
GDPR - Are business details classed as personal information?

As a one man band (ltd company) we only hold contact names, addresses, phone number of businesses we deal with. And this information is given to us from the firm that buys our services. We keep these details as a) often they are repeat visits, b) invoicing purposes and c) in case of any arbitration cases. Does this mean we need to write our own privacy policy? This is all new to me and I want to ensure we are GDPR compliant but despite googling and looking on the ICO website I am bamboozled. Can anyone offer some advice that I can clearly understand please? (Sadly my menopausal memory doesn't help when taking in information!)

Comments

  • Billxx
    Billxx Posts: 296 Forumite
    Sixth Anniversary 100 Posts Name Dropper Photogenic
    edited 1 April 2024 at 8:56PM
    Compliance is quite a large subject, but for a small business a starting point would be to write a document that:
    a) Details the personal information that is kept.
    b) Where is this information held/stored.
    c) The security around the information.
    d) The purpose of holding the information, i.e. what use is it put to?
    e) Who has access to the information.
    f) How long the information will be kept, i.e. if there is no activity for a client/customer after 5 years, delete it.
    g) What will you do if you get a Subject Access Request.
    h) What will you do if someone asks for their data to be deleted.

    This sounds a bit onerous, but you don't need to write a book.  So long as you give it your best endeavour the ICO will not come down on you.  They have bigger fish to fry.

    I hope that helps.  Apologies if I have missed anything.


    Kind Regards,

    Bill
  • gm0
    gm0 Posts: 1,171 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    As a small business to business provider.   Business records of what you do, proposals, contracts, closure memos, invoices. 7 years after the event tax man can ask to see what supports the claimed accounting entry.  So legitimate business purpose to keep it. Can keep it.  If you don't the discussion with the tax man could become more tense. You don't need policy to say that.  Can just do it.   The incidental buyer/accounts payable contact info does not mean you cannot meet the above requirement.  If you got into publishing the stuff then personal info / redaction etc. would become relevant again.  But as securely stored, legitimate purpose commercial business records. It's basically fine.

    On the other hand - if you go around claiming to be ISO9000 accredited as provider with a jazzy quality system. Or one of the many process maturity standards you can be asked to commit to.    Then need lots of policies on many things. Including this.  GDPR, Information retention, archiving and destruction.

    Doing it pragmatically matters.  The quality document saying you are going to - less so

    Clearly harvesting old records for contact info and going spamming gets you back into marketing consent and personal data issues quite quickly. So don't.  Not a legitimate purpose.
  • Marcon
    Marcon Posts: 14,471 Forumite
    Ninth Anniversary 10,000 Posts Name Dropper Combo Breaker
    edited 1 April 2024 at 10:43PM
    As a one man band (ltd company) we only hold contact names, addresses, phone number of businesses we deal with. And this information is given to us from the firm that buys our services. We keep these details as a) often they are repeat visits, b) invoicing purposes and c) in case of any arbitration cases. Does this mean we need to write our own privacy policy? This is all new to me and I want to ensure we are GDPR compliant but despite googling and looking on the ICO website I am bamboozled. Can anyone offer some advice that I can clearly understand please? (Sadly my menopausal memory doesn't help when taking in information!)
    The ICO template should give you all you need (and more): https://ico.org.uk/for-organisations/advice-for-small-organisations/how-to-write-a-privacy-notice-and-what-goes-in-it/ and scroll down to the link to the template.

    If you work through it, being practical and using simple everyday language, it should do the trick nicely without doing your head in!
    Googling on your question might have been both quicker and easier, if you're only after simple facts rather than opinions!  
  • Andy_L
    Andy_L Posts: 13,026 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    "
    • Personal data only includes information relating to natural persons who:
      • can be identified or who are identifiable, directly from the information in question; or
      • who can be indirectly identified from that information in combination with other information."
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

    Ie not a business 
  • Andy_L said:
    "
    • Personal data only includes information relating to natural persons who:
      • can be identified or who are identifiable, directly from the information in question; or
      • who can be indirectly identified from that information in combination with other information."
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

    Ie not a business 
    So, GDPR wouldn't apply to us then? My partner essentially visits a lot of farms, collecting samples. Some farms are large companies, so have separate phone numbers for any business calls we make with them, whilst others are small so, I assume, use 1 mobile for both private and business calls. We obviously have their name and business address. To me, the information we are given by the firm employing us, is business information not personal information. However, some of that data might be the same as the farmers' own private info. Am I overthinking this?
  • tizerbelle
    tizerbelle Posts: 1,921 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    Andy_L said:
    "
    • Personal data only includes information relating to natural persons who:
      • can be identified or who are identifiable, directly from the information in question; or
      • who can be indirectly identified from that information in combination with other information."
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

    Ie not a business 
    So, GDPR wouldn't apply to us then? My partner essentially visits a lot of farms, collecting samples. Some farms are large companies, so have separate phone numbers for any business calls we make with them, whilst others are small so, I assume, use 1 mobile for both private and business calls. We obviously have their name and business address. To me, the information we are given by the firm employing us, is business information not personal information. However, some of that data might be the same as the farmers' own private info. Am I overthinking this?
    GDPR will apply to you.  While business details aren't included, details of any people who work at that business are covered and don't forget data relating to your own company employees are covered as well.

    Just work through the ICO guides for small businesses and think about why you have data, where you store it, what you will use it for, who you will share it with and how long you will keep it for - https://ico.org.uk/for-organisations/advice-for-small-organisations/
  • DullGreyGuy
    DullGreyGuy Posts: 18,613 Forumite
    10,000 Posts Second Anniversary Name Dropper
    Personally... would speak to the ICO. 

    They do an exercise occasionally to identify registered companies that aren't paying them the registration fee and we got the inevitable letter a few years ago. In our case all our customers are corporates, we don't maintain any form of CRM etc, don't have a website but inevitably do have emails from members of staff from clients which will have their name, business email address and business phone number. Their advice to us was that we didn't need to register but naturally optionally could.
  • Thank you all for your help. I really do appreciate each and every one of you who has commented. Naturally I don't want to waste time wading through writing a Privacy Policy unless it's necessary, but I don't want to go against the law either. Will try and get my head clear and try again to look at it. There's certainly a difference of opinion as to whether we come under GDPR. If only my other half had retired when he turned 66!