Data protection can seem like a never-ending web of obligations. As a business, you have to comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). They are lengthy pieces of legislation. Thankfully, the Information Commissioner’s Office (ICO) has a helpful website that will answer your questions as they crop up.
As a starting point, these are the top five things that you need to know about data protection as a small business.
Recruiting and managing employees
When you’re recruiting for new positions, you’ll accumulate personal information about candidates. That’s things like their name, address, email address, date of birth etc. You need to keep this personal information on file and keep it secure, in locked filing cabinets or password-protected electronic files.
That’s the case for your existing employees too. You have to keep their data secure. Your staff have the right to see their own records at any time. But only people with the right training in data protection can see the records of other employees. That’s likely to be people in your HR team.
Lots of small businesses operate CCTV on their premises. If your business uses CCTV, you must register your details with the Information Commissioner’s Office (ICO) and pay a data protection fee.
You also have obligations to the people who enter your CCTV-monitored building. Firstly, you have to tell them that they are being recorded. You’re probably familiar with the sorts of display signs we mean. You will have seen them before in public spaces. It’s important that these signs are clearly visible and legible.
As is the case with other personal information, you should control and limit who can see the recordings.
Finally, be clear on the reasons you started using the CCTV system, and don’t deviate from that purpose. Most CCTV systems are set up to detect crime. If that’s the purpose, then you can’t use the CCTV system to start monitoring your staff.
Marketing your products or services
You’ll be familiar with those tick boxes you see when you sign up to a newsletter, or purchase a product. They ask you if it’s OK to keep your data on file for marketing purposes. As a small business, you need to do this too.
Any customer addresses you collect must be kept on file, and kept secure. When you collect a customer’s or a client’s personal data you must tell them who you are and how you’ll use their information, including whether it’s being shared with other organisations.
You might have to put a notice on your website to inform customers, or make sure you have one of those familiar tick boxes in place at the point of sale.
Responding to customers’ requests
Your customers have the right to ask what personal information you hold on them. We recently wrote a blog about how to deal with these Data Subject Access Requests, if you’d like more information on the practicalities of responding.
The main thing to remember is that you are under an obligation to respond. If a customer asks you to delete their personal data, you must erase it. Or if they ask you to change it, or process it differently, you have to comply. Data protection laws are set up to strengthen the position of consumers, so whatever the customer asks for, they are probably within their rights to get you to comply.
Dealing with a breach
Despite your best efforts, data breaches will happen in the course of business. Don’t panic – it’s not the end of the world. You just have to deal with it quickly and effectively.
You need to report it to the ICO within 72 hours. Keep accurate records of what happened, how it happened, and the steps you’ve taken to minimise the risk of it happening again. Then, if it’s a reportable breach, file a report with the ICO.
If you’re not sure whether or not the breach is reportable, use the ICO’s self-assessment tool.
Data protection can be a bit overwhelming for small businesses. If you’d like a helping hand to guide you through your obligations, please get in touch with our team at HooperHyde Solicitors.