Are you adequately managing your data? Every week, regardless of the size of your UK-based company, you’re likely to process a large amount of personal data about prospects, customers, workers, and suppliers, so you need to be sure you’re handling it properly and following data protection laws. If you don’t, you risk receiving significant fines and a loss of reputation, faith in your company, and more legal action.
Are you doing everything you can to protect your data?
Here are some guidelines to assist you in making sure you’re doing everything correctly:
#1 – Learn about the legislation’s history.
The GDPR was implemented in 2018 to offer people more control over the personal data they supply to businesses by establishing explicit guidelines for how organizations receive, store, use, safeguard, and delete that data.
The new standards demand firms be significantly more open and equitable in their processing and have a far higher level of governance and control over those operations. GDPR was first enacted as EU legislation, but after the United Kingdom left the EU, the regulations were incorporated into the UK’s Data Protection Act as the UK GDPR.
#2 – Know what personal information is.
The regulations’ main goal is to protect people’s personal information and prevent it from being misused. Personal data includes information such as a person’s name, phone number, address, email address, credit card, bank account information, employee comments, photographs, and IP address.
Businesses tend to collect a lot of it, such as when they keep track of their customers’ contact information or how many hours their workers work.
These facts could compromise people’s privacy or security, which is why they must be handled properly.
Religious beliefs, medical records, ethnicity, and gender are examples of unique categories of personal data that require additional safeguards.
#3 – Understand the principles that underpin data protection legislation.
The law is founded on seven basic principles that outline how you and your company should handle personal data processing:
- Personal data is processed in a lawful, complete, and transparent manner.
- It is gathered for specific, unambiguous, and lawful purposes.
- It is restricted to what is required.
- Data is accurate and kept up to date as needed.
- Only kept for as long as it’s needed
- Processed in a safe manner
- That you, as the data controller, can formally demonstrate that you are responsible for the data’s security.
You also have a legal need to respond appropriately to individuals’ data-related requests, such as informing them of what data you’re processing and why and their requests to amend, delete or stop processing their data.
The Information Commissioner’s Office (ICO) is in charge of data protection in the UK, and it was established to guarantee that businesses handle and protect data properly. You can read the ICO’s guidance on data protection for businesses here.
#4 – Join the ICO (Initial Coin Offering).
Unless they are exempt, all enterprises, organizations, and sole traders who process personal data must register with the ICO and pay a data protection fee, normally £40-60 per year. You can use the ICO’s online checker to determine whether your company is required to pay the charge or is exempt. Even if you are not required to pay a charge, you must nevertheless adhere to other data protection requirements.
#5 – Take command
As a business owner or leader, you must get this done properly. Start by examining what kind of personal information you presently gather, how you store it, and what you do. Then consider whether your current actions comply with the regulations. For small business owners and sole traders, the ICO has launched a free online self-assessment checklist to see how well they comply with data protection rules and what else they should be doing. It can be found here.
#6 – Make sure your storage systems are up to date.
Regardless of how you gather, store, and process data, whether on a computer, a smartphone, or in the cloud, you must ensure that your systems are secure by doing proper risk assessments and, if necessary, installing stronger security measures like firewalls. Many businesses adhere to industry security standards such as Cyber Essentials or ISO 27001.
Suppose you share data with third parties, or they handle data on your behalf. In that case, you must assess the adequacy of contracts and the quality of their security procedures and safeguards for data processed (transferred, viewed, stored, etc.) outside of the UK or EU.
#7 – Report any data breaches as soon as possible.
Data breaches can happen on purpose or by accident. A breach could be caused by a criminal hacker attacking your systems. Still, it could also be caused by an employee sending personal information to the wrong person, such as by copying everyone on a mailing list, by someone leaving a laptop with personal data in a taxi, or by the company storing data on a database that isn’t protected with adequate security controls.
If the persons are in danger, you must report the ICO within 72 hours of becoming aware of the breach, regardless of how it occurred.
#8 – Consider this a long-term commitment.
Data protection regulation isn’t something you should do once and then forget about; you need to be on top of it all the time. Data protection is the responsibility of everyone in the organization, from the top-down, so make sure everyone understands their responsibilities and that your employees receive regular data protection training.
XLN, a small business telecoms provider, was founded by Christian Nellemann.
You can purchase Christian’s book Raw Business: A Straight-Talking Account of What It Means to Be a Successful Entrepreneur.
Additional reading
A podcast with experts on cyber security and data protection for SMEs
