Personal information is of high value in today’s data-driven world. Ensuring your business collects, stores and uses that information in accordance with data protection laws is critical to gaining and keeping customers’ trust.
Data Protection Act 2018 requirements apply to all businesses, no matter how big or small.Your approach to compliance should be proportionate to the nature and volume of personal data you use.
To protect your business, consider:
- Customer rights.Your customers will be aware of their rights, and care about what happens with their personal data. You should understand what those rights are and have processes in place to deal with them, such as the right of access (you may have come across customers exercising this right through Subject Access Requests).
- Legal basis.You must know the legal basis for processing your customers’ data. This will depend on what is most appropriate for the type of data you are processing and what you are doing with it. Getting this right the first time is essential. Speak to us if you need any help.
- Privacy notice.Be proactive and tell customers what you do with their data and why. This is usually done by having a privacy notice on your website. A privacy notice tells your customers the types of personal data collected, where it’s sourced from, data subject’s rights, contact details for your business, details of the Data Protection Officer (DPO) if you have one, and details on how your customers can complain to the Information Commissioner’s Office (ICO), should they need to.
- Protect customers’ data.Security measures should be implemented. Which and how many security measures will depend on the type of personal data you are holding. Some examples include keeping an up-to-date asset register which lists what data you hold and where, ensuring all documents are clearly named and labelled to ensure they are not accidentally sent to the wrong person, and other security measures such as a clear desk policy.
- Review compliance regularly. It is not a ‘done and dusted’ approach and is a continual process. To avoid breaches of the legislation and the associated problems and costs, , regularly review your data protection policies and procedures, keeping them up to date with any subsequent changes.
- Data protection policies.Give yourself a competitive edge by demonstrating what data protection policies you have in place. If properly implemented, this can reduce the risk of personal data getting lost, stolen or used in ways customers wouldn’t expect. Putting the policies in place now can save you time and money in the future.
- IT security is essential. You’ll need to consider the risks that you are likely to face and implement security as appropriate (for example anti-virus software, strong passwords).
- Act fast. Know what to do if something goes wrong. Certain personal data breaches need to be reported to the ICO within 72 hours of you becoming aware of them.
- Is it personal data?Some types of data are exempt from data protection laws (for example, data relating to people who have died). Not all data is personal data, for example information about companies or public authorities as opposed to individuals who work there.
- Staff training.Staff need to understand their role in ensuring the business complies with data protection laws. Provide training during staff inductions and refreshers regularly. All staff should be aware of the policies and procedures in place, understand their responsibilities in keeping data safe and secure, and appreciate the implications of getting it wrong.
- Data protection fees.Check whether the business needs to pay a data protection fee to the Information Commissioner’s Office here.
- Seek advice.The ICO website contains a lot of useful help and guidance for businesses: ico.org.uk, but sometimes you need straightforward advice from a professional – we are here for you, get in touch with our commercial team
Take our free data protection compliance survey. It only takes a couple of minutes and you’ll receive a report highlighting any areas for improvement and guidance on how to remain complaint.
For any questions on this article please contact Karen Crutchley, Partner at Schofield Sweeney: [email protected]