Data Protection Act: a brief guide for small businesses

Author
Charlie Pigott
Data protection and privacy | Wright Hassall LLP
7th July 2016

Most small businesses collect information on their customers every day without giving it a second thought. It seems obvious, doesn’t it: to operate a business you’ll need to store key details about your clients. 

Name, telephone number and address all seem innocuous enough, but if you hold these or other personal details on your customers, staff or suppliers, you have a responsibility to comply with the Data Protection Act. 

To help you get to grips with your business’s obligations, we invited data protection specialist Charlie Pigott to answer some of the most commonly asked questions on the Data Protection Act.

What does the Data Protection Act 1998 do? 

The Data Protection Act 1998 (DPA) seeks to ensure the safe and secure processing of data in order to protect individuals’ information. This personal data needs to be protected because it can be sensitive in nature and could be used in a discriminatory way. 

Why do I need to comply? 

In recent years Data Protection has carried negative connotations, with many individuals meeting the same brick wall of – “I can’t do that because of Data Protection…” – when it may not even apply. As a result, many people turn a blind eye to the issue, viewing it as an example of the increasing amount of “red tape” that chokes SMEs. 

The majority of UK businesses are SMEs. Under great pressure to grow their enterprises, small business owners often have little time to think about data security, leaving SMEs as the soft underbelly of business. If you do not ensure that your business is data compliant, then your money, your information and your reputation are all at risk. For example: 

  • In 2015 74% of SMEs experienced a data breach of some kind. This was a 17% increase from the previous year.
  • The average cost to an SME for security breaches ranges between £75,000 and £311,000. 

The number of security breaches has increased, their scale and cost have nearly doubled, and if data security remains low on the to-do list of SMEs then the cost to businesses is going to continue to rise.

In my opinion, the Data Protection Act is less like red tape and more like a safety net for SMEs when it is understood and used properly. 

My business handles individuals’ data, what are my responsibilities?

Where a business processes personal or sensitive information about individuals, it will normally need to be registered with the Information Commissioner’s Office (ICO). This “notification” tells the ICO what personal and sensitive data will be processed, the groups of people whose data will be processed and who that data may be shared with. There are some exemptions to notification, but if they do not apply and you have not notified, then that is a criminal offence with a fine of up to £5,000. 

In addition, businesses need to ensure that they are following the eight principles (guidelines) under the Data Protection Act.

  • Principle 1 – All data should be processed fairly and lawfully. In order to ensure fairness, the data controller should be clear, open and transparent with the data subject about how and why their data is being collected.  
  • Principle 2 – States that personal data must only be used for the purpose for which it was intended. This helps to reinforce the first principle, as data controllers and data processors must be clear and transparent with the data subject about the handling of their data. 
  • Principle 3 – Makes sure that the data collected is adequate for the purpose that has been specified clearly and transparently under the previous two principles. This ensures that data collected is not excessive in nature. 
  • Principle 4 – Focuses on the accuracy of data. The more personal or sensitive the data, the more steps need to be taken to ensure that it is accurate. 
  • Principle 5 – Looks at the retention of data. If the data collected or processed for a specified purpose is no longer needed, it should either be archived or securely deleted. 
  • Principle 6 – Subject to satisfying certain conditions, the data subject has the right to access a copy of their personal data that a data controller possesses. In addition, the data subject has the right to have inaccurate personal data rectified, blocked, erased or destroyed, and to claim compensation for damage caused by a breach of the DPA. 
  • Principle 7 – States that the nature of the security should match the level of sensitivity of the data. It is vital that data controllers have put in place the correct physical and technical security, reinforced by robust policies. 
  • Principle 8 – Is concerned with the export of data outside the European Economic Area (EEA). This principle states that personal data should not be transferred outside the EEA unless the destination country or territory provides adequate levels of protection for the rights and freedoms of the data subjects. 

It is your responsibility to abide by these principles in order to ensure that your business is DPA compliant. 

How do I ensure that my business remains data compliant and avoids a data breach?

There are two main causes of data breaches: staff-related security breaches and malicious hacking. 

Establishing an embedded culture of data compliance is a key way to protect your business from breaches occurring. Having well-informed and well-trained staff is vital to your business. In 2015, 31% of SMEs experienced a staff-related security breach, an increase from 22% in 2014. 

Similarly, ensuring that your customer and staff data is secure from theft is key to ensuring data compliance. If the necessary defences are not in place to protect against hacking, then you could face a fine from the ICO of up to £500,000.

Installing software updates regularly, using strong passwords and deleting suspicious emails are the basics of protecting your business from online threats.
