Personal Data: Top tips for business owners
Personal data is the lifeblood of any organisation. Protecting this data, which in turn protects your data subjects, will lead to business growth and longevity.
Who are your ‘data subjects’?
They are your clients, colleagues, prospects, referral partners and suppliers. They are your business.
This article explains four simple initial steps you can take to protect personal data in your organisation while remaining compliant with the UK GDPR, which came into force on January 1st, 2021:
TIP 1 – Register with the ICO & pay the data protection fee.
The ICO (Information Commissioner’s Office) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Every organisation or sole trader that processes personal information needs to pay a data protection fee to the ICO. As a simple rule of thumb for whether you need to pay the fee: if you submit invoices to clients, you are processing personal data and need to register with the ICO.
The fee for a business with fewer than 10 staff or annual revenue of less than £632,000 will be the Tier One charge of £40 (£35 if paying by direct debit), and for businesses with a turnover of less than £36m and with 250+ staff it will be £60 (£55 if paying by direct debit). Visit https://ico.org.uk/for-organisations/data-protection-fee/ for further details.
TIP 2 – Understand the data protection law and regulations in the UK.
The Data Protection Act (2018) legislates how your personal information is used by organisations, businesses, or the government. The Data Protection Act (2018) is the UK’s implementation of the EU General Data Protection Regulation (GDPR).
Under the DPA (2018) everyone responsible for using personal data must follow strict rules called data protection principles. They must make sure the information is:
- used fairly, lawfully, and transparently.
- used for specified, explicit purposes.
- used in a way that is adequate, relevant, and limited to only what is necessary.
- accurate and, where necessary, kept up to date.
- kept for no longer than is necessary.
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.
The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR also applies to data controllers and data processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
TIP 3 – Build a close business relationship with a trusted data protection expert.
Always seek data protection advice from trusted and qualified sources, for example a company in your business network or the ICO.
Data protection law and the UK GDPR are very complex, and there are many different requirements for both individuals and organisations. Failure to adhere to the law, for example through a data breach, could cost a business up to 4% of its global annual turnover, not to mention the reputational damage and other costs.
Nominate a data protection officer for your business. This is someone with relevant industry knowledge who can be your go-to source of knowledge, and they should work with you proactively to promote compliance and excellence within your organisation. Data protection officers minimise risk, reduce liability, ensure legal compliance, assess the impact of decision making from a personal data point of view and are a vital cog in the growth and success of your business. They add value.
There are many financial options available to businesses of all sizes and no business should miss out on compliant, expert advice because of financial constraints.
TIP 4 – UK GDPR-compliant Privacy Notice.
Ensure you have an up-to-date privacy notice that has been reviewed since January 1st, 2021 by a data protection expert. A privacy notice is an external-facing document that communicates to your stakeholders how you are going to protect their personal data once they engage with your products and services.
A privacy notice is a company document and not a website document.
Privacy notices should be easily accessible (e.g., on the footer of your website and provided in hard copy), laid out in a clear format and structure, and contain plain and simple English.
They should be reviewed at least once every 12 months, or whenever there is a change in how the business controls and/or processes personal data. They should also be reviewed whenever data protection legislation changes (e.g., the implementation of the UK GDPR from January 1st, 2021).
Privacy notices should never be copied from a template or from the internet. They should be tailored to each organisation, taking several variables into account (e.g., special category data or international data transfers).