chats if you would like to. And I think we can probably get started. So today, it's all about data security and GDPR. We have a brilliant expert in her field, Joe Branty, with us today to share all things GDPR with you. So there will be an opportunity to ask questions, et cetera, and pick her brains about that. And her company, JLB Business Consulting, which I'll introduce there as well. So I'm here if you need anything; pop it in the chat, and I will hand over to Joe. Thank you very much.

First things first, I'm going to launch this little poll to ask you what your current level of confidence, knowledge and experience of data protection and GDPR is. And then we'll repeat that at the end, and hopefully you've learnt something by the end of the session. So I'll give you all a couple of minutes to do that before we get started. Okay, so we've got 13 of the 15. Anybody else got an answer? One more to answer. Okay. Right, let's have a look at the results. Have you are very confident in your knowledge? And 11 of you feel like you could do a little bit more. So that's cool. Hopefully at the end of this presentation, you'll have a clearer picture or be more confident about what you need to do. Okay. So, Rachel, are you going to cover those first couple of slides?

Yeah, that's fine. Do you want to move your slides on, Joe? Oh, yeah, sorry. That's right. Also, as you know, this is series two of Recover and Rise. And it's all about customers and marketing. So we're getting towards the end of it. We've got a few more left. And then we'll be moving on to series three and four, which are about systems and productivity and growth and expansion, not delivered by us, but delivered by the other partners in the series. Okay, Joe. So we are on number five today. And then coming up, we've got measuring marks in ROI. Stu, who said today as well. And we've got the visitor economy specialist masterclass. And we are lucky to have a special guest on that one.
We're going to have the Artisan Bakehouse owner come along and talk to us about how they adopted digital during lockdown and share a real-life story. So I think that's going to be a brilliant session. And then at the end, there's an opportunity to network with other business owners with the Digital Champions, and ask any of the speakers questions on a panel event on the second of November.

Okay, so over to me. In this session, I'll just outline some of the objectives. I'm going to give you a brief overview of the data protection regulations that you need to consider for your business. I'm going to clarify what exactly constitutes data from a regulation point of view. We're going to look at the key principles and the key roles and responsibilities that GDPR introduces. We're going to look at the rights. We're going to look at some data protection best practice. And then I'm going to talk to you about two important areas, which are data breach and subject access request.

So first off, who am I? I'm aware that many of you haven't met me before. I've got 30-ish, and the ish hides many, years of commercial experience in a range of roles in project, programme and portfolio management, a very diverse background from Jaguar Cars to two e travel to TfL and the Medical Research Council. So quite broad. I've got an IT and compliance and data background. And I am now a qualified data protection officer.

So, quick facts. And this is just background so that you understand the landscape of where you fit in. 107 countries now have privacy legislation. 66 of those are considered to be developing nations. So privacy is not something just for us. 524 organisations in 17 countries experienced a data breach in 2020 while half the world was locked down due to COVID. So that gives you some sort of background that it is a global situation. Global fines under GDPR, as at when I took this stat, were 123 million, with the smallest being 28 euros and the largest being 50,000 euros.
721 complaints were upheld or partly upheld in the last 12 months by the ICO, and that was out of 1300 and something, and those are complaints around how business owners are managing data.

So, first question. Is this relevant to my business? Well, the short answer is yes. It doesn't matter how small you are. It doesn't matter whether you are an early-stage startup or more established. You hold personal data, so therefore this is relevant. Some of your businesses will also hold and manage special category data, which we will look at later, and they have even more issues and management processes. Data protection in the UK is managed by the Information Commissioner. I have put the website address there. You will get a copy of the slides later. Don't worry about writing that down. As business owners you should be registered with the Information Commissioner's Office. It costs you £40 in the first year, and if you agree to pay by direct debit you get a £5 discount, and they just send you a little reminder a month before they are going to take the direct debit. I have put the link there. You will get that in the slides later.

First things first. What are the key data protection regulations in the UK? Everybody refers to GDPR, and GDPR is an EU regulation, and when we were part of the EU we had one version of GDPR. Post Brexit we have two versions. We have the EU GDPR and we have the UK GDPR. If your clients are only UK based and you never work with anybody outside the UK, you don't need to worry about the EU regulation, because you are not targeting EU clients and you are not working with them. You can then look at just the UK GDPR. As at the moment I am stood here there is no difference between the two, but there will be changes, because I am already looking at changes that are possibly coming down the line later on. The Data Protection Act 2018 is the UK name that we gave to EU GDPR on the 25th of May 2018, when we were all going crazy about GDPR.
That is the name of GDPR on the UK statute books. Eventually UK GDPR will disappear. Now, sitting alongside that you have the Privacy and Electronic Communications Regulations. Big chunks of that are not relevant to small businesses. However, the section in there on email marketing and cookies, which we will talk about, is relevant. But everything else is more to do with ISPs and those kinds of things.

So first off, what is personal data? It is your name, your address, telephone number, email address or a combination of those. So as an example, if you are a company where there are four people called John Smith, the name John Smith does not identify a particular individual, because on its own you cannot identify which one of those four people it is. If there is only one person called John Smith in your business, it is identifiable. It is also the description. So "that old man that lives at number 15" clearly identifies an individual, and therefore that can be classed as personal data. The email address: if the email address uses the name joe.brianziat, then that clearly identifies me, so that is personal data. Now, that is really important for you to understand, because there is a lot of discussion around email marketing about whether you can do B2B marketing using somebody's personal email address, and we will talk a bit more about that as we go through, but it is important that you remember that section.

Special category data. This data requires a lot of extra looking after. We have got religious beliefs, sexual orientation or questions about sex life, health information, political opinions, criminal record, biometric and genetic data and trade union membership. Some or all of those may not be relevant in your business, but in other businesses they will be very relevant.

The next thing is, what is processing? And this is in the context of the law. What is processing? It is filling in forms. It is writing client notes. It is recording a video.
So the video that we have got here: we can all see each other's faces. There is personal data there, because your face is unique to you. Taking photos, emails to named individuals, automated decision making, so you are thinking here of things like the Tesco Clubcard, where you swipe and they collect data about your shop and they make automated decisions to send you money-off vouchers. Anything that operates like that comes into that. If you are adding, editing or deleting database records from your CRM system or your email marketing system, if you are transferring data between technical systems, if you are sharing data between business locations, if you have more than one office, all of these things are classed as processing from a GDPR and data protection point of view.

We are going to start now talking about some of the rules, and the first thing to understand is what are the key principles within the regulation for processing data. First off, you must process it lawfully, fairly and in a transparent manner. You must limit the uses of that data, and it must be limited to the explicit, legitimate purpose for which you have gathered it. What that means is, if you collect data from a customer for providing service A, you cannot automatically market to them for service B without requesting permission, because that is outside of the rules. You should minimise wherever possible the amount of data you collect. So look at the data collection forms you have. Do you actually need every single question on there? Is it pertinent at that point? You are required to keep the data that you hold about customers, past and present, up to date and accurate. So you need to have a mechanism to check people's addresses are up to date, their email addresses are up to date, all of those things. You should not keep the data for longer than necessary. So you have to think about what your data retention policy is. Now, some of your data retention rules will be specified by another piece of legislation.
For example, you are thinking about HMRC records. You have to keep your finance records for seven years. So that is the length of time. Some codes of conduct, some trade bodies might specify something different. So you are governed by those rules. But you need to think and assess what they are, particularly, I should say, for your business. You also have the principle of ensuring appropriate security of the personal data. So have you got a backup? Have you got antivirus? Have you got malware protection? Have you got user access restrictions? And various other things around securing your data. And the new one that was introduced as part of GDPR is accountability. There is a requirement on you as business owners to demonstrate how you actively manage the data in your business. So in the past people have collected data. They've sat it in their CRM system. They've not done a data cleanse. They've not updated it. And there's been no accountability for that. Now you are required to show that you monitor, manage and actively manage the processing of data within your business.

So now we know what data we're collecting. We know what the principles are. Then you have to consider one of these legal bases for processing the data within your business. The first one, consent. Have you had permission from your customer to collect that data? Now, that is most often used within marketing, I should say. So in theory, if there's a customer, they're going to give you data happily in order for you to deliver the service. But that has a different meaning in marketing, and we'll look at that later. You collect the data to deliver a contract. You have a legal obligation. So this is where you're complying with the law. So it's things like, again, HMRC, HR regulations, those kinds of things. Vital interests is where you are collecting data where it is essential to protect somebody's life.
So an employee, you might ask them about health conditions so that if they become ill at work, you know how to deal with that, or you can share that with a paramedic if something happened. Public task is something that small businesses will not ever come across. This is only relevant for local authorities, the NHS, those types of organisation. Legitimate interest. Now, this one is most commonly used in marketing, and it's always the one that is abused the most. The legitimate interest is not yours as a business owner; it is the legitimate interest of the data subject, or the individual. And when we talk about the email marketing section later, you will see how that comes into it.

There are three roles and responsibilities within GDPR and data protection regulation. There is the data controller, and every business owner becomes a data controller, because you determine the purpose and the means of processing the data within your business. So you say how you collect it, you say when you collect it, where you collect it from, how long it's kept for and all of those things. The data processor would be your staff, would be your subcontractors, your outsourced team, if that's relevant. And they process, or do things to, the data on behalf of you, the controller, based on what you tell them to do. So the controller decides, the processor does. And then there's the data protection officer. Public authorities, local authorities, the NHS, etc., must have a data protection officer. Small businesses, dependent upon their size, may not need a data protection officer. However, if you are doing large-scale systematic online tracking of behaviour, i.e. you run something like the Tesco Clubcard scheme, or you are an organisation that does large-scale processing of special categories of data, that is different.
So if you are an organisation running a health clinic, and you have a number of therapists or counsellors working for you, where they are all collecting health, wealth, well-being information, you should think about whether you need a virtual data protection officer or an on-call data protection officer to support you, because you will have additional requirements then. I've put here that it's unclear on a definitive position for the SME community. And the reason for that is that they have made some statements about whether slightly bigger companies are going to have to have a DPO based on the number of employees. There's a question mark around that, but I wanted to put that out there, because it will come up at some point. The DPO must be a senior person, or if you're using a virtual person, they must have a direct report to the senior team, and they must have the authority to say to the senior team that what they're doing is not right, and that we must make this decision to comply with the law.

So, individual rights. This is relevant to every single person on this call, not just as a business owner looking after the rights of their customers, but to all of you as individuals, as customers of other organisations too. We all have the right to be informed. So, here it's about transparency, it's about privacy notices, it's about understanding what is happening with the data that we provide or that your clients provide. We all have the right of access. So, we have the right to ask any of the companies that we are customers of to have a look at all the data that they collect and process about us, and at any point you could have a request from one of your customers to see what data you have collected about them. We all have the right to rectification.
So, this and the right to erasure are often linked to the right of access, because what will happen is, and what you can do is, you can ask for all of the data that a company holds about you, you look at it and you say, I want you to rectify these errors, and/or I'm withdrawing my consent and I want you to erase the data that you hold on me. Now, the caveat there is that you can erase some of the data, but you would never be able to erase the data relating to HMRC, or where you have to comply with some other regulation that is classified as more important. You have the right to restrict processing, so you can block or suppress processing. So, here you're thinking about the Telephone Preference Service. You can register your email, you can register your telephone number with these opt-out lists, as can your clients, and they can say to you, I do not want to be a part of this anymore. The right to data portability: your client can request that you transfer all the data that you hold on them to somebody else who is going to deliver the same service. They have that right and you have to comply. You have the right to object, as do your clients. Here you're thinking about, you can object to being part of public interest research. The obvious one is the COVID scenario. There have been quite a few people who have objected and been allowed to restrict processing, and linking it to that, their data relating to information around COVID. And you and your clients have rights in relation to automated decision making, and I've linked that here to things like loyalty cards, automation in your marketing or your processing systems. I don't know why that's happened, because it's bringing it in slowly. Sorry, that's an error on my slide. I have no idea why it's suddenly bringing all those in like that.

So, the data inventory. When you start to think about assessing your data protection status, the first task is to create a data inventory.
This identifies what data you collect and process. It identifies what software you're using to collect the data you process. It enables you to conduct due diligence on the software being used to process the data. And it evaluates where your data is being hosted. And it records who has access to your data. Okay. Apologies. So the data inventory, now that I've got all that on there, I can put it all into one picture. The data inventory allows you to assess what software you're using, what data you are storing and processing in each piece of software, who has access to it, and it enables you to look at all of the privacy policies, and you record all the privacy policies and your assessment of those. And the reason that you do this is, one, you need to know that information for transparency purposes, so that you can put this into your privacy policy. And you also need to know this because, when you get a subject access request, if you don't know where to start with collating all the data that you hold on an individual, you could spend an awful lot of time running around like a headless chicken to collate it all into one place. Quickly looking at the data inventory will tell you, okay?

So now we're going to start to look at how we apply some of these things in your business. Now, the first thing we're going to talk about is consent, because consent is really very important, particularly from a marketing point of view. If you are signing people up to a mailing list, then you know it yourself, you've signed up to mailing lists, you should be asked to consent to receive ongoing marketing materials. And in a moment, I'll show you a checkbox and we'll talk around that. But consent establishes a very high standard as a lawful basis for processing. And the control of access and consent must sit firmly with the individual. They must opt in to show consent. They cannot be presented with a pre-populated form or checklist and be asked to opt out.
And assumed consent is not acceptable either; consent must be explicit. So your clients and your contacts must give an affirmative action to prove that they have consented. And blanket consent is not enough. If you are asking them to consent to marketing activities, you've got to be clear about what those marketing activities are. So as an example, and I'll show you a sign-up form in a moment, if you want to market to somebody via email marketing, text marketing and direct mail, they have to agree to receive each of those formats. If the consent is only for email, you only need one checkbox, and they should consent to that one item. And as I'm sure you all know, within email marketing, you must offer the right to withdraw consent using something like the unsubscribe button at the bottom of your email.

So what does this look like from an email marketing perspective? So this is one that I've collected here. So you can see here that this is to access a free download. We're asking for the first name and the email. And this particular organisation has given a statement that says, "I want to receive more resources, and you can unsubscribe at any time." So we're complying with the options there. And there is an unfilled checkbox that they can fill in. So it's an active consent there. Additionally, which I always recommend, and this feeds into the transparency requirement, there's a link there, obviously it doesn't show here, but that is a hyperlink direct to the privacy policy of the organisation. Okay.

And the next step, linking into consent, is cookies, because cookies sit within PECR, the Privacy and Electronic Communications Regulations. And you need to advise people visiting, excuse me, sorry, advise people visiting your website that you are using cookies. And I'm thinking here of things like the Facebook Pixel, which you might use in the background of the website to help you target people for advertising.
Google Analytics for tracking people's movements on the website, where they come from and all those kinds of things. They all sit in the cookie banner. So for those of you who don't know what a cookie is, it is a small text file that will identify your computer to a network, i.e. the internet. Cookies can improve your browsing experience, and these will often be described as functional or essential. And those types of cookies help you to render an image or a video, or they do something that helps your website perform well, load quickly. Cookies can personalise your experience of the web. And this is where you start to get into some of those tracking cookies. But cookies can also be malicious. There are some types of cookies called zombie cookies. And if one of those lands up on your laptop, it's very difficult to get rid of them. As fast as you delete them, they'll come back. And they can also put in nasties and create problems with Trojans and viruses and things like that.

So this is an example of the cookie banner. And there are two different types here. The top one is created with a plugin on WordPress called Cookiebot. And this is perfectly compliant with legislation, because on here I've got the option of allowing or disallowing cookies. So I'm able to give my consent. Okay. So the green ticks here can be unchecked. And I've got the option to look at what cookies are there. And I can use necessary cookies only, necessary being those functional and essential cookies that make the website work properly. This here at the bottom, this is an example of a different type of cookie banner. And this was actually on a Squarespace website. And yes, this is okay. But there's nowhere here, even when you click on "read more", where I can say I don't want to accept these cookies. So I'm unable to give full consent in this instance. Okay. So next thing, I just wanted to show you a little bit about the compliance around your website.
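The cookie-banner point above, that non-essential cookies are only set after an affirmative, per-category choice, is easiest to see in code. The following is an added example, not code from the webinar or from Cookiebot: a small consent gate that treats "no choice yet" and pre-ticked defaults as no consent, records only explicit choices, and lets tracking scripts run only for categories the visitor actually ticked. The category names, the storage key and the Google Analytics / Facebook Pixel loader names are assumptions for illustration.

```javascript
// Added example: gating non-essential cookies behind explicit, per-category consent.
// Categories mirror the Cookiebot-style banner described above (assumed names).
const NON_ESSENTIAL = ["preferences", "statistics", "marketing"];

// Turn whatever is stored (or nothing) into a safe consent state.
// Anything that is not an explicit, affirmative record means "necessary only",
// so a missing record, a pre-ticked default, or a withdrawn consent all block tracking.
function normaliseConsent(record) {
  const consent = { necessary: true, preferences: false, statistics: false, marketing: false };
  if (!record || typeof record !== "object" || record.action !== "explicit") {
    return consent;
  }
  for (const category of NON_ESSENTIAL) {
    consent[category] = record[category] === true; // only a real boolean true counts
  }
  return consent;
}

// Build the record to store when a banner button is pressed.
// "allow_all" and "necessary_only" are affirmative actions in themselves;
// "allow_selection" takes the checkbox states, which default to unticked.
function recordChoice(button, checkboxes = {}) {
  const record = { action: "explicit", decidedAt: new Date().toISOString() };
  for (const category of NON_ESSENTIAL) {
    if (button === "allow_all") {
      record[category] = true;
    } else if (button === "allow_selection") {
      record[category] = checkboxes[category] === true;
    } else {
      record[category] = false; // "necessary_only" or any unknown button
    }
  }
  return record;
}

// Withdrawal (the "unsubscribe"-style right for cookies): stored so that the
// banner can show the previous choice, but it never enables any category.
function withdrawConsent() {
  return { action: "withdrawn", decidedAt: new Date().toISOString() };
}

// Run each registered script only if its category is consented to.
// Necessary scripts always run; everything else is blocked until consent exists.
// Returns what was loaded and what was blocked, so it can be logged for accountability.
function gateScripts(consent, registry) {
  const loaded = [];
  const blocked = [];
  for (const { name, category, load } of registry) {
    if (category === "necessary" || consent[category] === true) {
      load();
      loaded.push(name);
    } else {
      blocked.push(name);
    }
  }
  return { loaded, blocked };
}

// Constructed registry standing in for the real tag snippets (assumed names).
// In a browser, `load` would inject the vendor's script tag; here it just records a call.
function buildRegistry(calls) {
  return [
    { name: "session-cookie", category: "necessary", load: () => calls.push("session-cookie") },
    { name: "google-analytics", category: "statistics", load: () => calls.push("google-analytics") },
    { name: "facebook-pixel", category: "marketing", load: () => calls.push("facebook-pixel") },
  ];
}

// End-to-end: first visit (no record) loads only the session cookie;
// after "allow selection" with statistics ticked, GA runs but the Pixel stays blocked.
function demo() {
  const calls = [];
  const firstVisit = gateScripts(normaliseConsent(undefined), buildRegistry(calls));
  const stored = recordChoice("allow_selection", { statistics: true }); // marketing left unticked
  const returnVisit = gateScripts(normaliseConsent(stored), buildRegistry(calls));
  return { firstVisit, returnVisit, calls };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real site the stored record would live in a first-party cookie or localStorage under the banner's own key, and `gateScripts` would be the only place vendor tags get injected.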
And I wanted to show you this; it's not very clear here. But on the bottom of the website, I have listed the ICO registration number for my business. And I recommend it; there's not a regulation that says that you must do that, but I highly recommend it as part of your transparency and communicating that you are sort of working towards your compliance. It is, however, important to have these. And this is the other thing I wanted to show you. It's a privacy policy and the cookie policy. Now, my cookie policy is generated by Cookiebot as part of that installation of the plugin. There will be lots and lots of different ways that you can do that. That's just the way I choose to do it. And I also make sure here that there is a written address where people can write to me, and I'm thinking here of the subject access request, which we'll look at later; there is an office address where people can write to me.

I just want to put out there some best practice activities that I recommend you look at thinking about in your organisation. Share data securely using SharePoint, OneDrive or Google Drive: instead of emailing a file that has personal data in it, put it into a secure folder and share access to that folder, even if it's on a temporary basis. Now, the reason for that is that email can be intercepted anywhere between point A and B. So an email going from where I am in West London to where Rachel is in Worthy might go all the way around the world, bouncing from server to server through the internet, before it lands with her. And at any point that can be intercepted. So it is more secure if you put your file in a folder, send an email to somebody to say that the file is in our shared folder, and they can access it from there.

Strong passwords. A very interesting range of passwords I've seen over the years, including the word "password", which is the most common password used.
And that takes about 3.2 seconds for a hacker to get into your system if that's the type of password that you use. So there's a variety of things that you can do to make a strong password. Make sure that you've got a mix of uppercase, lowercase, numbers, special characters, and also think about applying those to passphrases. So as an example, I often use three random words one after the other. So I might put cat, webinar, mug. And within those words, I've changed some into ampersands. So it might be cat, webinar, ampersand, mug. And I've broken that up so that it's more complicated for somebody to try and break that. Additionally, I use a password manager, because I know how difficult it is to try and remember the password, because you've got your banking password, you've got your personal email, you've got your work email, you've got your accounts system, you've got your email marketing system, your Facebook, your Twitter, your LinkedIn. Very quickly, you've got 20 or 30 passwords, and it really is difficult to remember all of them. Don't use the same one for all of them. Get yourself a password manager. I choose to use LastPass. Other options could be Dashlane, 1Password; Keeper is another one I've heard of. And the last thing I would say on passwords is, when you go on to Google and Google is offering to store passwords for you, always say never. Do not ever just store your password in the cloud. Always put it in a password manager. Never write your passwords down, and don't leave them lying around where people can find them, because that's the easiest way for somebody to just break into your systems and take personal data.

How many of you are using home broadband? Got the router out of the box when they sent it to you, plugged it in, got it all working, and you're still using exactly the same password on that router today that it was when you took it out of the box, whenever that was? That's a default password.
You should always change the password on your home broadband router. If you don't know how to do it, make sure that you speak to your ISP, whether that's Virgin, whether it's Sky, Tesco, BT, whoever. If you don't know how to do that change, call them. They will help you to do that. The other thing to mention around home broadband is to consider setting up guest access within your router. You'll have your access, where you use all of your business data, and then you have a guest access, so anybody visiting is still using your Wi-Fi, but they're not using the same Wi-Fi channel that you are using for your business data. So you then have a little bit of security, an additional layer of security.

How many of you work in a cafe, or you work at the gym, or you work wherever, but you work away from your home base or your office? How many of you have thought about whether the Wi-Fi you're using is secure? I would advise that you don't work on unsecured Wi-Fi in the cafe or anywhere else. You could look at getting a VPN. As a bare minimum, you should be asking the cafe owner if there's a password. If the Wi-Fi is not password protected, it's totally insecure, so you should be very, very careful about using that.

Never open odd-looking emails. I had a couple last week supposedly from Microsoft requesting that I change my admin password on my system. All looked fairly kosher until you looked at the from email address, and it was gobbledygookfromgmail.com, and it was a spam email. They were phishing. The minute I clicked on that link it would have taken me through to a website that looked very accurate. I would have entered my password and they'd have been in and taken my data. Those are phishing emails. Be very careful. If in doubt, delete them and then ring the person and say, I've had a random email. Was that correct? I've deleted it.

If you're a Windows user, you will know what I mean when I say that software updates can be the bane of your life.
They start at the most inconvenient moment and they will take what feels like forever. You think, I'll just go make a cup of tea and come back? No, they're still going. It is annoying, but do run those software updates. They are very important. They are there to block errors that have been found in the code that could present a risk to your system. So always run them. It is possible on Windows to specify times when the updates can auto-run. I normally run mine now. I change the settings so that mine run overnight on a Friday, and on a Friday I leave my laptop on overnight, and then they run and it's all done.

Always do the due diligence on your subcontractors and your outsourced team members: do they have a privacy policy? Do they understand GDPR? What processes do they have in place? Don't forget that if these people are accessing the personal data in your business, you need to know that they are going to be as responsible with it as you are, because ultimately, as the business owner, if something goes wrong, you will be the one who has to have the conversation with the ICO, not your subcontractor. So it's really important to look at the due diligence around what people are doing with your data. If a lot of that sounds really complex, scary and just not the kind of thing that you want to get involved in, consider hiring an IT support company. It's a really worthwhile investment to protect your data. I do it; personally I pay, I think, about 40 quid a month, and it's peace of mind for me. I don't have to worry about any of that stuff. It's all done for me, and they advise and guide me on how to do the different things.

Thinking about what we've talked about, we've talked about some preventative measures that we can take to protect the data in our business. The reality is that data breaches do happen, even to the most careful of organisations; they do happen.
So these are some of the types of data breaches that you could experience, and then we'll talk in a minute about what we do about it. So the one that we all know about and think about when we talk about a data breach is access by an unauthorised third party. Realistically, that's not always that creepy guy that's hacking you from somewhere in deepest Mongolia or something like that. That could be unauthorised access by a subcontractor or an outsourced team member who's looking at data they shouldn't be looking at. Okay. Sending personal data to an incorrect recipient. How many of us have pressed reply all instead of reply and sent something that we shouldn't have done to 20 people instead of just two people? It happens. We're human. We make mistakes. It's just how you manage that. Computing devices containing personal data getting lost or stolen. Something I should have put on the previous slide, but I'll talk about it now, is that my IT provider has encrypted my laptop, and I also have a piece of software on there. I haven't got a clue what it's called, so I just refer to it as "wipe". If I ever lost my laptop, if ever my laptop was stolen, I could just ring my IT provider, tell him, you press the button, and my entire laptop is wiped completely remotely by him at any time of the day or night. So first of all it's encrypted, and if they are able to get past that, the data's gone, and it matches the hard drive, so the laptop becomes worthless to them. Alteration of personal data without permission. So here you're thinking about if you've got a subcontractor or an outsourced team member who makes changes to data without the permission of either you or your customer. That can be a data breach. It is a data breach. Loss of availability of personal data. So if you have a situation where your ISP collapses; a prime example would be Facebook.
When Facebook, Twitter, not Facebook, Twitter, Instagram, all of those blacked out and there was a mass outage, that is actually a data breach, and if your email systems are compromised via phishing scams, that's also a data breach.

So the worst thing has happened: you've discovered you've got a data breach. What do you do then? Well, the first thing is don't panic. The first thing you have to think about is, do I need to report it to the ICO? And the simple answer is maybe not. What you need to think about is how severe is the data breach? So is it just that I've pressed reply all instead of reply? What's the impact of that? Not a great deal. Perhaps a little bit of embarrassment on your part, but nothing significant. How many people are affected? Maybe one or two? Or is it thousands? What type of data is it? Is it just names and addresses, or is it somebody's entire health details file? And what's the impact of the breach on individuals? So here what you're thinking about is if you've had a breach of your finance records and all of a sudden all the credit card details and banking details of all your customers are out there in the wild, that's a significant breach, because the impact potentially on your clients and customers is huge. There's a risk to their financial stability. If people are able to access that, that's a reportable one. A reply all on an email? No, it isn't, okay. If you do find that you have to notify the ICO, you have 72 hours from identifying and discovering the breach, to undertake your initial analysis about severity and how many people are affected, in which to notify them, okay. And as I say, you do not have to notify them of every single breach that you have, but you must log them. So you put them on a log, every single one, and I know that sounds random, but just fill it in on your log and it shows that you are accountable and you are managing things.
If your analysis of the data breach is that it is very high risk and it is very high impact, then you must also notify the individuals whose data has been breached, right. So if your credit card details have gone, you must notify individuals. If somebody's health information has been breached, you must notify them. If you've done a reply all and you have breached somebody's name and address, you don't need to notify the ICO and you don't need to notify the individual, okay.

So, subject access requests. We mentioned earlier that these can be combined with the right to rectification and/or erasure. They can be made in any format. Some people might email, raise a request via your contact form on your website, they might telephone you, they might have a conversation with you in the course of a meeting and ask, or they might email you direct. If you're unsure what they're asking for, clarify and make sure that what they're asking is actually a subject access request. The next thing to do is to validate the requester before proceeding. Depending on the type of business or organisation you are, you may have requests for somebody's data by a third party, as an example somebody who has power of attorney; you might have a request from a parent about their child's data. Before you take time to gather all of this data together, validate that the requester has the right to have that data. If you don't and you give them the data, you're risking creating a data breach, so it's important, and don't be afraid to go back to them and say, I'm sorry, I can't give you the data until you evidence that you have the right to this. So it's a power of attorney document, possibly; it's evidence that they're a parent. You know your customers and your business better, so think about how you would validate that.
Subject access requests are time bound. You have 30 days from the initial request and/or initial validation to gather together all the data that you have to give them, redact the data so that you are only sharing data that's relevant to the individual, and get it back to them in the format that they requested. You have to record the SAR in your log and then you respond to them after you've collected, reviewed and redacted the records, okay.

Penalties. There's been a lot of talk, certainly back in 2018, about the size of fines that are issued under GDPR. However, don't automatically think that, you know, you are going to be a business that's going to be facing 20 million euro fines. There's a tiered approach. The maximum could be 20 million euros, but if your revenue in your business is 20,000 a year, 30,000, 40,000, whatever a year, you are not going to have that kind of fine. The assessment of the level of fine will be based upon whether you've adhered to codes of conduct, number of people affected, risk to data subjects, have you been negligent, is this an accident, what action have you taken to mitigate and minimize risks in your business, have you notified and contacted and spoken and dealt with the ICO within the time frame and been a willing participant in sorting out whatever the problem is. All of these factors determine the size of your penalty, but it is better to try and be as prepared and mitigate and show your accountability before you get to the point of penalty. And that's it, so I'll open the floor to questions, thoughts.

Thank you Joe, thank you so much. Very comprehensive. So we've got quite a few questions that came in during the session. I'll just take a few, if that's okay. Yeah. So the first one was, let me just go back. So yeah, could you expand a little bit more on services contacting? Where is the line with that, services contacting on a B2B basis? So are we talking here about the email marketing? Yeah, so it was my question, Joe. All right. Yeah, so, you know, so I
run a digital marketing agency, and so if someone contacts me, maybe an SEO services inquiry, yeah, and I've got the consent, right, we may contact you about, you know, similar services and products. Am I then able to contact them, say, about some of the kind of digital training? It's not quite the same service, but it is under my umbrella, limited. Sorry, get my teeth back in. If I contact you and I say I'm interested in your SEO services, right, and we have this conversation about the possibility of working together, you give me a quote or we're having discussions about that, using legitimate interest you can contact me regarding SEO training or another strand of your business. The legitimate interest there is that I'm already interested in buying your services, because we're talking about the possibility of a contract and a quote, right. So there is a legitimate interest and you could include me in your email marketing list, but you have to be transparent about that in all of your conversations, your privacy policy and those kinds of things. It's just about maybe tweaking the wording so that people are aware, and it's the transparency. Yeah, gotcha, thanks. Yeah, that's really helpful, thank you.

Okay, now let's ask a follow-on from that before we go on to a different question, Jo. Of course. Similarly, if you weren't already interacting with Stu, keep your examples, do, yeah. When can you say there's a legitimate interest to contact someone? So there's never, unless someone's given you their details, legitimate interest. And yes, I'm aware that out there there are people using legitimate interest in a very different way, and some people are stretching legitimate interest to it being about the business's legitimate interest, but it really isn't about your interest as a business. Legitimate interest is if I bought a service from you and I've paid recently, in the last, let's say, three months or so, you can go on to my newsletter list,
okay. If you've provided a quote for me, if we've been having discussions about working together, there's a legitimate interest because I've been expressing interest in your organization, in the services that you provide. If I've made an inquiry and we've had discussions, there is a legitimate interest because I'm interested in you. If I have visited your website and you have tracked my visit to your website, but I've made no direct contact with you, I have not expressed anything more than a fleeting visit to your website, there is no legitimate interest. So you meet people, let's say on social media, in a networking organization, you might think, well, there might be legitimate interest because I met them at a meeting, we had a chat. No, that's not legitimate interest either. What I advise people to do is to start the conversation, to generate the interest, and then invite those people to consent to be on your newsletter list, okay, because legitimate interest is when there is either a formal relationship between the business and the individual or in the context of preparing for a formal relationship, okay. Does that help?

Thank you, yeah. I think it's a minefield for small businesses, isn't it, in terms of how do you ever generate the clients if you can't ever go and tell someone who doesn't already work with you? Yeah, you can, but, you know, we've got all of these options. You know, there are ways, and I'm quite a stickler about it myself, and I won't, you know. People have sort of said to me, well, you should be putting these people on your list. No, you shouldn't, because, you know, it's about building relationships, because people buy from people, you know. And I know I've had conversations with coaches in the past, who I work a lot with, and they said, I've got to have thousands on my list. No, you don't, you know. Better to have a list of 400 people who are regularly engaging, regularly interested in your material, rather than lists where you're gambling on a percentage
opening them, and, you know, that sort of thing, a marketing group. But yeah.

So Jo, in terms of prospecting, yes, you do get companies out there, like, you know, lead generating companies, where they say that if the email is out in the public domain then it's basically up for grabs and you can email that company, where, you know, I presume that that's not correct. And is there any kind of prospecting that we can do? So what I say to people is, let's just say that, and I've had this conversation recently with a client, or a prospective client, who came to me and said, I've got this fab way of building an email marketing list. So I said, okay, let's talk about it. He said, I'm going to scrape 10,000 names and addresses off LinkedIn, he said, and I'm going to put them in my ActiveCampaign and then I'm going to send them. And I said, really? And he said, yeah, he said, because it's going to be great marketing, I'm going to get hundreds of sales. I said, okay, so no, you're not really. I put it out there, I'm not a marketing expert, I'm not a marketing specialist; what I'm saying now is a combination of kind of GDPR, business and what I've learned along the way. Legally, if you're doing a data scrape or if you're buying a list, you have no legitimate interest, because you have no prior relationship with that person. You have no consent, because people have not actively ticked a box or said yes, I want to receive an email from you. So you can't data scrape and then suddenly start marketing to them. Now, if you are going to buy a list, first things first, buy from a reputable organization, and then within the first 30 days of having that list you send them one email, one email, and in that email you say to them, your name and address was provided to me on a list because you may be interested in my product or service. So then you say to them, I'd like to send you marketing material, I send a monthly newsletter, I send occasional offers, etc., etc. Would you like to continue receiving these emails? And then
you put a button in there that says yes, and if they positively press that, they have consented, you can continue to email them. If they do not press that button, or if they unsubscribe using the relevant sort of button below, you cannot market to them. Now this is the risk with buying lists, because you can buy a list of 10,000 people, you don't know whether they have been matched to your business and service, you don't know where they've come from, so you don't know whether it's a compliant list. I've recently spoken to somebody else who asked a similar question about lists, and I said, well, where's that list coming from? And they said to me, well, just from them, and they've told me it's GDPR compliant. I said, how do you know? How are they evidencing to you that they've got consent?

So I think Steve might have a follow-up question. Yeah, okay. Yeah, I've got my hand up. Yeah, I don't think most small businesses will buy lists, so here's an example, okay. Imagine I've developed a bit of software that's been useful for a university to calculate their carbon footprint, for example, okay. I don't know where that example came from, but there it is. And it's been successfully deployed by Portsmouth University, it's really great, it's really helped them, you know, reduce their carbon footprint, okay. I could really do with telling this to some of the universities, okay. I then have a look at the University of Chichester's website. I then find the sustainability manager's contact details, which is probably available on the website. I would like to send them an email to say, hello, University of Chichester sustainability manager, we've just developed this for Portsmouth, but would you be interested in having a chat about it? Where does that fall? Because that's what I think about prospecting. I think that's what a lot of small businesses will do to try and... This is sales, not marketing, and I'm not talking about putting her in my email list, I'm not talking about showing her unsolicited. This is a business trying to
sell to another business. That type of one-off email, where you have gone to a website and you have been able to say, you know, you can justify and validate why there might be a legitimate interest for that individual to be aware of your product and service. Now, you do that from your Outlook or your G Suite, you don't do it from... Absolutely, yeah, personalized email. It's a personalized, it's a one-off email, and you can do that, but you've got to do it in a very sort of relationship building position rather than going straight in for sales and marketing. Absolutely, that's really answered a lot of my questions, that really does, yeah, because that felt like a grey line, but you've really cleared that up. And that was, yeah, I think quite an important point. There's a difference in email marketing and kind of that thing versus sales and relationship building. And if you're ever in any doubt about this, think about how you would feel about receiving what we very often class as spam from people who've got no relationship with us, no, and out of the blue they're just suddenly... But personalize the email and say, going on the example you've given, you know, I've been working with this university, this department, it could be of interest to you, let's chat, yeah, and take it at that level rather than blanket marketing.

And Lisa's got her hand up. Lupin has got her hand up. Yeah, I've got a couple of questions if you can just hold. Are they related to that? Are they related to Joe's question, guys? Lupin, is yours? Yes, it is. Okay, you go. Sorry to keep pushing the same point, but I was told I can get a list of businesses from the BIPC. I don't know who BIPC are. They're the Brighton and Hove IP Centre, part of the British Library. Oh, right, okay, yeah, yeah. So they have lots of databases, some in the UK, some global, and so I'm just really unsure whether an email, you know, a list of people, so on a B2B basis. That's very much what we've just said about Stu. So if you took that list
and you did individual emails to them, it's time consuming, but as part of that email you can invite them to be in your email marketing software and regular marketing, but you should not be emailing a bulk email to a list, yeah, right, campaign. So if you got this list, you first of all have to say where you've got the list from, why, you know, it's considered appropriate for you to send it to them, and, you know, then start building that relationship and say, let's talk about my product or service, rather than going in and trying to, you know, go in with that and not look at the consent and not look at the legitimate interest. It's got to be an interest in the person receiving that, even that B2B email, yeah. Does that clear it up for you? Yeah. So if I did do it in a bulk email and it was literally telling them about my product, you're saying that I could be reported for that? Well, it's again, it's kind of a what if, because is it personal data? Is it joe dot briante at, is it info at, admin at? Right, if the email address on your list is info at company name, that's not personal data and you can use those. But I guess from a marketing perspective, those kinds of email boxes are maybe managed by a receptionist, a PA, and they might not get in front of the decision maker. That's a marketing sort of question. And I think also you'd have to bcc, so you're not sharing data between the recipients as well. Yeah. All right, thank you very much.

Okay, so we had a question earlier from Vicki, who was asking, why is it with certain, we won't name entities, that they require information that they do not need to know? I don't know if it's... not so well, probably been taken. If people are asking for data that you don't feel comfortable giving and that you feel is of no relevance to the situation, as an individual then you don't have to give that. As a business owner, as we said in the presentation, one of the things that you need to think
about is how you minimize the amount of data you collect. So one of the things I do with people that I work with is I get their data collection input points and their questionnaires and all of those things, and we go through them step by step: what does that do for you, why do you need that, do we need to have that question in there? And you minimize the amount of data. Now, as an individual, if you are on the receiving end of a questionnaire or a form and you don't feel it's appropriate, don't put it in there. And if you get part way through a form and it won't let you proceed unless you fill it in, then I would go back to the organization and I would say to them, why? Why do you need this piece of data about me? Why is that relevant? And challenge them. Feel free to challenge them. It's your right as an individual, because some of what we've talked about here is relevant to you as individuals, not just as business owners. Yeah, I think sometimes it's to help them with their targeting, you know, later on, but if you, as Joe said, if you don't feel comfortable with it, then challenge it. Yeah.

So we had another question earlier from Moona: if you use third party websites to manage all your data and it is all held on their server, is the responsibility lying with you or the platform that you're using? So, oh, this is a very big one, so I'll try and make it as simple as possible. As a business owner, you have an obligation to do due diligence on the systems that you use to process personal data in your organization, right. So let's just put that statement out there. The second statement is, as a small business owner, the reality of the world is that you have very little control over certain things, e.g. Google. The majority of the data that you store in Google will be stored in the United States unless you're paying for an account and you've specifically requested for it to be stored in the UK or the EU. So therefore you are, in a way, as a small business owner, at the mercy of the big tech
companies that you are using to store and process and manage your data, okay. The best that you can do, and the words adequate and appropriate are used a lot in GDPR legislation, okay, so all you can do is undertake adequate due diligence, and what I mean by that is, Google or a big firm, have I checked their security pros, you know, documentation? On Google's website they will tell you what they do about security. Somebody like me reads those things and I can tell you that Google are very safe and very secure in their data practices. They have achieved certain standards. They are safe to store your data with, right. If you went to Billy Bob's IT firm, you don't know where Billy Bob are based, you don't know what Billy Bob's doing with the data, he's got no data security policy, he's a bit vague about what he does, then due diligence tells you to avoid Billy Bob, and if you go and work with Billy Bob then you're putting yourself at risk. So as a small business owner it is about adequate, appropriate provision that you can reasonably manage and control. Does that help? Does that answer the question? I think so, thank you. Yes, great.

So how do you... we did talk about cookies earlier and I did share a link to a guide to different types of cookies, but what it doesn't say in there is actually how do you know when you've got some zombie cookie? Do you know that? No. However, if you are using a good firewall, if you are using good antivirus, if you are using good malware, if you are regularly updating and all of those things, and you are, again, doing appropriate and as much as you can do, understand a thought, then you minimize the risk of getting them. But you can scan your website. Cookiebot, which is the plugin that I use, and I'm not an affiliate or anything, so I'm not promoting it because there's anything in it for me, it's just the one I use, that will do a scan of your website when you sign up for an account with them, and it will tell you every single cookie that you've got on your
website, and it will tell you what those cookies do, okay. Now, you will be surprised. You may have a website where you've not put any pixels, you've not put any stuff on there, but plugins automatically create cookies, and that will tell you what you've got, and then you need that information for the cookie policy. Does that help there? Thank you.

So if a user decides not to accept a cookie, can you deny access to the website? Is there any legal issue with doing that? No, not at all. You can, and I know of a number of websites that refuse access to the content on the website once you refuse the cookies, because ultimately, if you're using the cookies to track somebody's behavior for then retargeting purposes or, you know, ads, all of that stuff, I don't understand that, but, you know, you use the cookies to target and track so that you can create your Facebook ads, your Google ads and all of that sort of thing. There's no reason why you can't reject, but would you really? I mean, it may be, and again I'm playing devil's advocate here, right, because I'm not a marketer. So the law says you must tell people and you must give people the option to opt out. I personally feel that if somebody's come to my website and they want to opt out of cookies, they're still interested, possibly, in my services and things that I offer, so if I say to them, don't stay on my website, am I possibly losing somebody who's just... yeah, I think that's the only stage of interest.

I think this is related. So the person has an alcohol website, it's an alcohol, and they have to have an age gate system on it, so you have to say that in the UK, to go on the website, you're 18 or over, and he's asking whether you could have a combined one button to accept the terms of use of the website, the user agreement, as well as the cookies and the data policy. Could you do it all in one? And there might be something you can answer today for that. I'm going to make a note of that and I will go away, because I've never linked, I
would never have thought to link those two together, okay, because I think there's two different pieces of legislation there. The age gate is very different to the cookies, yeah. I'm gonna make a note of that, if that's okay, and then I'll come back to you, Rachel. That's fine, I can let him know.

So if you send a link to a secure folder, but you send that link via email, yeah, how would you recommend that they don't get intercepted? So if it's a secure link, when you send the link, and I can talk about OneDrive, I'm not as familiar with other things, but on OneDrive I create a link to the folder and I set the security settings so that it's only valid for a certain time, or, you know, there's some other security step that has to be taken before it can be accessed by that person. Again, it's not 100% secure, yeah, and I can't ever tell you that something is 100% secure, all right. It just minimizes risk, yeah. And it could be that if you're working with a client, as part of your business process, right at the beginning of the relationship you set up an empty folder, share that link to the empty folder, and future emails say, I've uploaded the file to our folder, because that's a very anonymous sentence. There's no link, so nobody can see it. It could be that that's the way you do it. That's the way I do it, yeah.

Okay, so there are a couple of questions, but just because we're losing people, I'm just going to run the poll again, if that's okay, guys. So, okay, if you can just tell us, you know, your confidence level now, now that Joe's been through everything, that would be great, thank you. Okay, I think you've definitely improved people's confidence, so yeah, well done on that, that's great. So I'll just field the last couple of questions to you. Are we... yeah, so some people aren't sure whether password manager, what do you think they're referring to? The Google one, is it actually secure enough, would you say it is? Which password manager? So they must mean the Google password manager. I
don't know anything about password manager, but if you are in, let's say, Google Chrome and Google Chrome offers to store the password, don't use that, because that is not the most secure way of doing it, okay. Like, yeah, that does go into Google password manager. So yeah, it's not the security. You've got no security. If you use a specific password manager, as I say, I use LastPass, I have to log in to that password vault and I have to do a password, I use dual authentication, and then I can access them, okay. Thank you.

Right. I'm very skeptical of whether the data on the cloud is secure or not. Is there any check that we can do on certain cloud companies? So when you're doing that, again, it's looking at their security statement, it's looking at their privacy policy, it is looking at their background, are they well known. Companies are obliged to put out on their website and tell you where their data is stored, how they're protecting it, so it's about looking at that documentation. It's the due diligence around, you know, are you using a renowned firm like Google, or are you using Billy Bob in the back street? Yeah. Okay, great, thank you.

Now, I think hopefully, Ludmy, your question has been answered now about emailing customers, and hopefully Samantha as well, because I know you said you've got some business cards, whether you can email those people. If it hasn't, then just raise your hand, that's fine. Other than that, I think really it's time to wrap up. The very last question would just be, would you recommend a particular firewall? What's the best firewall to use? Is there a plug-in, or where to press for it? I don't recommend any specific firewall. If you are using home broadband, a firewall is automatically built into your router, but do change your initial password, yeah. Because I pay an IT provider to support me, I leave all of that kind of stuff to him, so it's kind of, I know it needs to be
done, but I pay an expert for that. It's not my area of expertise. Okay, no worries.

Right, so if you wouldn't mind just moving the slides on, and I'll just quickly remind people about the support that is available following these webinars, which is the Digital Champion support from Coast to Capital. You can access eight hours of free support, and you just need to contact Coast to Capital to be able to get that. They will assign the right person for you. We've got a couple of them here today, I'm one and Lisa's still around, she's one as well, so depending on what you need support with, then you will get assigned to somebody, and you can have that whole day free of charge. So it's a brilliant service to take advantage of if you would like help implementing anything that you've learned on this webinar or another webinar as well. We've got a couple of webinars left in this series that I did mention at the beginning, but as it's half past one I will let you all leave and get on with your day, and just thank you so much to Joe for a brilliant session on something which is a really complex area and can be really dry sometimes as well. Thank you for coming along, and thank you to everyone today for coming as well. Thanks Joe, really informative, and yeah, some important questions answered. Good, good, I'm glad. Thank you, thank you, take care. Thanks. Bye bye, Joe.