GDPR made easy for counsellors: Part 4

  • By Karen Emery
  • 02 Feb, 2018

Privacy statements

So hands up who has had that annoying call about their recent car accident that apparently they’re due some compensation for? Who’s been rung by a company and wondered how they got hold of your data? It’s just plain annoying, isn’t it?

Often you may have inadvertently completed the tick box incorrectly.

·        Are we ticking to say yes, share my data?

·        Crossing X to say yes, share my data?

GDPR asks for transparency in what we are planning to do with people’s data and that we are honest and tell people what will happen to their data.

Consent is about real choice and control over how we use people’s data.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

Privacy statements checklist

What to include

·        Controller’s name (this is your business name)

·        What personal data are you asking for?

·        What is the reason you are collecting the data, e.g. what are you going to use it for?

·        Is there a chance you may share their data?

·        Who might you share it with and for what lawful purpose? https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-bas...

·        How will you store their data?

·        How long will you store their data? (Be clear the time frame is from when counselling ends, and for children from when they turn 18.)

·        Disposal - How will you dispose of the stored data?

·        April update: What are their rights as an individual? https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

·        April clarity: this is IF consent was your lawful basis. Make it as easy to withdraw consent as it was to give it.

KEY IMPORTANT POINT: when using consent, explicit consent must be confirmed by positive action. So people must positively opt in, and GDPR specifically bans pre-ticked boxes.

ICO says ‘Keep consent separate from your terms and conditions’

The consent question therefore must be on the form you are collecting their personal data on and at the point you collect data. Having it separately on the contract form isn’t suitable, as this is a statement of fact, not data collection.

ICO says ‘Keep clear evidence of consent – who, when, how, and what you told people.’

We keep the basic client contact sheet anyway and we will have a signed copy of the client information/contract.

You could simply include a question at the end of your privacy statement.

Do you consent to me using your data in this way ……….

The gap allows them to type yes and then ask them to sign in your session. If you work online or electronically, consider how you already obtain your client’s agreement to your contract.

April clarity: your privacy notice is at the point of collecting data anyway, as you’re being open and honest about what you plan to do with their data.

Children’s consent

Parts of GDPR guidance are still in production, so there is currently a consultation running until 28th February.

https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/children-and-the-gdpr-guidance/

And finally, give them details of the ICO should they have any concerns about how you have used their data.

Privacy statement example

A tongue in cheek sample that demonstrates the application of the principles required.

Counselling in notts is collecting your phone number for the purpose of inviting you to a party. It may become necessary to share your data for the lawful reason of taxi sharing. I will only share your number with the 5 other people invited to the party. I will store your number in my secure locked storage and will store it for 2 weeks for the purpose of planning another party. If after 2 weeks we have decided not to organise another party I will dispose of your number as confidential waste.

April update: Under GDPR you have rights as an individual which you can exercise in relation to the information I hold about you. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

April clarity: IF you’re using consent as your lawful basis: Do you agree to me using your data in this way? Decision ……….. Signature……………… Date............................

If you wish to remove your agreement to my use of your data at any point, please let me know by phone………… or email……………..

If you have any concerns about how I have handled your data, you can complain to the Information Commissioner’s Office ICO@.........

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

April clarity: If you’re collecting data for marketing stuff, e.g. an email distribution list for future CPD events, there aren’t many lawful reasons other than consent (tenuous - legitimate interest).

April update: Updating your website’s privacy notice

Don’t forget your website privacy notice will need a review in light of GDPR and an update.

Your website collects personal data, from IP address to email address from your contact forms.

If you want an example, check out the ICO website; theirs clearly will be compliant. It too is getting an upgrade for GDPR: https://ico.org.uk/global/privacy-notice/

It’s important to remember the website privacy notice is about what information your website collects and stores as well as your wider business GDPR information.

So it will be part techy bits, part data collection (the type you’re used to).

Give details of how your site uses (if it does):

·        Use of cookies

·        Use of website analytics - e.g. shows number of website visits etc.

·        Google Analytics

·        Any plug-ins you have, etc.

·        Links to third-party sites

Then review what you collect via the website in terms of personal data from contact forms/buttons and tell people in the notice.

Site contact forms / contact me buttons

·        What information do you collect? Is it relevant, adequate and necessary?

·        What do you do with this data? How long do you keep it? In theory you may only keep their contact information gained from the website for, say, 2 weeks while you are in correspondence to arrange a counselling session. You’ll then be completing your new contact form with the new GDPR privacy statement anyway.

·        Do you share it with anyone?

·        What are their 8 rights?

·        etc. etc.

***Double, double check: does your website provider store any information from the contact form? (You’ll be amazed.) If they do, ask them what their lawful basis for doing that is. Big hint: there isn’t one.

The privacy notice should be available on every page in case I only go to your blog page, so it’s normally in the page footer.

If you have a marketing contact form, e.g. blog update or newsletter, people should be prompted somehow to read the privacy notice so they are giving informed consent when completing the contact form. You’ll know how your site works, so maybe a hyperlink to the privacy notice on the contact form with a yes or no button to agree to the notice.

April update: Consent for distribution lists

For those of you that have 100s on your distribution lists and are worried you will lose them.

Ask yourself: has everyone on that list asked to go on it? Were you totally clear what you would be using their email address for when they signed up?

Who has run a training workshop and, since you had their emails, casually popped them on your distribution list so you could send them details of all your and your friends’ future training? Mmm, perhaps they didn’t consent to that…

So the ICO doesn’t say you have to get rid of these lists. Don’t panic: it asks you to review the transparency and consent you used at sign-up. It may comply. So OK, who am I kidding, quite a few probably won’t comply.

You’ll need to contact the list, give details of the list they are on and what it’s used for, and ask for their consent to opt in to remain on that list. Remember, GDPR is all about informed consent.


Next step on your GDPR journey: review your existing privacy statements and ensure explicit consent. If you’re already in private practice and haven’t been using privacy statements - let’s gloss over that quickly while you hurriedly write one.

 See you Monday for 8 rights of the individual.

 
