Our Most Recent Client GDPR Small Business Case Studies
In each case, the small businesses concerned had heard of GDPR but were uncertain as to what was actually required of them. Most had not commenced a GDPR compliance program but understood that compliance is mandatory and so needed a fast-start method of implementing the absolute minimum requirements to be aligned by the 25th May 2018 (and with subsequent development and implementation to the full extent of GDPR stipulations).
Quantar was approached to provide a detailed analysis of the operational aspects of each business in order to determine what each entity would be required to undertake. Some had reviewed documentation but were unable to find how it was to be fitted within their organization.
Others were unaware of the extent to which their day-to-day operations impacted upon what GDPR requires of them. In all cases, an understanding by us of their work, people, processes and data was an essential part of delivering the means to comply and how to apply it within their businesses.
This encapsulates the main issue for small businesses: awareness of the law, reading its documentation and receiving information on an ad hoc basis do not translate into an understanding of the objectives of the GDPR, which are contained within the recitals underpinning each GDPR Principle, nor of how to operationalise them in business activities.
Quantar seeks to assist U.K. small businesses in a manner that impinges as little as possible upon them, taking as little time and effort as possible away from running a busy small business – we understand!
Multi-Location Physiotherapy Clinic – London & Boroughs
The company had expanded and, with a basic understanding that the GDPR would require an initial concerted effort, had appointed a manager within the practice to act as the Data Protection Officer for all locations.
Their GDPR program consisted of the commencement of writing a list of the mandatory documentation.
Quantar reviewed activities and provided insight into what was being missed in terms of daily operations, ranging from website content, website contractors and suppliers of I.T. services, to providing all necessary documentation in both hard copy and digital versions for the company to gain a head start to GDPR compliance.
The company utilises a third party for the provision of appointment taking online and this is a common area to be addressed for this type of business (healthcare, dental, hairdressers and those businesses where a time slot can be blocked to provide a service to a customer).
The initial batch of tasks to complete the mandatory documentation for company policies and procedures has now been completed, along with small but crucial tasks, such as physical security and user access controls.
Ongoing advice via email on an as-and-when required basis has been provided by Quantar. As a result, we have been recommended to other businesses who have also engaged us for the same GDPR compliance process.
Fitness and Health Clinic – Central London
A London-based company had subsidiary companies and brands that provided complementary fitness and general health services to the same clientele. This meant that personal client data was being used across the range of services for cross and upselling.
Payments taken within one company resulted in detailed personal, health and payment data being held within the over-arching company and re-used for multiple sales purposes.
Quantar assessed how the company functioned in reality and how the data flowed inbound and outbound across the entirety of the operation. By identifying data ownership and control, the company was able to amalgamate the group into a single entity in order to continue to legally use client data for cross-selling and upselling (with the explicit consent of clients).
Additional complexity here was the frequency of customers leaving for a period to work abroad, meaning payments taken varied by country and provider. This required the company to seek the means through its payments system supplier to handle cross-border payments without falling foul of the GDPR law covering data transfers outside of the E.U.
Graphic and Web Design – South Midlands
The company was confused as to what was expected of them under GDPR and how they could comply with the new law. There was a misunderstanding as to what documents were needed and a misguided belief that, since they did not use online marketing apart from e-brochures being mailed out, GDPR was not applicable to them.
Quantar analysed the operations management of the company and discovered that they were in fact using marketing in a number of ways. They had a focus upon B2B business; however, the reality was that they were transacting with self-employed businesses, whereby the "company" data was actually personally identifiable data under GDPR.
The company has commenced documenting policies and procedures, provided by Quantar in a standard ISO format, but is still developing a full understanding of all aspects of GDPR requirements. This has resulted in ongoing support by Quantar and a further series of explanations of how the company needs to address documentation, operational and recording requirements for a long-term GDPR compliance program, as opposed to the mistaken view of it being a single-shot documentation exercise.
Cloud-Hosted Application Company – Midlands
What appeared initially to be a simple case turned out to involve several data strands, with a number of players involved in the creation, deployment and use of a cloud-hosted B2B application. On the face of it, being a B2B-facing application, the initial review presented a simple case of the company's employee data being the most crucial to manage under GDPR strictures.
However, after a detailed walk-through of the application, it became apparent that the final end users were both businesses and individuals. This change in data profile and flow meant addressing the detail of the data: where it flowed to, how and when it was stored and deleted, and how it fed into a third-party payments system.
The company mistakenly believed that, because the application was hosted by a third party along with other suppliers who were within the process chain, they were only data processors and not controllers. However, the customer data flowed into the company's database and as such they were acting as controllers as well as processors, since the data also flowed externally from the company to provide billing and delivery details of the end user (individual persons).
The company is currently in the midst of acting upon the realisation, brought to light by Quantar, that they will be acting under the obligations imposed upon data CONTROLLERS from the 25th May 2018. Quantar provided a full set of documentation (in digital form only, since the company operates a paperless policy) that is in excess of current requirements, on a "just in case" basis for them.
Additional advice is being provided over the forthcoming period.
Single Entity Sports and Soft Tissue Physiotherapy Practice – London
A small physiotherapy practice was confused by what documentation was required, having searched Google and read other companies' Privacy Notices and associated documentation.
