Practical Tips for Ensuring Your Business Meets Data Protection Standards

The 28th January is Data Privacy Day, so I thought it would be a good opportunity to delve into data protection standards a bit more. I know, boring, right? It can definitely be pretty dry, but it is also a really important thing to think about if you’re a business owner, because it’s your responsibility to be aware of it. So, if you want some practical tips on making sure that your business meets data protection standards, avoids data breaches and stays fine-free, read on!

What are the key data protection rules businesses need to comply with?

If your business stores or uses anyone’s personal information, it is essential to follow the data protection rules set out in the UK GDPR and the Data Protection Act 2018. This applies to any details about both your staff and your customers/clients. Examples of processing personal data include storing customers’ addresses, using previous customer information to inform your marketing strategy and storing CCTV images/videos.

The data protection rules state that you must keep any information you hold about an individual secure, accurate and up to date, and that you must not keep it for longer than you need it. When you collect an individual’s data, you must tell them who you are and how you’ll be using their information, including whether you intend to share it with other organisations. You should also tell them about their rights: they have the right to see any information you hold about them (and to have it corrected if it’s wrong), to ask you to delete their data, and to object to your using their data for certain purposes, such as direct marketing. If a client (or member of staff) exercises any of these rights, you must comply with their request or risk facing penalties.

Do I need to tell anyone that I am processing personal data?

As a business that stores or uses anyone’s personal information, you are generally required to register with the Information Commissioner’s Office (ICO) and pay the annual data protection fee, unless an exemption applies. What you pay depends on the size of your organisation and what you process; the ICO website has a short self-assessment that tells you whether you need to pay and which tier you fall into. From the ICO website:

“The cost of the data protection fee depends on your size or turnover. There are three tiers of fee - £40 (tier 1), £60 (tier 2) and £2,900 (tier 3), but if you pay by direct debit, you’ll get an annual discount of £5. Most organisations pay £35. VAT is nil.

Some organisations fall within the lowest tier regardless of their size and turnover, namely charities (including schools with exempt charitable status and Multi-Academy Trusts) and small occupational pension schemes.”

Once you’re registered with the ICO, your ongoing obligations are modest: the fee is renewed annually, and if your business suffers a personal data breach that is likely to result in a risk to people’s rights and freedoms, you must report it to the ICO without undue delay and within 72 hours of becoming aware of it, which you can do via their website. You should also keep a record of every breach, even those you decide do not need reporting. Although it can be tempting, as a small business that is not processing high volumes of data, to skip registration and the fee, the ICO can issue a fixed penalty for failing to pay when you are required to, and being registered in the right places protects you and your business. The ICO is also able to provide advice and guidance on all things data protection.

What systems and processes should be in place to protect customer data?

The systems and processes you need will vary depending on your business and what level of personal information you hold about customers or staff members. In general, you need to consider how and where you’re storing personal information so that it is kept safe and is only accessible to those who need to access it. Having a good CRM system in place within your business gives you one place to store all of your clients’ personal information, with access controlled by role and a record of who has looked at or changed what.

Beyond the basic cyber security measures (strong, unique passwords on your devices and accounts, multi-factor authentication wherever it is offered, device encryption, keeping software updated and locking your device whenever you step away from it), you also need to remember data protection when dealing with physical records. If you are printing or holding any physical records of individuals’ personal information, first consider whether you actually need them. If you do, make sure you have a secure way of storing them, e.g. a locked filing cabinet where only those who need access have a key, and shred them once you no longer need them.

You also need to have a process in place to respond to a subject access request, if a client or member of staff asks to see what information you hold about them. You must respond without undue delay and within one month of receiving the request (extendable by a further two months only for complex or numerous requests), so it helps to know in advance where all of an individual’s data lives and who is responsible for gathering it.

What are the consequences of failing to meet data protection rules?

The ICO website states that “for serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.” Although this number sounds scary, it is important to remember that it is reserved for serious breaches. The ICO has a range of enforcement tools and will usually start with warnings, reprimands or enforcement notices requiring you to fix the problem; a penalty notice (an administrative fine) is normally the last resort.

The consequences of failing to meet data protection rules go beyond the financial penalties. A breach of data protection rules can also lead to reputational damage for you and your business and result in a loss of trust from your clients. Even if you aren’t issued with a financial penalty, a breach can cause your business to suffer and, in some cases, struggle to recover for these non-financial reasons alone.

How can businesses stay up to date with changing data protection regulations?

Like many things, data protection regulations change, and as a business owner it’s your responsibility to stay up to date with those changes. To make sure you’re aware of any updates, you can subscribe to the ICO newsletter on their website, where they share relevant news and you can specify your industry type and interests. It’s also worth looking for industry-specific organisations that can provide you with industry-focused updates. You can also attend webinars and online courses to keep yourself aware of the current rules. If you’re reading this on the day I post it, the ICO are hosting a Data Protection for Beginners online webinar on Tuesday 28th January, and you can register for a place on their website.

My Final Thoughts…

Although it’s a big and sometimes scary topic, data protection is so important, especially for a service-based business. It’s essential to manage your clients’ and staff members’ data safely and securely to avoid any data breaches. It’s your responsibility as a business owner to register with the ICO and keep up to date with any changes to the legislation and regulations. If you have any questions or you need some advice or guidance, the ICO has a catalogue of support and an online chat service to help organisations.

Please bear in mind that this information is focused on the United Kingdom and is based only on my own research. Please do your own research on this and on your specific business needs!
