Small businesses: GDPR affects you, too

The EU’s General Data Protection Regulation (GDPR) comes into force on May 25 2018, enforcing a strict set of new rules concerning privacy and data security and imposing strict penalties on violators. Enterprises are having a tough enough time coping with it. How will small businesses with fewer in-house IT and legal resources …

COMMENTS

This topic is closed for new posts.
  1. Tezfair

    Backups

    I still have not yet come across a clear, black and white statement regarding 'right to be forgotten' and backups. I have read many forums and it's sort of a grey area.

    For example, if a person wishes to no longer be on the system of a client, in most cases that's easy, you delete them, but what if there is a system image where that information is unable to be extracted without destroying the image? Or in terms of holding 6+ years of backups, what happens if I have the ability to delete a record and then the HMRC does an audit and finds gaps in my invoicing?

    From what I can gather an option is to encrypt the backup and keep the key safe, but surely that still doesn't comply because all you're doing is restricting access, not actually deleting.

    Or what if a person comes and buys a PC, then a week later demands I remove all information about him/her? How does that work in terms of sales, invoices, warranties?

    1. Doctor Syntax

      Re: Backups

      These questions have been posed in the comments of just about every GDPR article.

      As regards backup, there is wording about technical feasibility (this is an off the top of the head reply so you'll have to go and check it if you want the exact words). The upshot of this would appear to be, no, if it's not feasible you don't have to go and edit your backups. OTOH, if you were to restore one of those backups you'd need to have a means of re-doing the deletes that happened between the taking and restoring of the backup.

      There's also wording about not having to remove data relevant to performance of transactions. So you'd be able to justify holding onto warranty data until the expiry of the warranty.

      But as with any legislation, the ultimate way to decide what to do is to read it to find out how it affects yourself.

      1. big_D

        Re: Backups

        Exactly Doctor Syntax.

        Financially regulated information, for example payroll, invoices, bank statements etc. cannot be deleted, because there is a legal requirement to keep them that supersedes the GDPR. You can delete their personnel record, for example, but not remove them from payroll.

        And, as you say, backups are backups and usually cannot be edited to remove individual files, let alone records within a database image. That goes beyond feasible and you just need to ensure you have a record of deletes that need to be made, if the image is restored.

        Going through 10 years' worth of offsite backups and removing 1 or 2 rows from a database image from every tape just isn't feasible. Even worse if it is a WORM type storage media.
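As an added example (not code from the thread or its commenters), the "record of deletes" approach Doctor Syntax and big_D describe: an erasure ledger kept outside the backup set, replayed over a restored image so that deletes made after the backup was taken are applied again, while tables under a legal retention duty (assumed here to be `invoices`) are left untouched. Table names, row shapes and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: tables under a statutory retention duty are never purged on
# restore (the commenters' point about invoices and payroll).
RETENTION_EXEMPT = {"invoices"}

@dataclass(frozen=True)
class Erasure:
    """One logged erasure request (hypothetical schema)."""
    subject_id: str
    requested_at: datetime

def record_erasure(ledger, subject_id, when):
    """Append an erasure event; in practice the ledger lives outside the backup set."""
    ledger.append(Erasure(subject_id, when))
    return ledger

def pending_erasures(ledger, backup_taken_at):
    """Subjects erased after the backup was taken; their rows must go on restore."""
    return {e.subject_id for e in ledger if e.requested_at > backup_taken_at}

def replay_erasures(backup, subject_ids):
    """Copy of the backup with those subjects removed from every non-exempt table."""
    restored = {}
    for table, rows in backup.items():
        if table in RETENTION_EXEMPT:
            restored[table] = list(rows)
        else:
            restored[table] = [r for r in rows if r.get("subject_id") not in subject_ids]
    return restored

def restore(backup, backup_taken_at, ledger):
    """Restore a backup image and re-apply the deletes logged since it was taken."""
    return replay_erasures(backup, pending_erasures(ledger, backup_taken_at))

# Constructed sample data: a backup taken on 1 May, an erasure request on 10 May.
BACKUP_TAKEN_AT = datetime(2018, 5, 1, tzinfo=timezone.utc)
AFTER_ERASURE = datetime(2018, 5, 11, tzinfo=timezone.utc)
SAMPLE_BACKUP = {
    "customers": [{"subject_id": "c1", "name": "A. Customer"},
                  {"subject_id": "c2", "name": "B. Customer"}],
    "invoices": [{"subject_id": "c1", "number": 1001, "total": 250.0}],
}
SAMPLE_LEDGER = record_erasure([], "c1", datetime(2018, 5, 10, tzinfo=timezone.utc))
```

Restoring `SAMPLE_BACKUP` drops customer `c1` from `customers` but keeps the `c1` invoice, and a backup taken after the erasure request has nothing to replay.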

  2. Steve G UK

    My business is a (very) small consultancy and the only client data I hold is name & contact details (email/phone), usually with business address. My understanding is that any business holding such data has to individually ask every contact for permission to continue to hold that data, to record that permission and to ask again after some unknown (to me) period has elapsed. That in itself would surely create a huge amount of traffic and admin, from every company holding any sort of PPI on every contact. Do I misunderstand?

    1. big_D

      It depends on the size of the company. Basically, read the law and try and interpret it, probably best to consult your lawyer if you have any doubts.

      I'm not sure how the UK implements it, but in Germany there are minimum sizes for organizations - 25 employees or more than 8 or 12 who do data processing.

      There are special rules, if the company only exists to process personal information, in which case they have to have a DPO, regardless of size.

      Post Brexit you will also have to ensure that any information stored on EU citizens or entities (businesses, for example) is held in conformity with EU DP regulations. That means that the UK will have to agree and EU data will have to be exempt from RIPA etc.

    2. P_Jamez

      It depends why you have that data

      There are 6 options under Lawful Basis on which you can process data (storing data counts as processing). If you only have that data for marketing purposes you will need retrospective consent. If you need it for performance of a contract or you have a legitimate interest you should be fine.

      I am not a lawyer and this is not legal advice etc.
