The Foundations of Data Protection for Small Businesses

The Foundations of Data Protection for Small Businesses

I know data protection and business compliance sound like nightmares and time-consuming tasks. However, putting the foundations in place can significantly benefit your business. Regulations don’t stop you from doing things; they amend how we do them.

I know everyone keeps saying you need data protection because it is a legal requirement, but being data compliant is so much more than that. Having the systems and processes in place to ensure data privacy compliance has several benefits

  • It builds customer (and employee) trust. Customers are likelier to trust and engage with businesses prioritising their privacy and data security.
  • Competitive advantage: Customers are increasingly more privacy-conscious, and having systems in place can differentiate your business
  • Reduces the risk and impact of data incidents and breaches
  • Foundation for growth

Understanding Data Protection Laws

In the UK, data protection or privacy is regulated by three main regulations: the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Privacy Electronic Communications Regulations (2003).

The laws are designed to safeguard individuals’ privacy rights and ensure that data is collected, processed (used), stored and disposed of securely and lawfully. The fundamental principles and the Individual’s (data subject) rights are essential.

According to Article 4 of the GDPR, personal data is any information related to an identified or identifiable natural person. In other words, personal data is any data linked to a living person’s identity.

Personal data is funneled into two categories – those that control the data and those that process the data (controllers vs. processors).

Steps Towards Compliance

1. Know all the data your business collects

Review the data you collect within your business activities and procedures by doing an audit.

From the audit, create a comprehensive map of your data usage and any records of processing activities. Ensure you include all areas or departments engaged in data processing. This typically includes HR, recruiting, marketing, business intelligence, accounting, development teams and technical support. Mapping out your data allows you to assess the risks with your current data handling procedures and figure out new measures to address them best.

2. Risk assess your data requirements

Organisations should only collect essential data to be GDPR compliant. Accumulating sensitive data without a compelling reason will signal alarm bells for the supervisory authority monitoring your compliance.

All data requirements should be scrutinised through a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA). These impact assessments are mandatory when the data collected is highly sensitive.

I know, I know. PIA and DPIA sound the same, but there are some subtle differences. A Privacy Impact Assessment (PIA) is all about analysing how an entity collects, uses, shares, and maintains personally identifiable information related to existing risks. A Data Protection Impact Assessment (DPIA) is all about identifying and minimising risks associated with the processing of personal data. They are both different forms of risk assessment.

The Information Commissioner’s Office has created a DPIA template that can be used as a guide for data protection assessments. This template provides a deeper context into the activities that require a DPIA to help you decide whether your particular processing activity requires an evaluation.

3. Data incident and breach reporting

An incident or breach is any negative occurrence that impacts data protection or security. This term encompasses various situations, from those typically addressed by IT service desks to broader business continuity issues. Such incidents can involve both digital and physical records and range in severity from minor, affecting a single individual’s data, to major, impacting millions of records.

Incident reporting serves as a mechanism for notifying relevant authorities about any abnormal event, problem, or situation that might result in unwanted outcomes or breaches of established policies, procedures, or norms.

Breaches fall into three main categories:

  • Confidentiality breach: Unauthorised or accidental disclosure or access to personal data.
  • Availability breach: Unauthorised or accidental loss of access to, or destruction of, personal data.
  • Integrity breach: Unauthorised or accidental modification of personal data.

No matter whether it is an incident or a breach, it needs to be reported internally and risk assessed to determine whether it needs to be reported to the ICO. If required, the report to the ICO must be done within 72 hours.

4. Data Protection transparency

One of the fundamental principles is transparency. This means you must clearly explain how you collect personal data from users on your website or through business interactions. You must ensure a privacy policy, cookie policy, and user-friendly guides explaining how you handle your users’ data. We offer a Website Bundle, a standardised solution consisting of a Privacy Policy, Cookie Policy, Terms of Use, and guidance on ensuring a legally compliant website. For B2B startups, it also includes Data Processing Agreements to protect the data of client companies.

5. Ensure policies, procedures, and processes are in place

Based on the results of your data assessment, it is recommended that you start creating relevant data protection policies, which include security policies and a new set of procedures for addressing data requests from your users. From a technical perspective, your policies should ensure that each data operation has protective measures to prevent breaches. These measures should also control access to the data, for example, by implementing two-factor authentication to prevent unauthorised access. If necessary, you should encrypt and mask the data and use antivirus and firewall software to help you monitor any threats to your data security.

