If you are feeling good, it is because you are thinking good thoughts

Rhonda Byrne, Author of ‘The Secret’

This page outlines the policy and practice followed by Donncha Hughes, Business Advisor, Mentor & Trainer in relation to Privacy and Data within the context of Europe’s General Data Protection Regulation (GDPR) which became law on May 25th, 2018.

Image: GDPR May 2018 (Source: Pixabay.com)

There are two types of personal data that emerge in my business. The first category is data provided by startup promoters and company representatives to assist in the provision of services. This includes direct enquiries to the business. It is where I am the data controller.

Point 1 – No requests for Personal Data from Potential Clients on my Website

I do not request any personal data on my website or offer a facility to leave an email address. Why? Because I do not have a CRM system. I do not use email marketing. I do not engage in any business client ‘retargeting’ activity. There is a contact form whereby emails arrive in my email inbox. I use Outlook. I respond to those individually and follow up as needed. My email mailbox fills up, and every three months I delete the majority of dated emails. I have an online address book which serves as the contact list for my Android phone. But the vast majority of people’s contact details do not get added to my phonebook – I would have a lot of people whom I would not be contacting again. I generally use LinkedIn to connect with people if I intend to stay in contact.

Point 2 – Secure storage of Data for Startup and SME Clients

In addition to personal data, I hold a certain amount of confidential, business-sensitive information on client businesses. This information is kept in specific Dropbox folders for easy access. My understanding is that Dropbox is fully GDPR compliant. I use Dropbox (and also Google Drive to a lesser extent) as it provides a mechanism to continuously sync my two laptops, iPad and mobile phone. It also allows files to be shared with clients without using email. I don’t keep any paper files. I am happy to sign NDAs.

The laptops and mobile are password protected, and I don’t use USB sticks except for copying my own copyright training materials when I am not using my own laptop at workshops.

Point 3 – Online Training System is compliant with GDPR

In 2018, I created a Thinkific-powered online training website. I have created two online courses to date, both aimed at startups in Ireland. One of the advantages of Thinkific is that it is fully GDPR compliant, including management of consent.

Image: Launching Competitive Start Fund Masterclass Online, Thinkific 2018

As I said above, there are two types of personal data that emerge in my business. The second is personal data that is sent to me by Enterprise Agencies – where I would be processing data that they have collected and have permission to pass to me in hard or soft copy.

Point 4 – Fully comply with GDPR as a Data Processor

My responsibility is to comply with the GDPR policies and data processing arrangements stipulated by the data controller, who is my customer. In advance of May 2018, I signed fairly standard documents from customers, including Enterprise Ireland, InterTrade Ireland and LEO Galway, in relation to GDPR as a data processor.

In processing personal data that we provide you, you warrant and represent that you are, and shall be for as long as you process any data, fully compliant with GDPR and any national implementing legislation, and you agree:

  • To only process personal data on our documented instructions, unless you are required to do so by EU or Irish law.
  • Not to transfer the personal data to a recipient outside the EEA, without our prior written consent ….
  • To impose a duty of confidentiality on any staff and subcontractors, where applicable, with access to personal data.
  • To implement technical and organisational security measures appropriate to the risks of processing of personal data, …. the ability to ensure the ongoing confidentiality … and a process for regular testing, assessing and evaluating the effectiveness of security measures.
  • To require any sub-contractor that you engage to process the personal data on our behalf, to adhere to the same obligations ….
  • Insofar as possible, and taking into account the nature of processing, assist us by appropriate technical and organisation measures to fulfil our obligations to respond to individuals’ requests to exercise their rights to transparent information, access, rectification, erasure, restriction of processing, objection and portability under Data Protection Law.
  • …. assist us in ensuring compliance with our obligations under Data Protection Law in regard to data security, data breach notification to the supervisory authority and to individuals; carrying out Data Protection Impact assessments and related consultations with supervisory authorities.
  • At our request, delete or return all the personal data to us after the end of the provision of your services, and delete existing copies unless EU or member state law requires storage of that personal data.

My ‘modus operandi’ has always been that this data of my customers is treated with total confidentiality. It is processed as requested and then deleted from my system. No soft copy or physical records are kept beyond the duration of any contract. I do not contact any of the people listed beyond the scope of the project.

Point 5 – Startup Digest Galway – Co-curator

I am neither a controller nor a processor of data for Startup Digest, an initiative of TechStars, who are fully compliant with GDPR. As one of the curators of the Galway Digest, I draft up the newsletter and submit it to admin for circulation – I have no idea who has subscribed to receive our newsletter, except if I get an out-of-office email by return. I can find out how many people read each issue if I want to.

Anyone who has previously signed up for the Digest can opt out of receiving the regular ezine. You can do this online, and you don’t need to directly email me, like someone did this week in a threatening fashion (I simply forwarded it to my Digest supervisor, who then deleted their account without any direct response to the person).

Some References:

GDPR for US Startups

BusinessAchievers.com email to subscribers: ‘Do you need to get re-consent for GDPR?’

This Privacy, Data and GDPR Policy was created by Donncha Hughes, Business Advisor & Trainer in May 2018.