Data protection is a serious business. How companies receive, store, protect and erase data, especially the personal information of their customers, clients, suppliers and staff, is governed by strict legislation. And while the Information Commissioner’s Office (which handles all of the UK’s data protection cases) has often been derided for the seemingly paltry fines slapped on large corporations for major transgressions, if a small business is caught on the wrong side of the law, the financial and reputational consequences could be devastating.
Electronic storage makes data easier to collect, organise, store and back up, but it also makes it more vulnerable than ever. Not only is it at risk from electronic as well as physical theft, but the adoption of mobile devices and cloud technology in recent years means there are more places where data is stored (many of which are carried around in public) and more opportunities for criminals or human error to intervene. Just because you’re a small business doesn’t mean you can assume you won’t be targeted by criminals, or held responsible and punished for lapses and data losses, so it’s your responsibility to know what your legal obligations are.
Why data protection is important
One business that’s learned this the hard way is London sole trader Jala Transport. As reported in the news recently, when a laptop was stolen from the business owner’s car, an external hard drive containing the financial details of approximately 250 customers was in the same bag.
Although the drive was password protected, the data stored on it wasn’t encrypted and so personal details, including customer names, dates of birth and scans of their identity documents, could all be accessed relatively easily by hackers and potentially used to commit identity fraud.
For its negligence, Jala was fined £5,000, although it had initially faced a penalty of £70,000. Jala’s finances and the fact that it had reported the data loss to the authorities were both factors in the reduction, but the Information Commissioner’s Office used the case as a potent warning to others.
This should serve as a wake-up call to SMEs that data protection is a serious responsibility and business owners must take steps to stay on top of it.
Data protection law
In the UK, the Information Commissioner’s Office is the independent authority set up to “uphold information rights in the public interest” and ensure that organisations handle and protect data properly.
To stay within the law, a company must first adhere to the ICO’s principles of data protection. These principles cover the entire data lifecycle, from how it is obtained and stored, to how it’s protected and eventually disposed of. There are also rules governing what data you are allowed to collect and how long you should keep it for.
The net these rules cast is extremely wide, and could potentially cover virtually any action which is carried out on a computer, so the first thing to do is read the ICO’s guides and identify whether your company is being compliant.
Depending on the data that’s being collected and how it’s being used, some companies have to register with the ICO. This costs £35 a year, but be warned: there are agencies that offer to do this on your behalf and may claim it costs more. Often the best course of action is to deal with the ICO directly. To help you find out whether your business needs to register with the ICO at all, or is deemed to be exempt, the ICO has put together a 15-question self-assessment test.
The ICO has also produced a checklist tailored specifically for small businesses. It can be downloaded here, and walks you through the process, step by step. From deciding if you really need the information you’re collecting, to ensuring customers are aware they’re being recorded by CCTV, the checklist helps you assess how your business is currently collecting and protecting data and where improvements need to be made.
As the incident with Jala Transport shows, how your data is stored electronically should be a key concern. Properly encrypting personal data is vitally important, and in many ways it pays to be over-cautious and encrypt wherever possible. For example, when Sony’s PlayStation Network was hacked in 2011, the personal details of around 77 million accounts were stolen. Whilst Sony insisted that all credit card data was securely encrypted, other customer data, including usernames and passwords, was not. As one of the world’s most well-known technology brands, Sony was fined £250,000 by the ICO for putting such a large amount of its customers’ data potentially at risk.
Choosing where to store your data is also an important consideration. Backing up your data is good practice, but so is ensuring the backup is as secure as the original. When syncing your storage across multiple devices, including mobile technology, consider whether customers’ personal data really needs to be shared this way. It most likely doesn’t, and if just one of these devices doesn’t have the proper security protocols installed on it, then you’re in breach of data protection laws. Mobile and portable devices are also more at risk from loss or physical theft, as was the case with Jala Transport. The emails on your BlackBerry, for example, could contain sensitive data that, if lost, could result in a breach of data protection laws.
Finally, once you’ve implemented proper data collection and security protocols, it is essential that all of your employees know exactly what their responsibilities are too. Explain to them the importance of data protection and what constitutes a breach – disclosing customer personal information over the telephone, for example.
Whilst this may sound like a lot of work, the consequences of breaching data protection law are far worse, and can damage both your company’s reputation and its bank balance. However, taking action and ensuring you have the proper measures in place shows your staff, customers and the ICO that your company takes its responsibilities seriously and has the organisational skills required to protect data properly.