6. Implement training

Human error is the number one cause of personal data breaches, so start building a privacy culture in your company. Familiarise your employees with basic privacy concepts and train them to perform their data protection compliance and information security duties.

7. Set up data processing agreements

It would be best to manage relationships with partner companies that receive your customer data and work with them using appropriate data protection agreements. Another critical point is international transfers: if your partners or suppliers are located in another country, this will require additional contractual safeguards to ensure the proper handling of client data.

8. Appoint a privacy professional

Last but not least, consider whether you need a Privacy Manager or a Data Protection Officer, a professional who oversees data protection compliance within the company. An internal employee or an external contractor can perform these roles. Learn more about data protection officers in our article on Virtual Privacy Professionals. Alternatively, book a clarity call to see how we can support you.

Privacy compliance is not just about measures; it’s about your and your company’s mindset. Data protection can become your competitive advantage if you treat your client’s privacy as a company value.

Privacy Management – What is all the fuss about?

Privacy Management – What is all the fuss about?

Privacy management can be a contentious issue. Isn’t it the business’s data when I have it? The data is out there, so why can’t I use it? Why should businesses care about the management of data and privacy?

History

The Universal Declaration of Human Rights in 1948, has one of the earliest statements towards the right to an individual’s privacy.

That was over 70 years ago, and the rights of an individual, in relation to privacy, are still being defined and redefined; 1973 and the first Data Act, in Sweden. The 1998 Data Protection Act in the UK and then, subsequently, the 2018 General Data Protection Regulations (GDPR), led to countries around Europe updating their own data protection laws.

Businesses have adapted and changed in 70 years, especially with the advancement and speed in technology. Hence the changes and updates in legislation, especially in relation to information sharing.

Privacy conflict

Businesses need data to run their businesses. Ideally, many businesses would say, they need to gather information to contact prospective clients and use that data as they want within their business. Look at the big tech companies, like Meta, Google and Amazon, who rely on the collection and ‘reusing/distributing’ of data as a fundamental cornerstone of their business. The selling of data can be a considerable income stream.

It is no wonder that businesses, no matter how big or small, have difficulties with privacy; especially when you have to balance the needs of the business with the needs of the individual. The individual has rights!

And there is the conflict. Many businesses argue either the information is out there or that the person has given it to them, so why can’t I use it the way they want to?

Good data management is good for business. Having everything in place can mean that things run smoother, and ore importantly, it can help reduce costs (especially in relation to software).

Who’s data is it?

GDPR set out to clarify the importance of privacy and data security. More importantly, it determines who the owner of the data is. The individual owns the data, and not the business. Businesses are, in effect, custodians of the information held by a living person. As a result, they have to follow the principles of the regulations.

  • Lawfulness, Fairness and Transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

In short, that means that businesses need to

  1. Identify the legal reason for collecting and storing the information AND have a way of informing the individuals.
  2. Ensure individuals’ rights are protected and acted upon.
  3. Only use the information for the purpose it was collected. This means we can not collect information and then use it for whatever reason we want, regardless of it being in the public domain.
  4. Only collect and store the bare minimum we need for the minimum amount of time we need to store it
  5. Ensure that the information we keep is accurate and if not correct it
  6. Ensure that the data is not lost or destroyed
  7. Being able to show compliance with the legislation.

Managing privacy

Saying we are data protection compliant is not enough. Businesses need to prove it. Some key areas to look at are

  1. Know your data
    • Map out what data you collect, save and keep; for what reason, and where it is.
  2. Only use it for the purpose collected
    • One example of this is, networking contacts can not be added to your email marketing or send sales emails. They consented for you to have their details; they did not consent for you to add them to your email marketing
  3. Keep it up-to-date and accurate
    • Account status, contact information, and payment history.
  4. Assess, review, and update
    • Assess what documentation you have and need
    • Review for updates and changes in practice
    • Look at trends in data security
  5. Secure it
    • Ensure that physical material is locked away securely
    • Ensure digital devices are secure and backed-up
  6. Training
    • Train your staff on what is data protection, and IT security
    • Have policies and processes in place, so they know what to do
  7. Keep records
    • log incidents and lessons learned
    • keep records of equipment, software
    • risk assessments and DPIAs

Sounds complicated?

