New Data Protection Regulations

Agencies and other headaches, keys and cleaners, running costs and contracts...in short, all the things we spend so much of our time doing behind the scenes.
Jenster
Posts: 454
Joined: Tue Mar 08, 2016 8:24 am
Location: Cornwall
Contact:

Post by Jenster »

Using the pmp template and other guidelines I have come up with this:

http://www.seashellsporthtowan.co.uk/up ... policy.pdf

Comments welcome, I really hope there are not too many errors or omissions as I really don’t want to re-do it!

One area I was a bit unsure of - records of bookings are needed for 6 years for accounting purposes - but do these really need guests addresses etc?
akwe-xavante
Posts: 306
Joined: Wed Jul 01, 2015 3:19 pm
Location: East Yorkshire

Post by akwe-xavante »

You may want to think about who has access to the data when you're ill or on holiday.

Do you live away and share information with visiting cleaners, keyholders, gardeners, tradesmen, or a neighbour at any time?

If you get a telephone call from a utility service meter reader requiring access to a meter will you be giving them your guests name?

If the gas, water or electricity company want to access the property for any other reason you may have to disclose your guests name.

There may be other situations where you have to disclose the name of your guests not yet thought of!

If we read the meters on changeover, do we have to let them know, and why we do this, what the information is used for, etc.?

It might be worth considering adding something like this.....

"Your name may be verbally shared with anybody that has a legitimate reason to visit the property whilst it is occupied by you, such as, and not limited to, the cleaner, keyholder, gardener, neighbour, tradesmen, utility service meter readers, the police and other emergency services."

and..

"(My Name), the data controller and owner of (Business or property Name) may at his discretion in certain circumstances including illness and holidays temporarily grant a third party access to data collected about you to ensure the business continues in his absence. In the event of sudden illness a family member or close trusted friend may access data about you to ensure the business continues in his absence without his knowledge but with his consent."

Thoughts!
zebedee
Posts: 1270
Joined: Fri Sep 12, 2014 2:57 pm
Location: yorkshire dales

Post by zebedee »

Hi Jenster,
I think what you have written is fine. I would add something about the security of your computer system though, eg password protected, use of firewalls.

Akwe, I don’t think all of your suggestions would apply to everyone. We do our own readings and submit to utility company on line.
I have been on “holiday” with real time differences and still answered enquiries and dealt with bookings. I’ve also been really ill and done the same. The question is, do we need to get into the realm of “what if”. I think on consideration I would be wary of saying data can be shared with a trusted friend - rather change the policy if it is necessary.

Which then raises another question. There is no need for any version control, so what I put in a policy today, can be amended next week without the need to warn guests. I think I have just realised a major flaw in this whole process.
Drax
Posts: 185
Joined: Thu Jul 21, 2016 4:36 pm
Location: Yorkshire Dales

Post by Drax »

Jenster,
Other things to consider are:
1/ Have you registered with the ICO? If so publish with your registration number.
2/ What privacy safeguards are in place to protect your customers privacy in regard to names and addresses in your Guests Comments Book?
3/ If an enquiry results in a non-booking, what do you do with that person's details? i.e. do you permanently delete their details?
4/ Do you analyse data to see how effective your advertising/rental listing sites are? If so perhaps this should be displayed in your policy statement.
Keep your powder dry.
akwe-xavante
Posts: 306
Joined: Wed Jul 01, 2015 3:19 pm
Location: East Yorkshire

Post by akwe-xavante »

What if you don't have any living family and you live alone and become ill to the point that you're hospitalised suddenly... stroke, heart attack, a road traffic accident. You may not have the time or the ability to make changes or appoint someone trusted to take over things whilst you recover.

Just a thought, it's bound to happen to somebody.

When I go on holiday I quite literally disappear and become uncontactable. This year's holiday is a three week canoe camping trip in Russia. I'll be more than 450 miles away from the nearest mobile phone mast and loo!

Not everybody works whilst on holiday, and not everybody is capable of running a business whilst under the surgeon's knife or pumped full of morphine.

