Data protection answers to small business questions

Contrary to popular belief, "Data Protection" does not ban you from doing the everyday, common-sense things needed to run your business.

Doing it properly means that you can administer your business, work with your customers and suppliers and manage your employees effectively and lawfully.

Below are a few questions we regularly get asked, along with our responses.

Q: What does it mean for a small business?

As a small business, if you collect and use personal data (information about living individuals) about your employees, customers, suppliers and other business contacts you may have, you are legally obliged to protect that information.

This means complying with the Data Protection Act 1998 (DPA).

You will be classed as a Data Controller (a person or organisation who decides what personal data will be used for).

This means you will have to notify the Information Commissioner (ICO), the UK regulator for Data Protection, about what you do with it (your purposes for processing). This process is called "Notification".

Q: So what do you have to do?

Under the Data Protection Act, you must also:

  • Only collect personal data that you need for a specific purpose;
  • Tell people why you collect it;
  • Keep it secure;
  • Ensure it is relevant and up to date;
  • Only hold as much as you need, and only for as long as you need it; and
  • Allow the subject of the information to see it on request.

Q: So what does that really mean?

In plain terms, as an employer, you are obliged to protect your employees’ personal information.

Think about what you collect from employees: National Insurance numbers and other information you need to employ them.

Think also about why you need this and how long you need to keep it and how you will keep it secure.

Think also about your customer and supplier details (names, addresses, financial information, etc.). The same considerations apply.

If you get other companies to do work for you that involves them using personal data, you need to have a suitable contract in place with those companies, telling them what to do.

If you do telephone, email or other electronic marketing, then you need to comply with the Privacy and Electronic Communications Regulations along with the Data Protection Act.

If you buy and sell databases containing customers' personal information, then you still need to comply with the Data Protection Act.

Your employees and customers also have the right to see their personal information. You need to have a process in place to deal with this.

Q: What if you decide not to do all of this?

Simply put, you have to. It’s the law!

The Information Commissioner has the power to issue Civil Monetary Penalty Notices (MPNs) of up to £500,000 per breach of the Data Protection Act.

They also report and publish details of the penalties they issue, so think of the bad press, loss of customer and supplier confidence and all the embarrassment.

Notification is also a legal requirement and most organisations that process personal information must register with the Information Commissioner. Failure to notify the ICO is a criminal offence.

Q: What are the benefits in doing this?

In short, complying means you will be meeting your lawful obligations.

Also, Data Protection compliance provides a range of benefits.

You'll enhance your business' reputation, increase customer and employee confidence that you are dealing with them fairly and lawfully, and, by ensuring that the information you hold and use is accurate, save both time and money.

In short, it makes rather good business sense!

Name: Iain Harrison
About: Iain Harrison is an Information Governance Adviser with Wright Hassall Solicitors
