
Proving your identity and GDPR

One of the many aims of the GDPR (General Data Protection Regulation) is to improve the security of how data on individuals is collected and to reduce the amount of unnecessary information stored on us all.

 

Many organisations require proof of identity (ID) in order to provide you with a service. From banks to bookkeepers, from IFAs to accountants and solicitors, from landlords to building societies, there is a whole raft of people who want to see your ID. It's not because they are nosy or nervous; it is because an increasing number of laws mean they have to have proof of who you are (and sometimes even your immigration status) before they can offer you a service.

 

Do you need to share your passport? 

The Information Commissioner's advice to individuals is that 'less is more': to reduce the risk of identity theft, it is not wise to share information about yourself (https://ico.org.uk/your-data-matters/identity-theft/). Sending your passport or driving licence to an organisation can put you at risk if you (and they) don't know what you are doing. You can be putting a lot at risk.

We still hear of people sending copies of their ID documents through the post, or just attaching them to emails.

We have heard tales of passports being photocopied and left in unlocked filing cabinets. 

 

Before you share your ID 

Before you hand over documents to confirm your identity, ask the organisation for:

  • confirmation of why they need this information (legal basis for processing) 
  • a copy of their data privacy policy 

The data privacy policy should let you know how they intend to store your ID data, how they will secure it and when it will be deleted. It is really important that ID confirmation data is kept within a small group of people who really need to see it. Many organisations share this information too widely, and the risk of loss increases with the number of people who have access.

  • Ask for a secure method of transmitting this documentation to them 

Ordinary post or email is not secure, and anyone who asks you to use them has not made a proper assessment of the risks involved for you.

 

If you can't get any clarity on this, you may want to think long and hard before sharing your ID with an organisation that has no idea how to proceed. You may be able to find service from someone who is more on the ball for data security.

 

If you are holding ID information 

If you are holding ID confirmation data, it should be securely locked away and access restricted to only those people who need to sign off that the identity has been confirmed or to report to a regulator that this has been done. There is no need for people providing the day-to-day service to have access to these documents.

You would be wise to encrypt the data, so that even if someone without permission gains access to your systems they cannot read the files. 

If you need to send this data on to another organisation, you should make sure you have permission to do so before you transmit it, and make sure you have a secure method of transmission.

Set up a secure email or online portal for receiving documents. You may have to educate some of your clients on how to use them, but it will be worth it in the long run. Clients can be the biggest hazard to their own data security, but that does not mean you don't have to set things up properly in the first place.

 

Is big brother watching you? 

You should be extremely careful about storing ID-related data in other countries. Not all countries have appropriate data security standards, and even the USA is under fire from the EU over the level of government snooping permitted without a warrant.

If you are a frequent global traveller, the chances are your data is already stored in the USA, but if you have not travelled recently with an airline you can ask to see what personal data they hold on you and for your ID to be removed.

 

Identity is valuable 

While we all like to imagine nothing will ever happen to us, anyone who has ever suffered from identity theft will tell you how difficult it can be to set things right. People steal ID-related documents for a reason, and that reason is to access your money or to set up fake accounts in your name and profit from doing so. If you treated your ID documents as if they were a thousand pounds in cash, you would never just put them in the post or send an open email to a friend saying where they could pick up the cash. If you start to think of ID data in the same way, it will set you on the right path.

If you are holding ID data for your customers (because you have to), remember to think of it as them lending you a thousand pounds in cash. Don't leave it lying around where team members who have no business with it can see it and pick it up. Don't post it on to other organisations in unsecured mail. Keep it secure and don't keep it longer than you need to.

Annabel Kaye