Gas, water and electric meter readings... even if you do submit meter readings yourself online, these companies will on occasion require access to read them themselves, as we are not to be trusted, and a gas safety inspection of the meter is required every 2 years I think. My experience is that you never get warned in advance; they just turn up and demand an inspection.
Last edited by akwe-xavante on Tue May 22, 2018 8:13 pm, edited 1 time in total.
zebedee
Posts: 1270
Joined: Fri Sep 12, 2014 2:57 pm
Location: yorkshire dales

Post by zebedee »

But if you are sick or away and not working, isn’t your privacy policy a business policy? Ie everyone working to the same rules?

I haven’t seen any privacy policy that gets into the business continuity strategy.
If you regularly use someone to help you, then by all means include them as someone who manages the data, but I would be careful with wording as it can give a wrong impression.
akwe-xavante
Posts: 306
Joined: Wed Jul 01, 2015 3:19 pm
Location: East Yorkshire

Post by akwe-xavante »

Just feel that some people's policies may be flawed if they specifically name a person as data controller, for example.

In theory, if that person is absent by design, or by accident or death, then nobody is then authorised to access information and therefore legally cannot do so.

A technicality, I know, but I'm simply suggesting that it should be considered and given some thought by some people.

If I specifically name myself as data controller, do I need to change this when on holiday, or just before I have that stroke? Just thinking out loud.
COYS
Posts: 795
Joined: Sat Jun 06, 2015 1:24 pm
Location: Greek Islands

Post by COYS »

Wow!
This thread has finally confirmed that I made the right decision in bailing out. How on earth is a micro business supposed to cover every 'what if or maybe'?
I still have a battered old address book & pencil (remember those?) with hundreds & hundreds of previous customers, suppliers, contacts, notes etc in various detail from many years back to last month. Most are from my building ventures, some are from rentals & there are plenty that I have no idea of origin. Should I burn it just in case the data police come knocking?
Only part in jest & I don't envy those working hard on trying to comply, but aren't we just overplaying it a wee bit? Rules are rules, I understand that, but unless you're a mass marketing guru, frequent newsletter sender or spammer, was it really aimed at you/me for taking a few basic details for a short term holiday let? I have my doubts that one man/woman & his/her Mac are likely to be viewed in quite the same category as FaceBook or other data traders.

Jenster, for what it's worth I think you've more than covered the basics in a language that your client base can understand.
This time next year Rodney, we'll be millionaires.
GillianF
Posts: 826
Joined: Mon Aug 20, 2012 12:06 pm
Location: Dordogne

Post by GillianF »

I like Jenster's clear statement of policy here and thought it rather covered everything. There are a couple of nice phrases I hadn't thought of for my own, very simple and brief, policy statement.

But, I agree with COYS.

I have an old-fashioned address book. I have old printed booking forms in a filing cabinet. These rules are really not aimed at us but designed to catch the big boys. Of course, that doesn't mean we shouldn't make an effort to comply to the best of our ability.

I repeat my remark above though that I have had a fair few of these in my in box now from all sorts of companies/organisations and every single one has been different. Some have been almost incomprehensible and/or long which, as I understand it, defeats the object of the exercise which is supposed to make it easier for us to know who has what and let us see it, accept it or object to it without having a degree in legalese or gobbledygook!
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton
Contact:

Post by newtimber »

akwe-xavante wrote:Just feel that some peoples Policies may be flawed if they specifically name a person as data controller for example.

In theory if that person is absent by design or by accident or death then nobody is then authorised to access information and therefore legally cannot do so.
This is not right.

From the ICO website:-
A data controller must be a “person” recognised in law, that is to say:

individuals;
organisations; and
other corporate and unincorporated bodies of persons.

Data controllers will usually be organisations, but can be individuals, for example self-employed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.
If you are a sole trader, your organisation (ie you) is the Data Controller whether you like it or not. But you give authority to someone to act on your organisation's behalf (ie you) when you are away, and you will be ultimately responsible for any data breaches.
Ian H
Posts: 6
Joined: Wed Mar 21, 2018 1:01 pm
Location: North Wales, UK
Contact:

Data controller and using processors

Post by Ian H »

One thing to be aware of, and I am coming at this as someone who takes bookings direct. But a lot of this will apply if you use an agent.

