This page outlines the policy and practice followed by Donncha Hughes, Business Advisor, Mentor & Trainer in relation to Privacy and Data within the context of Europe’s General Data Protection Regulation (GDPR) which became law on May 25th, 2018.
There are two types of personal data that emerge in my business. The first category is data provided by startup promoters and company representatives to assist in the provision of services. This includes direct enquiries to the business. It is where I am the data controller.
Point 1 – Requests for Personal Data from Potential Clients on my Website
I do not request personal data from potential clients on my website or offer a facility to leave an email address. Why? Because I do not use email marketing. I do not engage in any mass business client ‘retargeting’ activity. There is a contact form whereby emails arrive in my email inbox. I use Outlook. I respond to those individually and follow up* as needed on an individual basis. My email mailbox fills up and every three months I delete the majority of dated emails.
*In 2023, I started using the task management platform ClickUp to manage reminders, so I do securely store client contact details in that system. It is a superb solution.
CALENDLY & ZAPIER
I use an online calendar service called Calendly. This allows clients to book time to meet me in person or using Zoom at a time that suits them. If meeting in person, you will have to complete a short form letting me know where you want to meet, and I also ask for a phone number so that I can contact you on the day. It doesn’t ask for a residential address. Calendly is great as it connects with my Gmail calendar, which syncs with my phone.
I use Gmail contacts on my phone. I have used Zapier to set up a Zap to automatically copy the Name and Phone Number of every new person who books to meet me in person to this online address book and again it syncs to the phone.
Point 2 – Secure storage of Data for Startup and SME Clients
In addition to personal data, I hold a certain amount of confidential, business-sensitive information on client businesses. This information is kept in specific Dropbox folders for easy access. My understanding is that Dropbox is fully GDPR compliant. I use Dropbox (and also Google Drive to a lesser extent) as it provides a mechanism to continuously sync my two laptops, iPad and mobile phone. It also allows files to be shared with clients without using email. I don’t keep any paper files. I am happy to sign NDAs.
The laptops and mobile are password protected, and I don’t use USB drives except for temporarily copying my own copyright training materials if I am not using my own laptop during workshops.
Point 3 – Online Training System is compliant with GDPR
In 2018, I created a Thinkific-powered online training website. I have created TEN online courses to date, generally aimed at startups in Ireland. One of the advantages of Thinkific is that it is fully GDPR compliant, including management of consent.
PAYMENTS
I accept payments online via Calendly using both Stripe and PayPal, and my online Thinkific website also accepts payments using both Stripe and PayPal. I only get the funds transferred to me after fees are subtracted; I don’t get any details of the actual payment.
As I said above, there are two types of personal data that emerge in my business. The second is personal data that is sent to me by Enterprise Agencies, where I would be processing data that they have collected and have permission to pass to me in hard or soft copy.
Point 4 – Fully comply with GDPR as a Data Processor
My responsibility is to comply with the GDPR policies and data processing arrangements stipulated by the data controller, who is my customer. In advance of May 2018, I signed fairly standard documents from customers, including Enterprise Ireland, InterTrade Ireland and LEO Galway, in relation to GDPR as a data processor. The wording of those agreements runs along the following lines:
In processing personal data that we provide you, you warrant and represent that you are, and shall be for as long as you process any data, fully compliant with GDPR and any national implementing legislation and you agree:
- To only process personal data on our documented instructions, unless you are required to do so by EU or Irish law.
- Not to transfer the personal data to a recipient outside the EEA, without our prior written consent ….
- To impose a duty of confidentiality on any staff and subcontractors, where applicable, with access to personal data.
- To implement technical and organisational security measures appropriate to the risks of processing of personal data, …. the ability to ensure the ongoing confidentiality … and a process for regular testing, assessing and evaluating the effectiveness of security measures.
- To require any sub-contractor that you engage to process the personal data on our behalf, to adhere to the same obligations ….
- Insofar as possible, and taking into account the nature of processing, assist us by appropriate technical and organisation measures to fulfil our obligations to respond to individuals’ requests to exercise their rights to transparent information, access, rectification, erasure, restriction of processing, objection and portability under Data Protection Law.
- …. assist us in ensuring compliance with our obligations under Data Protection Law in regard to data security, data breach notification to the supervisory authority and to individuals; carrying out Data Protection Impact assessments and related consultations with supervisory authorities.
- At our request, delete or return all the personal data to us after the end of the provision of your services, and delete existing copies unless EU or member state law requires storage of that personal data.
My ‘modus operandi’ has always been that this data of my customers is treated with total confidentiality. It is processed as requested and then deleted from my system. No soft copy or physical records are kept beyond the duration of any contract. I do not contact any of the people listed beyond the scope of the project.