Quantar was consulted on a number of occasions to clarify, by email in the main, what they actually needed in terms of the documents for Policies, Procedures and Records that Quantar had provided. Once examples were given as to how they should implement documentation, why, and how they needed to address certain operational issues, the path became clear and the business is nearly in compliance and shall be by the 25th May deadline (the ICO has indicated that they will provide a period of leeway for U.K. businesses to become compliant).
Small areas of the business, such as website cookies, domain locking, website SSL certification, and other small items easily missed, were picked up by Quantar and are being addressed by the suppliers to the practice.
For all businesses, Quantar seeks to provide advice, guidance, documentation and the means by which operational issues may be addressed as simply and cheaply as possible. In most cases, operational omissions may be resolved utilising accepted products that are either free of charge or have a very low purchase cost. We understand that running a small business takes a huge amount of time and effort and operates under tight cost constraints. For this reason, we also supply the means to match the requirements of GDPR through any suitable means that limit cost and time.
Vulnerable Children’s Housing Company – Bedfordshire
A company providing housing for vulnerable people, with ages ranging from minors to adults, posed a complex case for Quantar. It had so many facets to its operational activities, and personnel from overseas, that a longer than usual recommendations report was necessary simply to cover the basics of their GDPR program development.
Where persons under the age of 16 are involved with personally identifiable data, the GDPR makes a distinction between them and older persons as being special category data subjects. When such persons are also under the care of a third party who has legal representation of the individual, then there are additional issues that need to be resolved.
In this case, the situation was far more complex than for many other similar companies, since those under its charge could commence as minors, with consent being provided by the legal guardian, but later become adults, with or without holding legal authority themselves (this area has still not been fully addressed by Working Party 28 at the E.U.). Further, the housing units are staffed by non-E.U. citizens who may become U.K. citizens during the course of their employment period. This means that background checks at the outset may become an issue when each employee has their original nationality subsumed by becoming a U.K./E.U. citizen.
Each location was acting autonomously in many respects, with a consequent fragmentation of processes and loss of uniformity throughout the organization. A turnover of staff at the head office location also impacted upon record retention and the accuracy of data held within the company.
With a number of the individuals housed having criminal and/or drugs issues, this presented a case that still has a long way to go towards GDPR compliance. The greatest benefit the organization has, however, is a dedicated employee who is acting as the overall Data Protection Officer and has the ability and tools (provided by Quantar) to develop a structured and methodical GDPR program.
In this instance, the focus was clearly going to be on training staff at the multiple locations, in order to create a uniformity of policy, procedure and operation. There was a major issue of physical security and access control to be addressed, coupled with the management of external suppliers of I.T. to the company.
The sheer volume of work that will be required by this organization means that attaining GDPR compliance in the short term will be limited by resource availability. Quantar has provided documentation to the company as a means of providing a set structure for development.
GDPR has to be viewed by small businesses as being akin to any other management system, typically ISO/BS types of standards. The new law is an effective mandate for all E.U. businesses or those dealing with E.U. nationals (regardless of where they live and work) to create, implement and operate a personal data management system within their business. Taking this viewpoint can assist businesses in understanding what is required of them in the same way that certifying for ISO/BS standards has a structured and documented approach that is then audited.
Quantar provides U.K. small businesses with a set of documents in a uniform structure based upon ISO27001 (the only globally accepted information security standard at this time), with content that can be used as-is where appropriate or for editing to fit each company’s requirements.
Having this approach minimises the time and cost required to develop a GDPR compliance and management program, as well as providing the means to record its ongoing operation to satisfy regulators.
B2B Software Company – Cambridgeshire
Where a small business operates solely on a B2B basis, i.e. with no self-employed or mixed legal structures such as husband-and-wife partnerships among its customers, then the burden of the GDPR is diminished to a minimal requirement.
However, where such companies operate a website, they can suddenly be categorised as controlling personally identifiable data. Innocuous-looking email newsletter functionality on a website, the use of Google AdWords, and other marketing tools (frequently outsourced to suppliers of such marketing activities as search rankings, keywords, search terms and geographies of site visitors) can shift a company from being a pure B2B business to being a data controller.
In many cases, small businesses have functionality on their websites that they do not actually use but have been sold the idea by their web designer. In such cases, Quantar has advised companies to remove newsletter subscription functionality where they would otherwise have no data issue with their website.
The other area for B2B businesses to focus upon is employee data protection. Each company with employees potentially holds confidential data relating to name, address, telephone, date of birth, family members, bank account details, health background and previous employment. All such data is obviously a source of risk to each individual should it fall into the wrong hands.
Nowadays, it is the norm that such data is maintained on a computer that runs payroll and links with banking systems for payments, with the data travelling over a company network. In small businesses, I.T. is often provided by an external supplier. Increasingly, cloud-hosted applications are used, with the location of the supplier's servers being uncertain.
So, what may initially appear a simple B2B case can turn into a case of a company actually being a data controller for personally identifiable data. It is in such instances that GDPR compliance increases a level in the amount of time and effort required to comply, albeit less than sales organizations, for example.
With several clients to date, Quantar has sat with the relevant person (often the owner) and only during the course of discussion has a throw-away line revealed a potential/actual GDPR issue. It is for this reason that we do not simply sell our documentation packs online, but rather, we sit and discuss your business in order to fully understand and identify what you really need to be compliant with the GDPR. Understanding your business and how it operates is key to a GDPR program that is suited to your company.
London & Greater London