It doesn’t need to be complicated. Help is at hand. As a data protection specialist, I am here to support and assist with your data protection woes. Why not get in touch?

Five Tips for GDPR

Five Tips for GDPR

If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking all the different aspects in at once can (and probably has) caused everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are the five tips to know about and why they matter.

Transparency

When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.

Control and rights are both fundamental underpinning principles of GDPR.

How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include

  • the contact details of the company;
  • if required, the Data Protection Officer,
  • the purpose and lawful bases for processing the data
  • and the categories of personal data you hold to name a few.

Mapping your data

Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.

Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.

Reporting breaches

Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.

Data breaches can take many forms, such as:

  • Device loss or theft
  • Phishing scams
  • Hacking
  • Lost or stolen external USB drives

Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.

Reporting breaches of personal data have been mandatory since before the GDPR came into force. It just became more visible,, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section for more information about breach reporting.

Knowing your subject’s rights

Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.

Data subjects have some or all of the following rights:

The right to be informed (Including why you are processing their data, how long you intend to retain it and who you might share it with.)

A right of access (Typically referred to as a Subject Access Request or SAR which must be dealt with in a timely way.)

The right to rectification (If the subject feels their data is incomplete or inaccurate.)

A right to erasure (Also known as the right to be forgotten, sometimes for legal reasons this may not always apply)

The right to restrict processing (In certain circumstances, an individual as the right to store their data but to stop you using it.)

A right to portability (The right to obtain their data and reuse it for another purpose or service.)

Being accountable

For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. Still, it will also build trust in your business and its services and raise you above the competition.

For help and advice around transparency, avoiding breaches, mapping the data you use, subject’s rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.

The Six Principles Underpinning GDPR

The Six Principles Underpinning GDPR

We know that GDPR is unavoidable for businesses of every size and scope. We also know that the requirements are considerable, and at times they can even feel overwhelming.

Don’t worry. Help is out there in the battle to understand exactly how you and your business will navigate a smooth path towards compliance.

The underpinning principles of GDPR are an excellent starting point.

Each of the principles is worthy of a deep dive in its own right, but for now, let’s have a brief look at each. What they involve and how they can help you to process data safely, securely and legally.

Remember, these are set out at the start of the legislation itself to help organisations and the people who run them to make the decisions. They will also enable you to put the practices in place that will embody the spirit of good GDPR practices.

Processing data in a lawful, fair and transparent way

This principle may seem self-explanatory; it basically requires that the practices you use to collect data don’t break laws. This requires a sound working knowledge of GDPR to adhere to, though, to achieve the principle’s intended goals of ensuring nothing is hidden from data subjects, stating the type of data collected in your privacy policy and the reasons for its collection.

Purpose limitation

Data has to be collected for a pre-defined and specific purpose and only for as long as necessary for that same purpose.

Data minimisation

When it comes to personal data, only process that which you need.

Data accuracy

GDPR expects that every reasonable step is taken to ensure the accuracy of data. If that isn’t the case and processed data is inaccurate, then erasure or prompt rectification is vital. Individuals have the right to request it.

Storage limitation

Another important aspect of GDPR compliance relates to safely and securely delete data that is no longer needed. How do you know when that is the case?

When does a customer stop being a customer? When is data relating to a former employee, business partner or freelancer considered obsolete?

These are complex questions, and the answer will vary depending on an individual’s industry and the reasons for the data itself. To be sure, and allay any doubts, consult a professional.

Security

Data must be processed in a way that guarantees its confidentiality and integrity. That includes things such as accidental loss, theft or partial destruction. This principle is intentionally vague to allow for changing technologies and evolving methods of best practice.

Many organisations look towards encryption, cloud-based services and staff training to fulfil these criteria.

All these principles should lay the foundation for the general data protection regime and always inform a solid GDPR policy.

As a certified Data Protection Officer, I can offer the help and support you need to ensure you and your business follow the principles underpinning GDPR compliance. You can send me a message, live chat or request a call any time. I’d love to help!