I have been getting mail from a few ADIs over the last two or three months asking about GDPR: what it is and whether/how they will be affected.
GDPR – the General Data Protection Regulation – comes into force on May 25th and will replace the current Data Protection Act (1998).
The new regulation is designed to give more protection for individuals by ensuring that any information that is either volunteered by you when subscribing to a service, buying goods, joining associations, etc., or that is required by organisations is held securely and used responsibly.
For example, as an ADI MasterClass Member you have provided me with your name, email address and post-code – this is important information that could be used to identify you or, in conjunction with other information, to commit crime, for example identity theft. I have a duty to ensure that the information I hold is secure. Some companies hold much more information; for example, an ADI association could request your name, address, phone number, ADI number and more.
Information (personal data) is any detail about a living individual that can be used on its own, or with other data, to identify an individual.
Data is ‘processed’ whenever you use it. The regulations describe processing as:
“any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use or disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
This covers just about everything – for example, accessing a customer's phone number on your phone and sending a text reminder about a lesson would constitute processing data.
The GDPR is a robust piece of legislation, comprising 11 chapters, 99 articles, and 173 recitals. The good news is that you don't need to know every detail (unless you are offering legal advice in your spare time!).
Although the regulation states that organisations with fewer than 250 employees are not bound by it, the advice that I have received from the Information Commissioner's Office is that anyone who collects personal information from customers should be registered (this was in response to a specific request about ADIs, submitted with an example of the typical customer data that you might collect and store).
Any data you collect must be for a specified, explicit and legitimate purpose.
For example, it would be reasonable to hold information about a learner's driving licence details (in case of insurance issues), phone number (for contact), address (for contact) and so on, but it would be unreasonable and needless to hold information about their race, religion, diet, shoe size, marital status or anything else that is not directly related to the needs of teaching them to drive.
The information you hold must be accurate and up-to-date, and the customer has a right to know what data you hold and to request amendment or deletion. With this in mind, after someone passes the test you should ensure that they are aware that you will continue to hold their data (if that is the case) for use in marketing and to offer further services.
The regulations state: “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
These days most instructors keep customer data on their phones and/or on a computer or tablet. The data must be secure and you must take reasonable steps to protect this data from theft, loss or damage. The easiest way to do this is by ensuring that your devices are secured with a password.
If you use a shared device, for example a family computer, you should have a separate password-protected account on the computer, or a secure password-protected folder.
Some instructors still keep paper based records or scribble notes on a paper diary. These are subject to the same rules. Because it's difficult to protect physical diaries and address books from loss or theft I would suggest that it's time to stop using them to store customer information.
For example: years ago I used to keep all my customer information in a notebook – name, address, etc. If I did this now it would be totally unsatisfactory – especially if there was sensitive information about disability, emotional condition, learning issues (autism, dyspraxia, etc.), and so on.
If you must use ‘paper based’ records, I suggest that you keep separate customer information and progress records for each customer, contained in plastic sleeves (or a similar filing device). These can be secured in a lockable file box at your home or office – taken out only for lesson or contact purposes.
In reality, as long as you take a little care and follow the suggestions above, there is very little risk associated with keeping pupil records and contact data, and the data will not normally be ‘highly sensitive’.
However, there is always a risk that data can be lost. When registered you must inform the authorities within 72 hours if there is a data breach. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
My recommendation is that you consider using a cloud platform like Google Drive for reasonably secure storage – this way you are protected against losing your phone or other device and the data will be protected on a secure server. By doing this you will not have to keep copies of data on different devices and will always be able to access the info online.
Important advice: NEVER store credit/debit card details of your clients – the loss or theft of this information can result in serious problems. Never write down these details and never, ever, transmit them via email or text.
Use a third party to process any electronic transactions (PayPal, WorldPay, etc.), whether you take payments online or in-car with a card reader.
Your customers need to know what data you keep. The easiest way to do this is to include a privacy statement in your terms and conditions.
Whether you are a one-person business or a larger organisation, and whether or not you need to register, now is a good time to do an ‘information audit’ on your business.
Good business depends on good record keeping and storing information in a well organised way. My guess is that probably 20% of instructors reading this will have, at some time in the past, lost a phone number of a customer and been unable to contact them for a critical reason, for example a lesson cancellation.
Scribbled notes in diaries that leave you thinking “Where did I put her number?” are not really a good way to operate the business that pays your rent/mortgage and feeds your family!
At this point it's worth doing a written audit based on the points above. Write (and date) a brief document addressing each point and how you are/will be complying. Keep the document as a record that you have taken steps towards data compliance. This will be useful in the unlikely event of any GDPR issues later on, demonstrating that you have clear procedures in place.
Out of interest: as mentioned above, for ADI MasterClass Membership – which is operated as a separate company from SmartDriving – I keep information about your title (Mr., Mrs., Ms., etc.), first and last names, email address and postcode (the postcode is used as a unique identifier in my database and may be used for specific area-based mailing). The system also, obviously, stores your user name and password. The information is stored on a secure server.
You can see and change your data and/or change your password at:
https://www.adimasterclass.co.uk/amember/profile.php (Linked under “Your Membership Info” on the main menu).
Because all payments are processed outside the ADI MasterClass system (99.7% by PayPal), I do not see or collect/store credit card or similar payment information.
The stuff above should give you a good starting point and understanding, and might be all you need to know; however, it's easy to find more information if you need it…
Click here for a full breakdown of the requirements on the Information Commissioner's Office website (Split into easily navigable categories)
The 10-minute video below gives a simple explanation of GDPR – if you want more detail, search YouTube where you will find some full information seminars.
Have a secure week