Many chimney sweeps still need to take action and are exposed to complaints and serious fines simply because they have not addressed GDPR as yet. It is essential you address GDPR as soon as possible if you have not done so yet, and to help out we have put together this comprehensive guide.
Firstly, please note that none of the information on this page is legal advice, none of it has been overseen by a lawyer or any law specialist. This is just information we have gathered from our research and own dealings with GDPR. You are advised to check this info agaisnt other sources and ensure it suits your needs.
General info and ICO Registration:
https://ico.org.uk/for-organisations/business/?medium=email&source=govdelivery
Within that site this one is a good link. Note that you may need to contact your current customers and ask them permission to keep contacting them. https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
Basically at our level of business it is not so bad but we do need to make sure a policy is in place. Particularly how we store details about employees, customers and info about people. Registration process is here: https://ico.org.uk/for-organisations/register/
Your Website Compliance:
1/ Security:
Make sure your website is fully up to date on security (For example: WordPress and its plugins are fully up to date to latest version)
2/ Compliance / Data > SSL Certificate:
All websites now should run a Secure Server Certificate (for encryption of data). It is a requirement for Google, GDPR, WordPress latest version. It is strongly advised to have your website running on https and hot http.
SSL certificates (usually around £50 per annum) and can be purchased directly form your webhost.
3/ Compliance / Data: Your Privacy policy
If you have not done so yet, your privacy policy needs updating / adding to be in line with GDRP regulations. This is also crucial.
While we are not lawyers and would not in any way be able to advise on the content of this document from a legal stand point, we have found a free document that we are happy using ourselves, and could be use for your website should you find it adequate after careful review from your team: http://jamieking.co.uk/blog/cyber-security/policies/download-free-sample-privacy-policy.php
So, make sure you contact your web designer or do this work if you manage your website.
(Vinny and his web agency Codastar can help you with the practicalities of this if you need)
Data Storage
This is difficult to cover as you will have multiple sources of accessing data on your computer, mobile and tablets. However here are some guidelines.
1/ Store your main database on an encrypted folder or hard drive.
Do not leave your clients database on an unsecured folder on your computer, like your desktop or your downloads folder.
Instead, here are some tools you can use:
Folder Lock : Create password protected / encrypted folders on your computer. You can create a customer folder for example and store all your database files in it.
Encrypted USB Key: You can store your backups on an encrypted USB key. Even if you keep it with you on your key ring for example and you loose it, noone will be able to access the content without your password.
(Disclosure: The 2 links above include affiliate code, which means Sweep Safe LTD would receive a commission on sales from the vendors at no additional cost to you. If you do not wish for this to be the case, simply Google these 2 products instead.)
These simple 2 things can safe you a lot of trouble. Just make sure you do not keep data copies on other folders and drives.
2/ The Cloud
So, what about Dropbox and Google Drive?
Well, this is a little tricky. Technically they meet all GDPR compliance requirements and in our opinion it is quite safe to store data on Dropbox for example as all data is encrypted. The weak point comes from your own computer mostly. Your Dropbox folder is simply a folder on your computer hard drive, unprotected and while it is difficult for someone to hack Dropbox, it is much easier to hack your computer via some malware of some sort.
The solution? Use a cloud protection tool that will password protect your Cloud folders while still allowing them to function as intended and sync as needed.
Cloud Secure: This is the solution we use and is a good way to keep your data on dropbox folders safe.
(Disclosure: The link above include affiliate code, which means Sweep Safe LTD would receive a commission on sales from the vendors at no additional cost to you. If you do not wish for this to be the case, simply Google this product instead.)
So, here is a good round up of what you need to do, from a technical perspective. Make sure you also get your customers to opt-in to receive your different types of communications, that they are made aware of a clear way to request their data deleted or amended and that you have in place a solution to do so. (This is why getting your data centralised on a protected folder and backed up on an external hard drive is quite useful and it gives you 2 simple place to manage data.)