GDPR, T&Cs and Your Customers
Regardless of the size of your business, the GDPR (General Data Protection Regulation) will affect you. In order to comply with the new, more stringent data protection and privacy rules you are likely to need to:
- review and maybe change some of your business processes
- update your website
- update documentation you provide to customers when selling face-to-face.
In a previous blog article we discussed how website privacy notices will need to change. In this article we're going to look at how small businesses (and sole traders) who enter into written contracts with their customers might need to change the information they provide with their T&Cs.
Much of what is in the GDPR is already law in the UK as part of the Data Protection Act (DPA). The GDPR, however, does go further in providing additional and stronger legal protections for personal data. So, even though much of what you need to do is already law, compliance is likely to become more important due to greater public awareness of the issue and the potential cost of getting it wrong. If you want to do some background reading on what the GDPR means for your business then the ICO website is the place to start.
What is Personal Data?
Personal data is any form of information that can be related to an individual person. The obvious examples are name, email address and phone numbers. Less obvious examples, but also covered by the GDPR, include: photographs, IP addresses, location data and ID numbers. You can probably think of more. Even data that is 'pseudonymised' might be classed as personal data depending on how easy it is to attribute to an individual.
This concept of personal data applies to both B2C and B2B situations. If you are dealing with a customer on a B2B basis then you still might be collecting personal data such as a personal email address e.g. email@example.com.
Greater protections already apply to sensitive personal data (called "special categories of personal data" in the GDPR). The GDPR, however, extends the scope to include additional types of personal data such as genetic and biometric data. To put it simply, if you collect personal data that falls into any of these categories, then you have additional responsibilities as a data controller (which we don't cover here):
- ethic origin
- trade union membership
- sex life
- sexual orientation.
Am I a Data Controller?
A data controller is any entity (business, sole trader, charity etc) who " determines the purposes and means of processing personal data". If you, as a business or sole trader collect and use personal data from individuals then you are a data controller. The GDPR also recognises the role of a data processor - who processes data on behalf of a controller. The controller is the one who decides what data to process and how to process it.
If you process personal data electronically then it is possible that you also need to register with the ICO. The ICO website has a self-assessment quiz that can help you determine if you need to register or not.
Collecting Personal Data From Your Customers
At the point that you collect personal data you must tell the data subject (your customer):
- why you are collecting their data
- how going to use it, and
- who you are going to share it with.
This applies whether you're collecting data from a website or on a paper form. You should make sure that you really do need the data you collect. Change your forms and processes now if you find that you are collecting data you don't need and can't justify under the GDPR.
You need to be able to identify what lawful basis you have for processing the personal data you collect (see our earlier GDPR blog article for an overview of what 'lawful basis' means). Carrying out a review of what personal data you use and documenting the results (as an internal document), will also help you demonstrate your compliance with GDPR requirements.
If you engage with your customers by providing a printed quote (or similar) alongside your T&Cs then the natural place to provide this information is as part of your quotation form. Such a section should be easy to understand, concise and (of course) accurate. Being clear and concise is not always easy and it certainly will require you to understand how and why you process personal data.
Clickdocs T&Cs Templates Have Been Updated for GDPR
We've updated our range of standard T&Cs templates to help you meet your GDPR obligations. All of our templates that include a quotation, application or registration form have been amended to include a 'How We Use Your Personal Data' section. Guidance notes have been included to help you provide appropriate information to your customers.