Remember GDPR is concerned with storage and use of data that can be used to identify a person like names, emails, address etc.

Most people are focusing on privacy policies etc. But there is a potentially much bigger thing to consider. I'm coming at this having spent the last two months working on GDPR compliance for our company, so I have finally wrapped my head around this legislation.


1. If we collect personal info / decide how it is processed we are Data Controllers.

2. Under the GDPR, to process can also mean to store (including electronically).

Article 28 of GDPR

"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."

So in plain speak, "if we use a 3rd party to process (including store) personal data we can only use processors who meet GDPR regs"

There are a few key implications feeding off this:

(a) as controllers we can only use processors who meet the GDPR regulation (down to us to check).

(b) if processors are NOT based in the EU, they will not necessarily comply with GDPR (whereas processors in the EU will have to comply or face legal sanctions).

Think about the processors you are possibly using that will store personal data of your customers / people booking / enquiring / visiting your website.

- Google (analytics, Gmail, google drive for storing info)
- Credit card processing (stripe etc)
- Web site hosting
- etc etc

Where are they based - mostly US I bet. Even if they are based in the UK, where do they store their data (see below)?

Are they GDPR compliant?


Yes the big players will be, google etc. But what about smaller service providers you use?


(c) international data transfer


Again from GDPR

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."

In plain speak "This means we can only transfer data out of the EU to countries that meet the level of protection in the GDPR."

This is a real problematic area.

If you export data to a processor not in the EU (i.e. I save personal data to google drive and that data is stored in the US) then the processor (in this case google) needs to provide the same level of protection.

The way most of them are dealing with this is via signing up to the US Privacy Shield. Check they are certified. For example, here is Google's certification.

https://www.privacyshield.gov/participa ... tus=Active


You need to think about all the systems you are storing personal data in and ask them (or look on their websites)


(1) Are they GDPR compliant?

(2) Do they store their data in the EU, and if not, where? It will probably be the US. If so, are they Privacy Shield certified, and if not, how do they meet the GDPR regs for international transfer of data?
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton
Contact:

Re: Data controller and using processors

Post by newtimber »

Ian H wrote: (2) Do they store their data in the EU, and if not, where? It will probably be the US. If so, are they Privacy Shield certified, and if not, how do they meet the GDPR regs for international transfer of data?
Unfortunately Apple currently isn't listed. This affects iPhone, iPad and Mac computers that use iCloud. I cannot envisage everyone ditching their iPhones...
Ian H
Posts: 6
Joined: Wed Mar 21, 2018 1:01 pm
Location: North Wales, UK
Contact:

gdpr - apple

Post by Ian H »

Agreed, people will not ditch their iPhones / iCloud come Friday. However Apple will have to be compliant at some point.

Note, the onus is on the data controller to use processors that are compliant. It is the data controller that will be fined, not Apple. It matters not to them if you store personal data on Apple services in the US.

It is a crazy situation. However my understanding is that Apple have committed to be GDPR compliant by the 25th, i.e. 2 days away!

There are other ways they can be compliant with (international) data transfers even if not privacy shield certified.

1. They may store it in the EU; I don't know, I don't use Apple products so have no sight of their terms of service.

2. They can use things called standard contractual clauses.

The regulators won't start fining people on day one; it will be soft enforcement as people work their way through the legislation, I am sure.

In reality though, if we as holiday let owners get investigated by the ICO due to a failure of our GDPR compliance, they will probably just tell us to sort a few areas out to get compliant and that will be the end of it.

But I am ticking all the boxes I can just in case to get compliant.
apexblue
Posts: 2249
Joined: Wed Sep 10, 2008 6:58 pm
Location: UK

Post by apexblue »

Do we have to email existing clients before Friday?
It is better to remain quiet and have one think you are stupid, than to open your mouth and remove all doubt....

The biggest mistake we make in life is thinking we have time.
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton
Contact:

Post by newtimber »

apexblue wrote:Do we have to email existing clients before Friday?
I hope not, if I'm not sending them marketing emails that require "opting in"