Jayesh Naranbhai and Matthew Hulatt, joint owners of Dunstone News in Plymouth, got in touch wondering if I had any advice or guidance about the General Data Protection Regulations. They wrote: “We’re probably in the same position as many other retailers in that we run a home-delivery service. We do keep customers’ details, but this is only to deliver to them and we do not use it for any other marketing purposes.”
The new EU reg comes into force on 25 May, causing customary confusion for one and all. Cue a rash of events and advisors and experts. There is no official certification or accreditation for GDPR so don’t go handing over any money to anyone.
Well, except for the Information Commissioner’s Office (ICO). Registration with them costs about £35 a year. The ICO is overseeing the changes. I rang them and put Jay and Matthew’s question to them. This wasn’t as easy as it sounds. On the first two tries I hung on for 25 minutes each time. I got through on the third attempt after just 15 minutes.
I was reminded that, if you store the data electronically, you should be registered. If you just keep the name and address in a notebook you do not necessarily have to register. But you need to take the three-step test on the website concerning “purpose of contract, legitimate interest and legal obligation”, said the helpful bloke I got through to. But as the ICO man pointed out (and as I pointed out in our last issue), if you have CCTV you should be registered anyway.
The fines for falling foul of these new regs are mega scary: up to £17.4m or 4% of turnover, whichever is greater, although I doubt any newsagent will suffer that. The ICO has far bigger fish to fry.
You might also want to check out your insurance policy to see if there is coverage should any data protection mishap occur.