Any organisation that handles and captures customer or employee data, whether it be on a server, in a cloud or even on a usb stick, needs to follow the appropriate data protection laws in doing so or it can face heavy penalties.
Last month a marketing firm was fined £70,000 by the Information Commissioner’s Office, and earlier this year the Ministry of Justice was fined £180,000 for serious breaches of the Data Protection Act. A recent survey by Sophos suggests staff are often concerned that their companies do not fully comply with data protection requirements in the data they store.
Here are some top tips to help businesses follow best practice in this area and get ready for the changes ahead:
1. Read the Data Protection Act 1998 (DPA)
It is surprisingly user friendly and contains eight data protection principles. Although the law is due to be updated and this area is subject to review at EU level too, it is essential you are following the current framework.
2. Find out if you need to ‘notify’
Businesses processing personal information under the DPA as ‘data controllers’ are required to register with the Information Commissioner’s Office. However, you may not need to if you only process personal information for core business purposes, for example if you only do so for staff administration and accounting purposes. The Information Commissioner’s Office website includes a useful online self-assessment tool.
3. Get your policies right
Clear and up-to-date policies and procedures are important as is the training and education of staff who handle and store data, specifically marketing, sales, customer relations and HR departments need to know the rules as well as the IT department.
4. Think security
Businesses are under an obligation, under the DPA, to put in place adequate security measures to protect data against security breaches. Given the increasing prevalence of cybercrime resulting in the loss of personal data, this is critical.
5. When processing ‘sensitive’ data, treat it carefully
Data concerning an individual’s ethnic origin, political opinions, religious beliefs, health conditions, sexuality and commission of criminal offences would constitute ‘sensitive personal data’ under the DPA. There are more stringent rules around the processing of such data which it is wise to be aware of.
6. Minimise personal data and keep it up-to-date
Using incorrect or out-of-date records and asking for more information than is necessary may not only annoy customers but is also contrary to the provisions of the DPA.
7. Beware when sending personal data overseas
If you need to do this, make sure your customer or employment contracts (if the data concerns staff) offer you adequate protection as, in certain cases, the explicit consent of the data subject may be required.
8. Don’t forget recruitment and selection is covered by the DPA
Do not collect personal information from all applicants when you really only need it from the successful candidate. Use the information that you collect for recruitment and selection only, or explain to applicants what their information will be used for.
9. Police your contracts properly
For example if you receive personal data from your clients and customers as part of your business, ensure that your service agreement protects your position. Particular care over contractual terms is needed when clients and customers are providing you with the personal data of third parties.
10. Are you selling your business?
Be aware of your data protection obligations during the due diligence process. You may need to anonymise certain data and you should ensure that potential buyers and data room providers are subject to appropriate contractual terms regarding the confidentiality and security of the data disclosed.
This article first appeared in Real Business magazine online in December 2014