Many entrepreneurs think that protecting personal data is less important than their other business obligations. They are wrong, argues Clive Rich of LawBite.
Data protection is often overlooked by business owners. Most entrepreneurs plan for the year ahead by preparing budgets and forecasts, but many forget to review their legal obligations at the same time. If your business collects, stores or processes personal data, please read on: below I highlight the topics you should definitely include in your business plans for 2022.
Why data protection matters to your business
Personal data is any information relating to an identified or identifiable living individual. It includes obvious identifiers such as names, phone numbers and home or work addresses, but also email addresses and online identifiers such as the IP address of your computer, because these can be used, alone or combined with other data, to single out a person. In the UK this information is protected by the UK General Data Protection Regulation (UK GDPR).
Whether your business is a data-driven tech company or you simply hold personal information about clients, employees and contractors, this regulation sets out requirements that you must follow: UK GDPR does not apply only to so-called ‘data businesses’. If you fail to comply, you may face enforcement action and fines from the Information Commissioner’s Office (ICO), the UK’s data protection regulator.
Key obligations under UK GDPR
All processing of personal data must follow seven key principles:
- Lawfulness, fairness and transparency: You may only process personal data if you have a lawful basis for doing so, and you must process it in a way that is fair to the individual and transparent about what you are doing with their data.
- Purpose limitation: You must collect personal data only for specified, explicit purposes, tell data subjects what those purposes are, and not use the data for purposes incompatible with them.
- Data minimisation: You should process only the personal data that is adequate, relevant and necessary for the purpose you have specified. If you do not need a piece of data, do not collect or keep it.
- Accuracy: You must ensure that the personal data you hold is accurate and, where necessary, kept up to date, and you must correct or erase inaccurate data without delay.
- Storage limitation: You must not keep personal data in a form that identifies individuals for longer than is necessary for the purpose you are processing it for.
- Integrity and confidentiality (security): You must protect personal data with appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability: You are responsible for complying with these principles and must be able to demonstrate that compliance.
You must also ensure that data subjects can exercise their rights over their personal information. This means you need policies and procedures in place to deal with the following:
- Keeping them informed about how you process their personal data.
- Handling their requests to access, correct, erase or transfer (port) their personal data.
- Handling their requests to restrict, or object to, the ways in which you process their personal data.
Depending on the nature and scale of your processing, you may be required to appoint a data protection officer (DPO). The appointment is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data. If you appoint a DPO, you must publish their contact details and notify the ICO of the appointment. Whether or not you need a DPO, you must keep records of your processing activities and of the measures you take to protect personal data.
Assessing how you comply with UK GDPR
Now that you are aware of your key obligations in the handling of personal information, it is important to assess how far you actually comply with them.
This assessment should answer the following questions:
- What types of personal information are you collecting, and how?
- Do you process personal data on behalf of other parties, such as clients?
- What do you do with the personal information you collect?
- How and where do you store this personal information?
- How do you inform data subjects about the processing of their personal information?
- How long do you keep personal information, and how is it deleted at the end of that period?
- How do you keep this personal information secure?
- Do you keep your team informed about their data protection obligations?
- How do you deal with requests from individuals about their personal information?
- How do you detect, handle and record data breaches?
What to do if something goes wrong
Even with the necessary legal documents and technical controls in place, breaches still happen. A personal data breach is not only data being stolen or leaked: it also covers personal data being lost, altered or destroyed, or being accessed by someone who should not have it. If you believe a personal data breach has occurred, you should promptly establish what data was involved.
Time is of the essence and the first 72 hours are critical. Act fast to contain the breach, for example by revoking compromised credentials or taking the affected system offline. Then assess the type and amount of personal data involved and how many people may have been affected, and try to work out who caused the breach and who has received the data.
This assessment tells you how serious the breach is and what you must do to mitigate its impact. Those measures may include legal action, and you should fix the weakness that allowed the breach: reset or rotate the passwords and keys that were exposed, review whether the data should have been encrypted, and tighten access controls.
Depending on the outcome of this assessment, you may have to report the breach to the ICO. Reporting is required if the breach is likely to result in a risk to the rights and freedoms of the individuals whose data was lost, altered, disclosed or accessed without authorisation, and the report must reach the ICO within 72 hours of you becoming aware of the breach (if you do not yet have all the facts, report what you know and follow up). Where the risk to individuals is high, you must also tell the affected individuals without undue delay. Whether or not a breach is reportable, record what happened and what you did about it: the ICO can ask to see this record.
Importance of support
As I have outlined, complying with UK GDPR involves several steps. At LawBite, our data protection experts can help you work through all of them. We will guide you through the entire process to make certain that the personal data you hold stays protected and secure.