Data. It’s valuable. Look. After. It.
Over the past twenty years I have lost count of the number of times people have complained to me about data protection. You have probably done the same: it's a bore, it's time-consuming, it's bureaucratic, it's complicated and it's a waste of time. I recognise the frustration, but it is the wrong position to take. Your data is valuable, so look after it. Every new client is data; every new client becomes an important client; one client becomes ten; and when you come to sell the business, the sale of that data becomes hugely significant. So don't ignore your data.
Do you have a record of what personal data you hold? Do you know what you use it for?
Personal data is any information that can identify a living person: anything from a name or email address to medical information or a computer's IP address. If you are a small or medium-sized organisation (1 to 250 employees) that handles personal data, you need to comply with data protection law.
Do your records include the following information?
- The type of data you have, such as names and email addresses.
- How you got the data, such as on paper forms or through your website.
- Why you have the data.
- How long you’ve had the data or will keep it.
- If you share the data.
- If the data is ‘special category data’ or sensitive data, such as medical information.
Do you tell people how you use their personal data?
- Do people know you have their personal data and understand how you use it?
- Do you tell people if you’re sharing their data?
- Do you tell people what you plan to do with their data either in paper form, such as using leaflets or posters, or online through a privacy notice or statement?
If so, does this privacy notice or statement include all the below information?
- The name of your business and the person responsible for data protection.
- Why you hold the personal data (your lawful basis) and what you do with it.
- Where you got the data from.
- Who you share the data with and how you do this, including any sharing outside the UK.
- How long you keep the data for.
- How people can request access to, or correction or deletion of, their data.
- How to complain to the ICO.
- Whether you make automated decisions or do profiling based on the data you hold.
- Do you only collect the personal data you need to work with and use?
- Do you make sure people know the difference between information they need to provide and information that is optional?
Why is this important?
Saj runs a small bookkeeping business. He collects his clients' names and postal addresses in order to provide his service, but he decides that rather than posting his reports out he would like to email them instead. Because emailing the reports is not necessary for him to carry out his service, he must make clear that providing an email address is optional and that the client can choose to keep receiving reports by post. Saj can of course decline the business if he feels that not having an email address would limit the service he can provide.
- Have you decided and documented how long you will hold the personal data you collect?
- Do you refresh or destroy personal data after specified periods of time?
- Do you securely delete or destroy personal data as soon as you no longer need it?
Michael is a window cleaner and supplier of weekly cleaning equipment. He collects the name, address and phone number of his customers, as well as their weekly orders and details of their payments. Michael creates a document that details what personal data he collects and how long he holds it (the retention period). At the end of the retention period, he securely destroys the data by shredding it. He also annually checks the personal data he holds to make sure everything has been deleted at the end of its retention period.
Do you regularly check that the personal data you hold is accurate and up to date?
Kevin is the manager of a local karate club. Every month he emails the club about upcoming sessions. Kevin should regularly check with the team members that the email addresses are still accurate.
Can you update information quickly if asked by an individual?
- Do you keep personal data secure in the office, for example by using lockable filing cabinets and locking or logging off computers when away from your desk?
- Do you take steps to keep personal data secure before you take it out and about or send it somewhere else? For example, do you only take with you the data you need or send it in advance by secure methods?
- Do you keep paper documents secure, say by using lockable storage and disposing of paper records securely?
- Do you keep electronic data secure, say by encrypting mobile devices, using passwords and backing up the data?
- Do you know about the rights individuals have under the law?
In summary these are as follows:
- The right to be informed – being told what data you hold about them and what you do with it.
- The right of access – being able to request a copy of their data you hold.
- The right to rectification – being able to have inaccurate data corrected.
- The right to erasure – being able to ask you to delete / destroy their data.
- The right to restrict processing – being able to limit the amount or type of data used.
- The right to data portability – requesting to move their data electronically to another business.
- The right to object – being able to request you stop using their data.
- Do you have plans in place so you can deal with any requests?
- Do you know that a request can be made in writing or verbally, in person or on the phone?
A request could be made over the phone, in an email, or face to face. It doesn’t have to be made formally in writing by letter. If you can, treat requests that are easily dealt with as routine matters, in the normal course of business.
Simon, a local football-team manager, receives a call from a player asking for details of all the matches he has played in the last year. This can be dealt with as business as usual.
Peter (the newsagent) is asked by a customer in the shop for the balance of her account. This can be dealt with as business as usual.
You would probably want to treat the following requests in a more formal way:
One of Susan’s ex-employees requests a copy of the reference she gave about him to a prospective new employer.
Kevin manages the under-10s football team and receives a request from one of the children’s parents for a copy of the information held on their child.
Do you know how long you have to respond to a request?
The time limit is one calendar month, starting on the day you receive the request. Pam receives a request on 3 September; the time limit starts on the same day, so she has until 3 October to complete the request.
However, Sachin receives a request on 31 March; the time limit starts that day. As there is no equivalent date in April, Sachin has until 30 April to complete the request. If 30 April falls on a weekend or a public holiday, he has until the end of the next working day to comply.
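The deadline rule above has two edge cases that are easy to get wrong by hand (a day number that does not exist in the following month, and a deadline landing on a non-working day), so here is a small added example that works them through in code. It is not from the original page or the ICO; the function name and signature are my own, and the public holidays are passed in by the caller because they differ between the UK nations and from year to year.

```python
from datetime import date, timedelta
import calendar


def response_deadline(received: date, public_holidays=()) -> date:
    """Return the last day for responding to a data subject request.

    Rule as described in the text above (hypothetical helper, not ICO code):
      1. The clock starts on the day the request is received.
      2. The deadline is the same day-of-month in the following month;
         if that day does not exist, it is the last day of that month.
      3. If the deadline falls on a Saturday, Sunday or a public holiday,
         it moves to the next working day.
    """
    year, month = received.year, received.month
    # Step 2: roll over to the following month, handling December -> January.
    if month == 12:
        year, month = year + 1, 1
    else:
        month += 1
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day))

    # Step 3: skip weekends (weekday() 5 = Saturday, 6 = Sunday) and holidays.
    holidays = set(public_holidays)
    while deadline.weekday() >= 5 or deadline in holidays:
        deadline += timedelta(days=1)
    return deadline


if __name__ == "__main__":
    # Constructed sample inputs matching the two cases in the text.
    print("Pam:   ", response_deadline(date(2023, 9, 3)))    # 2023-10-03
    print("Sachin:", response_deadline(date(2023, 3, 31)))   # 30 Apr 2023 is a Sunday -> 2023-05-01
    # 1 May 2023 was the UK early May bank holiday, so with that supplied
    # the deadline moves one more day.
    print("Sachin (with bank holiday):",
          response_deadline(date(2023, 3, 31), public_holidays=[date(2023, 5, 1)]))  # 2023-05-02
```

Note that the function only computes the statutory deadline; it does not model any extension or any pause of the clock, so if your process allows for those, track them separately rather than changing the arithmetic here.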
Are you able to delete someone’s information if they ask you to?
Alex processes personal data to send direct marketing materials by post. As individuals may have the right to have their personal data erased, Alex makes sure he can erase personal data within one month, if needed.
Have you trained all your staff who handle personal data on their data protection responsibilities?
Bob is a builder and employs two office staff. He has briefed them about keeping information safe and secure, explained to them what privacy information he has given his clients, and told them what to do if anything goes wrong or records go missing. He also displays a poster in the office, which he printed from the ICO’s Th!nk Privacy library, and does an office sweep every week to check that personal data is locked away securely.
Do you know what to do if something goes wrong, including a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Do you know which breaches to report to the ICO?
A breach can have a range of adverse effects on individuals, including emotional distress and physical and material damage. You need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If a risk is likely, you must notify the ICO, and you must do so without undue delay and within 72 hours of becoming aware of the breach.
Do you know which breaches you have to inform individuals of?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, as soon as possible.
- Do you only collect the personal data you need?
- Do you only keep personal data for as long as it is needed?
- Do you keep personal data accurate and up to date?
- Do you keep personal data secure?
- Do you have a way for people to exercise their rights regarding the personal data you hold about them?
- Do you and your staff (if you have any) know your data protection responsibilities?
- Do you know if you are obliged to pay a data protection fee?