GDPR - Are business details classed as personal information?

quickstepqueen74

As a one man band (ltd company) we only hold contact names, addresses, phone number of businesses we deal with. And this information is given to us from the firm that buys our services. We keep these details as a) often they are repeat visits, b) invoicing purposes and c) in case of any arbitration cases. Does this mean we need to write our own privacy policy? This is all new to me and I want to ensure we are GDPR compliant but despite googling and looking on the ICO website I am bamboozled. Can anyone offer some advice that I can clearly understand please? (Sadly my menopausal memory doesn't help when taking in information!)

Billxx

Compliance is quite a large subject, but for a small business a starting point would be to write a document that:
a) Details the personal information that is kept.
b) Where is this information held/stored.
c) The security around the information.
d) The purpose of holding the information.  i.e. What use is it put too?
e) Who has access to the information.
f) How long the information will be kept, i.e. if there is no activity for a client/customer after 5 years, delete it.
g) What will you do if you get a Subject Access Request.
h) What will you do if someone asks for their data to be deleted.

This sounds a bit onerous, but you don't need to write a book.  So long as you give it your best endeavour the ICO will not come down on you.  They have bigger fish to fry.

I hope that helps.  Apologies if I have missed anything.

gm0

As a small business to business provider.   Business records of what you do, proposals, contracts, closure memos, invoices. 7 years after the event tax man can ask to see what supports the claimed accounting entry.  So legitimate business purpose to keep it. Can keep it.  If you don't the discussion with the tax man could become more tense. You don't need policy to say that.  Can just do it.   The incidental buyer/accounts payable contact info does not mean you cannot meet the above requirement.  If you got into publishing the stuff then personal info / redaction etc. would become relevant again.  But as securely stored, legitimate purpose commercial business records. It's basically fine.

On the other hand - if you go around claiming to be ISO9000 accredited as provider with a jazzy quality system. Or one of the many process maturity standards you can be asked to commit to.    Then need lots of policies on many things. Including this.  GDPR, Information retention, archiving and destruction.

Doing it pragmatically matters.  The quality document saying you are going to - less so

Clearly harvesting old records for contact info and going spamming gets you back into marketing consent and personal data issues quite quickly. So don't.  Not a legitimate purpose.

Marcon

quickstepqueen74 said:

As a one man band (ltd company) we only hold contact names, addresses, phone number of businesses we deal with. And this information is given to us from the firm that buys our services. We keep these details as a) often they are repeat visits, b) invoicing purposes and c) in case of any arbitration cases. Does this mean we need to write our own privacy policy? This is all new to me and I want to ensure we are GDPR compliant but despite googling and looking on the ICO website I am bamboozled. Can anyone offer some advice that I can clearly understand please? (Sadly my menopausal memory doesn't help when taking in information!)

The ICO template should give you all you need (and more): https://ico.org.uk/for-organisations/advice-for-small-organisations/how-to-write-a-privacy-notice-and-what-goes-in-it/ and scroll down to the link to the template.

If you work through it, being practical and using simple everyday language, it should do the trick nicely without doing your head in!

Andy_L

"

• Personal data only includes information relating to natural persons who:
• can be identified or who are identifiable, directly from the information in question; or
• who can be indirectly identified from that information in combination with other information."

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

Ie not a business 

quickstepqueen74

Andy_L said:

"

• Personal data only includes information relating to natural persons who:
• can be identified or who are identifiable, directly from the information in question; or
• who can be indirectly identified from that information in combination with other information."

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

Ie not a business 

So, GDPR wouldn't apply to us then? My partner essentially visits a lot of farms, collecting samples. Some farms are large companies, so have seperate phone numbers for any business calls we make with them, whilst others are small so, I assume, use 1 mobile for both private and business calls. We obviously have their name and business address. To me, the information we are given by the firm employing us, is business information not personal information. However, some of that data might be the same as the farmers own private info. Am I overthinking this?

tizerbelle

quickstepqueen74 said:

Andy_L said:

"

• Personal data only includes information relating to natural persons who:
• can be identified or who are identifiable, directly from the information in question; or
• who can be indirectly identified from that information in combination with other information."

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

Ie not a business 

So, GDPR wouldn't apply to us then? My partner essentially visits a lot of farms, collecting samples. Some farms are large companies, so have seperate phone numbers for any business calls we make with them, whilst others are small so, I assume, use 1 mobile for both private and business calls. We obviously have their name and business address. To me, the information we are given by the firm employing us, is business information not personal information. However, some of that data might be the same as the farmers own private info. Am I overthinking this?

GDPR will apply to you.  While business details aren't included, details of any people who work at that business are covered and don't forget data relating to your own company employees are covered as well.

Just work through the ICO guides for small businesses and think about why you have data, where you store it, what you will use it for, who you will share it with and how long you will keep it for - https://ico.org.uk/for-organisations/advice-for-small-organisations/

DullGreyGuy

Personally... would speak to the ICO. 

They do an exercise occasionally to identify registered companies that aren't paying them the registration fee and we got the inevitable letter a few years ago. In our case all our customers are corporates, we dont maintain any form of CRM etc, dont have a website but inevitably do have emails from members of staff from clients which will have their name, business email address and business phone number. Their advice to us was that we didnt need to register but naturally optionally could. 

quickstepqueen74

Thankyou all for your help. I really do appreciate each and every one of you who has commented. Naturally I don't want to waste time wading through writing a Privacy Policy unless it's necessary, but I don't want to go against the law either. Will try and get my head clear and try again to look at it. There's certainly a difference of opinion as to whether we come under GDPR. If only my other half had retired when he turned 66!