GDPR

Posted: Mon Feb 26, 2018 4:09 pm
by stephen1974
I know this isn't really a health and safety issue but is anyone dealing with this? It's been dumped in my lap and honestly, it's simply too big for me to deal with just using the internet. The company won't spend money on any courses or outside help.

I read somewhere, and now I can't find where, that it doesn't apply to companies with less than 250 employees.
I've also read it depends on how much data you hold (in our case on customers) and it does apply if you have 'large amounts', large amounts being a vague news term with absolutely zero definition.

There is tons of information out there, but it's all aimed at big business, not small business. It's also very bad at explaining relevance. Too much lawyer speak.

3 months to go and I don't want to waste time on this.

Re: GDPR

Posted: Mon Feb 26, 2018 5:16 pm
by Waterbaby
:wave:

I have absolutely no idea but those who do might be able to help :?

I don't think this is an H&S function though.

"The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998"
...

"Brexit and the GDPR

UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply, a position that has been stated by the Information Commissioner’s Office (ICO)."

https://www.itgovernance.co.uk/data-pro ... regulation

https://www.eugdpr.org/gdpr-faqs.html


Article 30, last paragraph: http://eur-lex.europa.eu/legal-content/ ... 79&from=EN

"5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."

WB

Re: GDPR

Posted: Tue Feb 27, 2018 10:46 am
by Mrs P
Stephen,

I haven't heard anything about an employee threshold.

Have you read the guidance issued by the ICO?

https://ico.org.uk/for-organisations/gu ... tion-gdpr/

Still a lot to wade through but at least it's straight from the horse's mouth, as it were.

Mrs P

Re: GDPR

Posted: Mon Apr 16, 2018 5:45 pm
by Waterbaby
GDPR Customer Toolkit Guidance

"Guidance for CCS customers on the changes to CCS commercial agreements and the actions customers need to take on call-off contracts to comply with GDPR"

Published 13 April 2018
From: Crown Commercial Service

https://www.gov.uk/government/publicati ... t-guidance

WB

Re: GDPR

Posted: Mon Apr 23, 2018 7:30 pm
by Jack Kane
I've been working on this quite a bit due to the data captured here on HSfB. It's a bit of a chunky project, but I'd rather that than any of our visitors feel uncomfortable about the data they give to HSfB just by being here. Now that I've been looking into it, there's quite a bit to think about. I'm going to publish how we comply with GDPR this week all being well.

I have read in more than one place that companies not complying or at least attempting to comply by the deadline will not be looked at favourably. It doesn't need to be perfect.

Re: GDPR

Posted: Tue Apr 24, 2018 3:36 pm
by grim72
Yup, I got the joyful task of looking at ours too; the more you read up on it, the more you realise just how much work is involved. The general consensus is that updating your website policies is the first step, as this is the only area clearly visible in the public domain. As ever when it comes to legal forms and compliance, nothing is ever as straightforward as you first hope lol.

From the perspective of companies that sell products online, it is hard to accept that we will be wiping all of the valuable sales history data that we've built up over the years, unless customers re-submit their acceptance to opt in to our holding their details etc.

But at least we get a good cleanse of our database and ensure we aren't emailing people that don't want to be emailed etc.

Feel free to have a look at our updated policy here, which I think covers everything we need to in terms of the website: https://www.goodtogosafety.co.uk/Privacy-Policy

I've had many an email request to update my subscription agreement in recent weeks, and I suspect the volume of requests will only increase as we near the May deadline. It's amazing how many of them (including large corporate blue-chips) are not following the requirements of GDPR though, with some saying that by not replying they'll see that as acceptance to stay in touch. I think a lot of companies will be in for a shock (depending how hard the legal firms decide to chase).

Re: GDPR

Posted: Tue Apr 24, 2018 9:34 pm
by Jack Kane
grim72 wrote: Tue Apr 24, 2018 3:36 pm
"From the perspective of companies that sell products online, it is hard to accept we will be wiping all of the valuable sales history data that we've built up over the years"

Not necessarily, Grim. From what I have understood, if you can demonstrate the data you hold has been processed under at least one of the 'lawful bases' then you can maintain that data for 'no longer than is necessary'. If it's necessary for you to maintain a contractual obligation, i.e. guarantees, maintenance contracts etc., then you can justify keeping the info. If you want to keep the data but you don't need the personally identifiable data, you can anonymise the data and keep it for your own analysis. This then gives you a legitimate interest to improve your business and services to your customers.

I think :lol:

Re: GDPR

Posted: Tue Apr 24, 2018 9:36 pm
by Jack Kane

Re: GDPR

Posted: Wed Apr 25, 2018 8:29 am
by grim72
Thanks for that, Jack, I might need to do some extra homework. Sounds good if we can keep the data in some format or other.

Re: GDPR

Posted: Wed Apr 25, 2018 8:52 am
by bernicarey
Yes, Jack's right on that one, there's plenty of 'legitimate' reasons to keep data.
For example, if someone passes you a business card with their details, they have given you implied consent to contact them. You don't hand out your details unless you expect to be contacted.
The ones who are really getting it wrong are all the online companies or services, including online supermarkets etc., who are simply sending out emails asking you to agree to continue receiving their daily/weekly advert email.