Small Businesses and Personal Data
What’s classed as ‘personal data’?
- The obvious ones, such as name, surname, initial(s), alias, home address, phone numbers, date or place of birth, ID card number, credit card number and e-mail address
- Sensitive data, such as health data and genetic or biometric data, e.g. facial images, fingerprints, retina scans, DNA, etc.
- Online identifiers such as IP addresses and cookie identifiers
- Location data such as device location history
- Metadata related to Internet activity, i.e. browsing and search history, as well as information regarding a data subject’s social media accounts and posts
Note: if you process debit or credit card information, you may also be subject to PCI DSS Regulations.
And whilst we’re on the subject of Data Protection…
I want a copy of my personal data and I want it now
As a small business owner, you know what personal data rights are under GDPR, don’t you, and what a data subject is?
And if one of your customers asks you to provide them with a copy of their personal data, you know exactly what to do and the timescale for doing it in, correct?
… ‘data subject’ refers to any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify an individual, such as a name, home address or credit card number.
(Luke Irwin, Author for IT Governance 15/11/2018)
People are becoming more aware of what their rights are under the data protection rules and are exercising these rights more frequently. They can object to advertising communications, deny access, or ask for a copy of the personal data that’s held on them.
Because individuals are becoming more aware, this is also having an impact on businesses. As a business owner, even if you’re a one-man band, it’s your responsibility to understand how GDPR affects you.
So, let’s go back to my original question.
Q. One of your customers has asked you for a copy of all the personal data you hold on them. What do you do and how long have you got to respond?
A. You have one month from the date of receiving the request to provide a copy of all their personal data. Repeated, excessive requests for copies of the same data records can be treated as an exception, but otherwise you’re legally obliged to complete their request.