March 6, 2020 | VL | Blog

A Locksmith’s Guide to GDPR


What is GDPR?

The General Data Protection Regulation, otherwise known as GDPR, is the core of Europe’s digital privacy legislation and sits alongside the Data Protection Act 2018 within the UK. It outlines data protection principles, rights and obligations.

Brief overview:

  • If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply with GDPR.
  • Every individual who hands over their personal information must be clearly told what that information is being used for, and must give consent for it to be used.
  • There is no fixed list of steps you have to take; rather, you must comply with the basic principles of transparency, consent and justification.

GDPR Key Terms

What is a data subject? The specific individual to whom a piece of data relates, where that data enables the identification of said individual.

What is personal data? Any information about a particular living individual. This can include name, address, email, location, IP address or Cookie ID.

What is ‘processing’? Any action performed on data, including collecting, recording, storing, using, analysing, combining, disclosing and/or deleting it.

What is consent? Freely given, specific, informed indication of a data subject’s wishes in which through a clear affirmative action they signify agreement to the processing of their own personal data.

What is a data breach? An infringement of security which leads to the accidental and/or unlawful destruction, loss, alteration, access to or processing of personal data.

What is the right to be forgotten? Every individual has the right to request the deletion or removal of their personal data.


If you process any individual’s personal data for any non-household purpose, no matter the scale, you must take the GDPR guidelines into consideration.

How does GDPR apply to Locksmiths?

In the Locksmithing industry, the collection of personal information is required to legally complete a job, such as names and addresses for a VAT invoice. This is classed as processing personal data and therefore must conform to the GDPR guidelines. However, don’t panic: this only means that when you collect that data you must use it only in the way you have told the customer you will use it (for example, in financial statements).

What if I collect data for another reason?

Whenever you collect an individual’s data you must gain their consent. Consent can take the form of the individual freely giving you the information once they understand what it will be used for, ticking a box to agree, or giving written consent such as a signature.

What do I have to do for GDPR?

As GDPR is a set of guidelines, it can be hard to know what applies and what doesn’t. But there are some basic things to keep in mind that will help you better understand the core values and how you can comply.

  • Communication

Be honest and open about the information you are collecting. Within Locksmithing, if you are mobile you will need a customer’s address to complete the job; this is something that is mutually understood. However, when collecting data such as an email address, you must clearly state your intention for collecting it; for example, whether it is for an electronic receipt or for marketing purposes.

  • Access

Any individual has the right to access the data you hold on them at any time, and can also request that the data is moved to another company or is deleted.

  • Warning

You must notify people if you have a data breach. In a large company this can happen in many different ways, but the most likely form of data breach you as a Locksmith would encounter is the loss of your phone or another electronic device. If you store personal details for business purposes on your devices, such as addresses and names, and that device gets stolen, you need to notify any parties involved, as this would be a breach of data protection. This does not, however, apply to information stored for personal use, such as family and friends’ phone numbers.

  • Reporting to the ICO

If you have a data breach you must also report it to The Information Commissioner’s Office within 72 hours. You must explain what has happened, what procedure was in place to avoid the issue, and what backup you have of the lost data.

How do I protect the data I collect?

  1. Secure paper records in a locked cabinet that is accessible only to staff members
  2. Secure digital records with a password or encryption
  3. Create a backup of the data you hold, which must also be protected

Run a Data Audit

If you are still unsure what data you process and/or store, or whether you are complying with the GDPR guidelines, the best course of action is to run a data audit on yourself. The steps for a data audit are:

  1. What data do you collect?
  2. Why do you collect data?
  3. How do you store data and for how long?
  4. Have you gained consent from customers to process their data? Do you have proof of this?
  5. How do you protect against breaches?
  6. What back-up data do you have?

Once you have answered all these questions, create a folder containing all these points and any action plans you have for changes to how you handle data, such as deletion, so that you have a detailed plan of everything. This means that if you are ever unsure whether you are complying, you can refer back and make changes to your process if need be.

References:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/711097/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018