Data protection is one of those issues that concerns us all. How often have you received an unsolicited phone call on your private number? It’s as upsetting as it is annoying to feel that our privacy has been invaded, and that some very personal information about us could be out there.
That’s why the Data Protection Act (1998) exists to protect individuals and their personal information from being used inappropriately.
As a small business owner, it’s crucial that you understand how the Data Protection Act applies to you and the obligations you have to ensure you’re staying on the right side of the law. Failure to do so could mean a fine of up to £500,000.
The first thing you need to consider is whether you need to register with the Information Commissioner’s Office or not. For most businesses this is a £35.00 annual cost that puts you on the Data Protection Register as a ‘data controller’ – meaning you have personal data you are in control of, and you will abide by the Data Protection Act to process it appropriately.
Some businesses are exempt from registration. This may be the case if:
- you only process data for the purposes of: staff administration and payroll, accounts and record keeping, and advertising, marketing and PR that is directly related to your own business.
- your business is a ‘not for profit’ organisation
- the data you own is only being processed for personal, family or household affairs
- you only process data to maintain a public register
- no automated system is in place, i.e. you keep records manually
You can find out by using this handy self-assessment (https://ico.org.uk/for-organisations/register/self-assessment/y) which can determine if you need to register and tells you how to go about it.
Once you’re registered with the ICO (and even if you don’t need to, this is considered good business practice), there are eight key principles of data protection that you need to abide by. You may be asked to prove that you consistently act in accordance with the principles – drawing up a data protection policy specifically for your business outlining your processes and the systems you have in place is a good way of achieving this.
- All data must be processed fairly and lawfully
You must provide individuals with the name of your business and full details of how you will store and use their information. This is particularly important where it isn’t obvious how you might use the information, e.g. if it is passed to third parties such as credit agencies. It should also be made clear that the individual can access and amend/correct the information held about them at any time.
- All data must be processed for a specified lawful purpose
You cannot simply collect data speculatively; you must have a clear and lawful reason, i.e. holding the information needs to be necessary as part of running your business. This also means that data already collected appropriately can’t be used for any unlawful purpose.
- The data must be adequate, relevant and not excessive
You should only be collecting the bare minimum of information required to be able to run your business. Any information that is not immediately relevant to the purpose you specify or is more than you need, must not be collected or stored.
- The information must be accurate and up to date
Any information you do collect and store must be factually accurate and kept up to date. Depending on how big your business is, and what you use the information for, you may need to find ways of allowing your customers to check and update their details easily – a yearly data review, for example.
- The data must not be kept longer than is necessary
You should tell your customers how long the data is likely to be retained for and if you specify a time limit, ensure that the information is safely destroyed once this time has passed.
- The information can only be processed in accordance with the rights of individuals
The Data Protection Act sets out the rights of individuals as well as your responsibilities as a data controller. You need to make sure that you understand these rights and act in accordance with them at all times.
- The data must be kept secure at all times
You must take adequate steps to ensure that the data is stored securely, which means safe from tampering, loss and unlawful processing. This is where robust systems and processes need to be in place to protect you and your customers.
- The information must not be transferred outside the European Economic Area without adequate protection
This means that the data can only be transferred out of the EEA if the country it is being transferred to has adequate legal protection for individuals and their details. A quick phone call to the ICO can give you the information you need about this.
Data protection really isn’t as scary as it sounds as long as you know what you have to do.
The Information Commissioner’s Office has some very useful guides about data protection and how it applies to small business owners, along with a self-assessment toolkit (https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit/) which can guide you to reaching full compliance with the Data Protection Act.
So if you haven’t looked into Data Protection for your business, make it a priority today. A little work now can ensure your business is performing well and within the law.