So you’ve had a busy weekend reviewing the data you hold and working out if you’re a data controller or data processor.
Now I’ve reviewed mine, and everyone works differently within their counselling business, so I’m going to take a wild stab in the dark at some of the options for how you all work. Let’s see how I do; I bet I miss some.
Client contact information and notes
Basic contact information sheet, paper based, completed manually in session
Client notes, anonymous, paper based
· Do you store these securely in a locked item within your locked house or your sole use room?
· Under GDPR, anonymous notes are classed as personal data and should be treated with the same respect, as they are linked to the client’s basic details by a code, letter or number. This may be really obvious, but I’m just going to say it anyway: this is a different locked item to the one you use for the basic information sheets.
Basic contact information sheet, sent and collected by email, then printed off for paper storage.
· Do you delete the email from your inbox, and then from your trash, once you have printed it off and stored it as above?
Basic contact information sheet stored on your computer.
Client notes stored on your computer
· Is your computer password protected? Is it used just for work, or do the kids etc. have access to it? Either way, the files themselves should always be protected on it: a password as a minimum. Encrypted would be the gold star protection; check out WinZip to password protect and encrypt.
· Instead of a computer, do you keep all files on an encrypted memory stick anyway?
· Do you securely store your encrypted memory stick, if only so you know where on earth you put it?
· Do you move your notes and slimmed-down basic information onto an encrypted memory stick for the x yrs you keep it all, as a business continuity back-up while still following data protection? A lot can happen in x yrs to your laptop. There are a lot of cups of tea that could be spilled.
Basic contact information collected by email and stored in an online filing system
Client notes stored in an online filing system.
· Do you know the online system is potentially a data processor for you, since they are doing something for you with the data, even if it is just storing it?
· Have you checked that the website or app package you use is GDPR compliant? All the good ones will have a statement for you on their GDPR compliance. It’s your responsibility to be clear on the compliance of the processors you choose to use.
· Do you know if the company that runs the website/app is based outside of the EEA? Remember the 8 principles of data protection from blog part 2b?
The code document that records which client is number 1801, the one that lets you link client and notes.
· Clearly it’s separate from the basic info and the notes. Is it securely locked away or electronically password protected?
Emails from clients: there’s generally no need to keep these, but have you deleted them from your email system?
Texts from clients: there’s generally no need to keep these, but have you deleted them from your message history?
Personal data from people other than clients
For those of you branching out, do you, or may you:
Collect my email address for mailing out your blogs
Collect my email address for sending me business emails
Collect my email or address for sending me training/workshop information
Collect my email or address as I’m booked onto your training.
Remember just because I’m not a client, you’ve still collected information that can identify a living person.
However, me just emailing you to ask you a question is me just emailing you to ask you a question. You haven’t actively collected it, but what you could get up to with my email address is the next BIG QUESTION.
Next step in your GDPR journey: are you honest and transparent about what you plan to do with the personal data you have collected from me?
See you Friday for privacy statements.