Data protection can be a thorny topic for small businesses and one that is often ignored. But failing to follow procedures can land you in trouble, warns Rianda Markram
Almost everyone in business these days handles data, in relation to customers, suppliers or employees. For most of us, that data comes with legal obligations attached to how we request, record, store, share and use it.
Many of these obligations are covered by the Data Protection Act 1998. This includes information about a person such as name, address, gender and date of birth; it also extends to comments about a person, and any other information from which that person can be identified. An example of information that is usually covered by the rules includes a database that holds customer email addresses, medical or bank details.
As a starting point, you should collect personal information only for a specific, clearly communicated purpose, and get consent. Examples of collecting data include CCTV recordings, obtaining personal information over the phone, and via email and website cookies.
Hold only as much personal information as you need for your business purposes, and only for as long as you need it. Most customers object to data being held on databases or other formats where there is no benefit to them, and may complain when they discover it’s happening without their consent. Such complaints can damage your business relations and reputation, and even expose you to fines and other consequences.
Once the data is collected, make sure it is used only for your stated purpose. Otherwise, you’ll subsequently require express consent to expand your usage of it to other stated applications.
Ideally, you must ensure the data you collect and retain is relevant and up-to-date. Using out-of-date records is likely to annoy your customers, and it may get you in trouble.
Safety is also paramount. Keep it secure by encrypting any data that you store, erasing or destroying data when it’s no longer needed, using strong passwords, and shredding and safely disposing of printouts that contain sensitive data. These practices protect both you and your customers; if you leak personal information, even inadvertently, it can expose you to legal consequences. Further examples include using up-to-date anti-virus software, filing paper records in a lockable filing cabinet, and making regular back-ups of important electronic files.
If requested, you must promptly (usually within 40 days) allow the client, employee or supplier of the information you’ve collected to see it.
The Information Commissioner’s Office (ICO) deals with all matters in relation to personal data protection and freedom of information in the UK. Businesses that hold and process personal information may need to inform the ICO of that activity; this process is called ‘notification’.
Businesses that process personal information only for core business reasons, such as staff admin or their own marketing, usually do not need to notify the ICO. Examples of when you’ll need to notify the ICO include if you process personal information for accounting purposes, or if you use CCTV in your business. Failure to notify or renew your notification when you are not exempt from this requirement is a criminal offence, punishable by a fine of up to £5,000. If you are uncertain if you need to notify, consult the self-assessment guide on the ICO website.
Finally, new data protection rules will be triggered by a new EU regulation in 2018, the General Data Protection Regulation. We’ll keep you informed on the development of these rules. This regulation – or most of its content – will be adopted despite the UK’s exit from the EU, according to the ICO.
RIANDA MARKRAM is a Commercial Professional Support lawyer at FSB Legal. If you have a legal query, call 03450 727 727