Are you handling your data properly? No matter what size your UK-based business is, you are likely to be processing lots of personal information about prospects, customers, employees and suppliers every week, so you need to make sure you are looking after it in the right way and adhering to data protection laws. If you don’t, you could face hefty fines and, perhaps worse, loss of reputation and trust in your business, and increasing levels of legal action.
Data protection matters – so are you doing it right?
Here are some pointers to help you check you’re doing it right:
#1 – Understand the background to the legislation
The GDPR regulations were introduced in 2018 to provide people with more control over the personal data they give to businesses, by setting out clear rules about how companies receive, store, use, protect and erase that data.
The new regulations saw changes in two key areas: they require businesses to be far more transparent and fair about their processing, and to have a far greater level of governance and control over those processes. GDPR was originally introduced as EU legislation, but when the UK left the EU the regulations were incorporated into the UK’s Data Protection Act as UK GDPR.
#2 – Understand what personal data is
The key purpose of the regulations is to protect people’s personal data and prevent it being misused. Personal data is any data that is related to an identifiable individual, such as name, phone number, address, email address, credit card, bank account details, comments made by your staff, photos or IP address.
Businesses tend to collect a lot of it, for example when they keep customers’ contact details on file or keep a record of how many hours their employees work.
All these details could be used to harm individuals’ privacy or security, which is why it is so important that they are managed appropriately.
Personal data can also include special categories of information such as religious beliefs, medical records, ethnicity and gender, which require additional controls.
#3 – Get to grips with principles behind data protection legislation
The legislation is based on seven key principles that set out how you and your business should approach processing personal data:
- Personal data is processed lawfully, fairly and with transparency
- It is collected for specified, explicit and legitimate purposes
- It is limited to what is necessary
- Data is accurate and where necessary kept up to date
- Stored only for as long as is necessary
- Processed in a secure way
- That you as the data controller can formally evidence that you are accountable for the protection of the data
You also have a legal obligation to appropriately respond to individuals’ requests relating to their data, such as telling them what data you’re processing and why, and their requests to amend, delete or cease processing of their data.
Data protection is overseen in the UK by the Information Commissioner’s Office (ICO) which was set up to ensure organisations handle and protect data properly – you can access its guide to data protection for businesses here.
#4 – Register with the ICO
All businesses, organisations and sole traders that process personal data must register with the ICO and pay a data protection fee, typically £40-60 a year, unless they are exempt. You can use the ICO’s online checker tool to see if your business needs to pay the fee or whether it is exempt. Even if you’re exempt from paying a fee, you still need to comply with other data protection obligations.
#5 – Take charge
As the business owner or leader, the responsibility to get this right lies with you. So start by checking what personal data you currently collect, how you store it and what you use it for. Then begin looking at whether your actions currently meet the requirements of the regulations. The ICO has created a free online self-assessment checklist for small business owners and sole traders to check how well they comply with data protection law, and what else they should be doing. You can access it here.
#6 – Check your storage systems
However you collect, store and process data, whether that is on a computer, on a smartphone or in the cloud, you must make sure your systems are secure by conducting adequate risk assessments and, if need be, installing stronger security measures such as better firewalls. Many organisations also adopt industry standards for security, such as Cyber Essentials or ISO 27001.
If you are sharing data with third parties, or they are processing data on your behalf, the adequacy of contracts and the quality of their security controls also needs consideration, along with safeguards for data that is processed (transferred, viewed, stored etc) outside of the UK or EU.
#7 – Report any data breaches promptly
Data breaches can occur both deliberately and by accident. A breach might be caused by a criminal hacker attacking your systems, but it could also be caused by an employee accidentally sending personal information to the wrong person (perhaps by copying in everyone on a mailing list), by someone accidentally leaving a laptop containing personal data in a taxi, or by the business storing data in a database that has not been protected with sufficiently robust security controls.
Whichever way the breach happens, you are required to notify the ICO within 72 hours of becoming aware of it, if the individuals might be at risk.
#8 – See this as an ongoing responsibility
Adhering to data protection legislation is not just a one-off action – you need to ensure that you are staying on top of this at all times. Everyone in the organisation, from the top down, is responsible for data protection, so ensure they understand their role and provide regular data protection training for your staff.
Christian Nellemann is founder of small business telecoms supplier XLN.
Christian’s book Raw Business: A straight-talking account of what it means to be a successful entrepreneur is available to buy here.
Further reading
Cyber security and data protection for SMEs – a podcast with the experts