More will writers' GDPR questions answered
Recently Astrid and its partner, the Society of Will Writers (SoWW), held a webinar for will writers. The Chair of the SoWW West London & Middlesex Group, Shandip Shah, interviewed Astrid’s MD and GDPR Practitioner, Gerrard Fisher, to address will writers' unanswered questions around the General Data Protection Regulations (GDPR). We address some of the more prominent questions in our latest blog…
What must will archives do to be GDPR compliant?
Archiving wills is a vital will writers’ role that ensures an original will is available as and when required. There are three main principles that need to be considered when archiving wills:
Confidentiality – will writers must ensure that nobody who doesn’t need to see a will should be able to see it
Integrity – wills need to be kept safe and error-free. In terms of hard copies, that means being kept dry and safe from vermin, fire and other hazards
Availability – those that need to be able to access the wills must be able to do so as and when required
Do privacy notices need to be physically sent to people in hard copy?
Most businesses post their privacy notices on their website and refer people to it in their documentation. The key, though, is that this information must be provided to people in a way that suits them – it comes back to the importance of transparency, a key tenet of GDPR. If your clients are not comfortable using the Internet, then it would be appropriate to send them a hard copy of your privacy notice.
The ICO is very clear that privacy notices should be written in wording that people understand, rather than legal-speak. It should explain simply and clearly why you hold people’s information, what you hold and how you use it. Every time you collect new data from people, you should explain to them why you are collecting that data and how it will be used.
Astrid provides clear and simple assistance to prepare a privacy notice. Register today to access this and other tools and guidance for small businesses.
Do I need consent to send out a customer newsletter?
There are two pieces of legislation that address consent in communications, GDPR and PECR (the Privacy and Electronic Communications Regulations). PECR aims to protect individuals from nuisance emails and requires that consent is obtained to email householders (businesses are different). GDPR is the more recent legislation and has changed what consent means – with the need for individuals to actively opt in.
The ICO believes that newsletters are direct marketing, as there is always a selling message in there somewhere. But if you are dealing with people who have bought your services in the past or engaged with you in sales conversations, then you can argue you have a legitimate interest to follow up on discussions with other areas of service. You must always give an option to opt out, though, and you can’t suddenly start sending individuals lots of emails. If you haven’t got consent, then there are other ways to deliver content, for example a Facebook page. Hard copy communications, that is those sent by post, are not covered by the legislation.
Find out more on consent on the ICO website.
Can I contact a referral from an existing client?
Will writers regularly win business through referrals so it’s obviously vital that you can continue to do so. People read about the huge fines associated with unsolicited emails going out but there’s a very big difference between that and emailing one person on the back of a referral from a friend or relative.
I believe it’s very legitimate to email that individual but I would advise that you state clearly in the first line who you were given their contacts by and that the individual had asked you to contact them. Make it really clear why you are communicating with them and give them the opportunity to opt out of further communications with you.
What do I need to do if I use a personal assistant for administrator support?
A personal assistant may handle client information on your behalf, for example when arranging meetings or filing documents. They are therefore a data processor acting on your behalf, and as such you need to have a contractual agreement in place with them containing specific terms stating that they will only handle data in the way that you have asked them to.
The risks are of the individual sharing data with the wrong people or using the data to sell other services. To protect against this, you need to have measures in place that ensure you have legal control over what they do with data and that they act accordingly.
You can hear the other questions and answers addressed by registering and replaying the webinar available from our website.
Do you want to check how GDPR compliant you are?
Register for free on Astrid’s App and take the quick GDPR compliance check – it will help you to identify what you can do to improve data protection in your business.