Whatever stage of growth your business is currently at, it’s likely that as you grow you will collect, process and store more and more data. Whether that’s from your customers for marketing purposes, from manufacturers that you have a professional relationship with, or from employees as you begin to take more people on board – the amount of personal data you could be collecting is vast. So, it pays to take steps to make sure you comply with data protection legislation to protect your business’ reputation and make sure you avoid large fines in relation to data breaches.
So how do you go about complying with data protection legislation?
What is data protection, and why should your business comply?
Data protection guidelines protect the access and use of personal data where it is collected, processed and stored. These guidelines are stipulated by the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
Although the UK will be leaving the EU, during the Brexit transition period, the rules of GDPR still apply. There is also extraterritorial reach of GDPR – that means that businesses that wish to trade or provide services with the EU after Brexit will need to comply with the regulations. Guidelines detailed by the GDPR and the Data Protection Act should be reviewed together by businesses who may be handling personal data to make sure they comply.
It’s important for you, and any employees you may have, to comply with the Data Protection Act and GDPR because a failure to do so could result in a fine that could severely impact your bottom line.
How do you know what to look out for?
If your business is likely to handle personal data – that could be personal data you receive and store from customers, suppliers, and employees – then it’s likely that you’ll need to make sure you comply with the aforementioned legislation.
Keep in mind that personal data refers to “information relating to a living individual who can be identified by the data, or from the combination of this and other data which the data controller is in possession of”.
In essence, that means that any names, contact details, addresses, job titles, and dates of birth can constitute personal data. This even extends to a person’s IP address and cookies.
Whatever industry you’re in, it’s likely that you will handle personal data to some extent, so you would benefit from professional advice from a specialist data protection solicitor. This will help you identify: any high-risk areas for your business, who should be responsible for your organisation’s personal data, and whether or not you will need to create an in-depth data protection policy to help everyone in your business comply with the relevant legislation.
What do you need to comply with?
According to Data Protection law and the GDPR, you must comply with the following principles:
- Lawfulness, fairness and transparency: You should not mislead people in order to collect their personal data. Instead, you should explain the purpose of collecting their data.
- Purpose limitation: The reason why you’re collecting the data should be specific, so any new purpose for using that data should be closely connected to the initial purpose for collecting it.
- Data minimisation: You should collect only the relevant data that you require for the initial purpose of collecting the data. It should not be excessive, but only relevant to the initial purpose for its collection.
- Accuracy: All data that you collect and store should be kept up to date and as accurate as possible.
- Storage limitation: As soon as the data is no longer needed, it should be properly deleted or disposed of.
- Integrity and confidentiality (security): Steps should be taken to ensure that any personal data that is collected and processed is not susceptible to loss or damage, and the proper security measures should be put in place to protect against security breaches or unlawful processing.
- Accountability: At all times, you must take responsibility for all personal data you collect, process and store, and put the correct measures in place to ensure your compliance.
Should you create a data protection policy?
You are not legally obliged to produce a data protection policy for your business. However, putting a clear system in place could help you reduce the risk of breaches and subsequent fines brought against you.
Creating a detailed policy will help you to delegate responsibility, and depending on the extent of the personal data you collect and process, it will also help you follow a clearly laid out system. Specifically naming a data protection officer could also help you eliminate any confusion as to responsibilities and who your employees can go to with questions. To ensure compliance when creating your data protection policy, make sure you seek expert legal advice; where possible, ask your solicitor to draft it for you to make sure that it follows the key principles of data protection as outlined above.
Are there any resources for businesses on data protection guidelines?
The Information Commissioner’s Office (ICO) website is a great source of information for businesses. Here you’ll find all the resources necessary to make sure you remain compliant, and you’ll even be able to access toolkits and checklists to improve your business’s data protection policies and procedures. The ICO’s SME data protection hub is a great place to start.
Whatever route your business takes, make sure that you take the necessary measures to comply with the complexities of data protection legislation. As you progress and your business evolves, reassess the measures you’ve put in place regularly, and step them up where necessary to protect yourself from potential data breaches or unlawful processing of personal data.