand written in a notebook, card files or on computer.
Also, do you use social media to advertise/book appointments?
Do you respond to clients online?
It’s not simply about record keeping.
 
All EU laws will be passed into UK law.

The point of Brexit was to ditch EU laws and re-invent the wheel, so we can’t really predict what will happen as it’s unknown territory. :rolleyes:

Sorry to derail topic. I back out of this thread now. :(
 
Data in this sense means client details that are recorded, whether hand written in a notebook, card files or on computer.
Also, do you use social media to advertise/book appointments?
Do you respond to clients online?
It’s not simply about record keeping.

That’s a good point, I’m not sure I understand what’s required of me though in regard to the social media ads. People respond but then the appt is usually made through private message and certainly no personal data is on the ad or responses. So should I be deleting old private messages once the appt is made?

There might be something I’m missing? I’ve done a lot of online research and it’s very tricky to pinpoint what changes should be made. Or perhaps that’s just me
 
The point of Brexit was to ditch EU laws and re-invent the wheel, so we can’t really predict what will happen as it’s unknown territory. :rolleyes:

Sorry to derail topic. I back out of this thread now. :(
That’s a good point, I’m not sure I understand what’s required of me though in regard to the social media ads. People respond but then the appt is usually made through private message and certainly no personal data is on the ad or responses. So should I be deleting old private messages once the appt is made?

There might be something I’m missing? I’ve done a lot of online research and it’s very tricky to pinpoint what changes should be made. Or perhaps that’s just me

If you do appointments through Facebook for example, all data centres are in the US so you would need to delete them. Although you never know if Facebook actually "deletes" your appointments, if that makes sense.
 
The point of Brexit was to ditch EU laws and re-invent the wheel, so we can’t really predict what will happen as it’s unknown territory. :rolleyes:

Sorry to derail topic. I back out of this thread now. :(

"As its informal name suggests, the repeal bill will repeal the 1972 European Communities Act, which took Britain into the EU and meant that European law took precedence over laws passed in the UK Parliament. It will also end the power of the European Court of Justice in the UK.

All existing EU legislation will be copied across into domestic UK law to ensure a smooth transition on the day after Brexit.

The government says it wants to avoid a "black hole in our statute book" and avoid disruption to businesses and individual citizens as the UK leaves the EU.

The UK Parliament can then "amend, repeal and improve" individual laws as necessary.

Ensuring the continuity of EU rules and regulations is also meant to aid trade negotiations with the EU because the UK will already meet all of its product stands"

http://www.bbc.co.uk/news/uk-politics-39266723
 
If you do appointments through Facebook for example, all data centres are in the US so you would need to delete them. Although you never know if Facebook actually "deletes" your appointments, if that makes sense.

So would messenger count, and the Facebook pages messages linked to my business page? I suppose appt times are on there and they give me their phone numbers. So I should be deleting those then.
 
So would messenger count, and the Facebook pages messages linked to my business page? I suppose appt times are on there and they give me their phone numbers. So I should be deleting those then.
Messenger, WhatsApp and Instagram are all part of Facebook and personally, I don't do bookings on Facebook, or on any paid cloud service that doesn't clearly explain important facts, because it is not fully clear to me how they store (in terms of transmission, methods and encryption used) and how they use that data (it could be used for further analytics and advertisement for you and your client). What I do know is that their servers are located in the US and are not within EU jurisdiction, meaning that EU laws on data regulation do not apply to the data stored in the US. Like I said in the previous thread, if you "delete" it, you won't know if Facebook has fully deleted the thread as they may use it for other reasons which mere mortals outside of Facebook will never know. Once it's on Facebook or on any other platform, you never know what happens to your posts or how they are used.

If you don't know enough about the company, don't use it. In my case, what I have done is build my own tools to make appointments, but not everyone has the knowledge or the capital to hire a developer to do these things hence why cloud SaaS services are lucrative, but can be a double edged sword.

As an example, I use the Google Calendar API in my bookings, but I do know that Google has data centres in Europe, so they are legally bound to EU data regulations. Another option is to just obfuscate your persona (in legalese, a person) by omitting certain pieces of data that identify someone, but unfortunately Facebook wants everyone to use their real names so it is not possible. A cod example I can think of right now: storing just a first name and just the year born would not fully identify a person if someone stole or used the data in an unlawful way, but it would be meaningful to someone such as the owner, for whom those small pieces of data make up information that identifies an individual client (i.e. pieces of data that carry meaning).

A bit about me
===========
I have three degrees in computer science and industry experience in software development, radio communications and cyber-physical systems development and research for the water utility sector, and I have taught computer science modules in the higher education sector. This topic is usually covered under laws and ethics in software engineering university modules, to which I feel I can make a contribution. I am also a nail technician, I love art and I am a Research Associate in a computer science related project :)

PS: I am still looking for hard gel alternative brands lol ;)
 
As an engineer to a scientist - drop me a PM and I will sort your hard gel question with a free sample of our unique gels :)
 
As an engineer to a scientist - drop me a PM and I will sort your hard gel question with a free sample of our unique gels :)
Sent a PM :)
 
So would messenger count, and the Facebook pages messages linked to my business page? I suppose appt times are on there and they give me their phone numbers. So I should be deleting those then.

This was in the news today - worth a read :)

Wetherspoon pub chain shuts its social media accounts

http://www.bbc.co.uk/news/business-43781281
 
I’m so confused by all of this! I’ve recently come back to working from being on maternity leave so am concerned I have missed all this! I work part time from home, what do I need to do?? I use client record cards, emails, facebook and texts for bookings. I used to use an online booking system when I worked full time but I can’t justify the cost now that I am only working part time. Help!
 
I’m so confused by all of this! I’ve recently come back to working from being on maternity leave so am concerned I have missed all this! I work part time from home, what do I need to do?? I use client record cards, emails, facebook and texts for bookings. I used to use an online booking system when I worked full time but I can’t justify the cost now that I am only working part time. Help!

This is a good video to explain what GDPR is. Like I have said before, it is mainly going to affect large organisations such as cloud services to smaller businesses like you; e.g. the IT service you use to make online bookings for example. But it will affect all organisations and businesses.

Having a DPO is overkill for such small businesses ;)

On the matter of enforceability, that's just another topic for discussion.



and Q&A
 