In 2021 I ran a series of blog posts from guest contributors focused on maintaining our mental health. Following feedback in my Facebook group, I decided that my blog theme for this year’s guest contributors would be “taking our businesses to the next level”. This post is the eighth of this 2022 series, and comes from data protection and compliance specialist Sam Alford.
You can read the other posts in the series here:
5 Ways To Grow Your B2B Business Using Social Media
Personal branding: taking your business to the next level
How to create a 2-page marketing strategy
Making your business a tough nut to crack
Profit First: Next Level Cash Management
You Don’t Have To Do This Alone
Sam is a data protection and compliance specialist based in South Manchester. She is a published author on the subject of data protection, but she is also a qualified chef, an ISO 9000 auditor, a Health and Safety at Work manager and the Chair of our local Chamber of Commerce board. Having initially trained as a chef, Sam spent just shy of 20 years as a logistician in the Royal Air Force. After a number of voluntary and paid roles she now runs the “Compliance” section of PPP Management Ltd. Over a long and varied career Sam has worked in the public, private, voluntary and charity sectors, and as a small business owner she understands how hard it is to find time to do all the “admin” as well as “doing the do”.
**************
So, first things first… There are three camps when it comes to data protection, especially GDPR (or UK GDPR as it is now). Which one are you in?
- Those who have it covered
- Those who think it’s EU nonsense that doesn’t apply to them
- Those who know it’s important, don’t want to do it wrong, and have either got their head in the sand or not yet had the time to deal with it.
If you are a small business it is rare that you will be in the first camp; if you are, well done and keep up the good work. If you are in the second camp, sadly you are deluding yourself and you need to make a start. So that leaves the third camp, and this blog will help you on your journey.
What’s it all about?
When it comes to protecting personal data it’s pretty simple really. You should treat other people’s data with the same care as you would want for your own. This means telling them what you hold (and why), where you got it, who you’ll share it with, how and for how long you keep it, and what you’ll do with it when you no longer need it.
What should I be doing?
First of all you need to understand what data you have. Even if you only store it on your phone or in your email you are processing that data, and you need a lawful basis for holding it. Anything that can be used to identify a living human being is personal data. This includes email addresses if they have a name in them. I use the honeycomb below to identify what data is used, but a list is just as good.
I know the “What” – So what’s next?
The most important step once you know what data you hold is to register with the UK Information Commissioner’s Office (the ICO) and pay the data protection fee. The potential fine for processing data without being registered is £4,000 or more, while the annual fee for a small business is usually £35, so it’s a no-brainer really. Once you’re registered you get a certificate and a reminder to renew each year. Keep the certificate somewhere safe in case you are asked for it. I have only heard of a handful of cases where the organisation did not need to register; if this is you then remember to take a screenshot for your records.
And Then What?
Call it what you will (Data Protection and Information Governance are the most common names), you then need to have some processes in place. Under UK GDPR organisations have to be able to DEMONSTRATE their compliance with the legislation (the accountability principle). The easiest way to do this is to have a good set of documents:
- A Record of your Processing Activities (ROPA). This does not have to be wildly complex (a simple spreadsheet will do), but for every category of data subject (customers, staff, suppliers) it should list every item of data you process, what you need it for, the lawful basis for processing it, how you store it, who you share it with, how long you keep it and how you get rid of it.
- A Privacy Notice that takes the information from your ROPA and explains it to data subjects in a way they can understand. My top tip here is to use the template on the ICO website rather than one of the many super-complex legalese ones on the internet.
- A compliant “cookie banner” on your website, if you have one. Use a cookie checker like Cookie Serve to find out what cookies your website drops, then get your website provider to put up a compliant banner. Only strictly necessary cookies may be set before the visitor has made a choice, and remember not to pre-tick the boxes, so people “opt in” rather than “opt out”.
- A Data Protection Policy. This can be as simple as you like, but it should include what to do in the event of a data breach or a subject access request, and it should list the people within the business who are responsible for data protection. You can also add information on CCTV/dashcams and the use of business mobiles/IT.
- A Data Sharing Policy, if you use any sub-processors (payroll, IT, website), backed by a written contract with each of them.
- A Marketing Policy. If you do any marketing you are required to comply with PECR (the Privacy and Electronic Communications Regulations) as well as UK GDPR.
- A record of Data Protection Training. Training should take place at least every two years, and there are some great (and unusual) companies offering everything from “training set to music” to regular short videos about real breaches and issues. Of course there are online providers who offer more traditional PowerPoint and multiple-choice courses, and others such as myself who offer bespoke training tailored to your setting.
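As an added illustration of the cookie banner point (this is example code written for this page, not part of Sam’s post or any real consent library), here is the decision logic an opt-in banner needs behind the scenes. The category names, the consent cookie name and its lifetime are assumptions for the example; the rule it enforces is that only strictly necessary cookies are dropped before a choice is made, and that a box the visitor never ticked themselves is not consent.

```javascript
// Added example, not from the original post. Category names, the consent
// cookie name and its Max-Age are assumptions chosen for illustration.

const CATEGORIES = {
  necessary: { essential: true },   // session, CSRF token, the consent record itself
  analytics: { essential: false },
  marketing: { essential: false },
};

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // assumed lifetime: 180 days

// Initial state of the banner checkboxes: every non-essential category is
// unticked. Render this, not a "recommended" set with analytics pre-ticked.
function defaultBannerState() {
  const state = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    state[name] = meta.essential; // true only for 'necessary'
  }
  return state;
}

// Turn the banner into a consent record. `userActed` says whether the visitor
// actually clicked a choice; if they ignored or closed the banner, every
// non-essential category is treated as refused, whatever the boxes show.
function recordConsent(boxes, userActed, nowMs) {
  const record = { v: 1, at: nowMs, allow: {} };
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    record.allow[name] = meta.essential || (userActed && boxes[name] === true);
  }
  return record;
}

// Set-Cookie value for the record. The record is itself strictly necessary,
// so it may be written before any other consent exists.
function consentCookieHeader(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}

// Parse a document.cookie-style string ("a=b; c=d") back into a record.
// Anything missing, malformed or of an unknown version counts as no consent.
function parseConsent(cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join('=')));
      if (rec && rec.v === 1 && rec.allow) return rec;
    } catch (e) {
      // corrupt value: fall through to "no consent"
    }
    return null;
  }
  return null;
}

// The gate every cookie-setting call should pass through.
function mayDrop(category, consentRecord) {
  const meta = CATEGORIES[category];
  if (!meta) return false;          // unknown category: refuse by default
  if (meta.essential) return true;  // strictly necessary: always allowed
  return Boolean(consentRecord && consentRecord.allow[category] === true);
}

// Reduce a cookie inventory (e.g. what a cookie checker reported for your
// site, labelled by category) to what may be set for this visitor now.
function permittedCookies(inventory, cookieString) {
  const rec = parseConsent(cookieString);
  return inventory.filter((c) => mayDrop(c.category, rec)).map((c) => c.name);
}

// Constructed sample inventory for the example.
const SAMPLE_INVENTORY = [
  { name: 'sessionid', category: 'necessary' },
  { name: 'csrftoken', category: 'necessary' },
  { name: '_ga',       category: 'analytics' },
  { name: '_fbp',      category: 'marketing' },
];

// First visit, no consent cookie yet: only the necessary ones survive.
console.log(permittedCookies(SAMPLE_INVENTORY, ''));
```

The important behaviour is in recordConsent and mayDrop: a box that is ticked but never acted on records no consent, and an absent or corrupt consent cookie falls back to necessary-only rather than to everything.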
What to do when things go wrong
1 in 3 businesses will suffer some form of data breach. Whether this is sending something to the wrong person, ransomware or other cybercrime, it pays to be prepared. The most common ways businesses fall foul of the regulations are:
- Not understanding the purpose limitation principle: you can only use data for the purpose you gathered it for. If you want to use it for something new, check with the individual first. For example, when someone asks you for another person’s contact details, check with that person before passing them on.
- Assessing risk from the business’s standpoint rather than the data subject’s. You need to consider whether there is a risk to the rights and freedoms of the individual, in addition to any business or reputational risk.
- Taking a Subject Access Request personally. It’s easier all round if you just deal in the facts and leave the personal at the door (and keep an eye on the one-month deadline for responding).
- Not complying with the marketing regulations. Most ICO fines to date have been for PECR infringements, so it pays to make sure you are doing things right.
Where to turn to
By having policies, procedures and training in place you can prove you’re doing it right. You can also opt for an independent audit to check you’ve got things covered. As well as the ICO, the National Cyber Security Centre and the North West Cyber Resilience Centre have plenty of advice, support and information.
If you want more information on any of the above or just a quick chat to check you are on the right track you can contact me via the website, or follow me on LinkedIn or Twitter (@pppmauthor) … or ask Helen because she has permission to share my details.
Sam Alford
PPP Management
October 2022