
Data Privacy and Data Protection Must Knows!

Are you a business owner with limited knowledge of the world of data privacy and data protection? Then grab a coffee and take a quick five-minute read of our data protection blog as we point you in the right direction to unravel the world of data privacy!


What is Data Protection/ Data Privacy?

Data protection and data privacy rules exist to protect people’s personal data from misuse by businesses and other organisations. They are set out in UK legislation (the UK GDPR and the Data Protection Act 2018) and aim to reduce the loss, theft, corruption and misuse of information about individuals. Without these rules and protections, data about individuals would be scattered everywhere and there would be an increased risk of your data being handled inappropriately.


Does GDPR still apply?

Yes! Although the UK has left the EU, the GDPR was carried over into UK law as the “UK GDPR”, which sits alongside the Data Protection Act 2018. The same principles and obligations still apply here in the UK.


What does GDPR even mean?!

It stands for General Data Protection Regulation – a piece of legislation that sets out (in detail!) the do’s and don’ts when handling people’s personal data in a business context.


Why should I care?

If you run a business, complying with these rules is a legal requirement: you must have safeguards and systems in place to protect any personal data you collect about individuals. If you are found to be in breach, the Information Commissioner’s Office (“ICO”) can fine your business (for the most serious breaches, up to £17.5 million or 4% of annual worldwide turnover, whichever is higher), and directors and other officers can be prosecuted personally for serious offences committed with their consent or connivance.


Oh my goodness, I know nothing…what do I need to do??

Don’t panic. The fact you are reading this blog means you have already taken the first step. Next focus on these issues:


1. Get knowledgeable! Take a good look at the ICO’s website for guidance and information on what your obligations are: www.ico.org.uk


2. Assess what data you collect about people – clients’ contact details (name/email/phone number)? Date of birth? Bank details? Any special category data (information about their health, ethnicity, religion, sexual orientation and so on) or criminal offence data? Does your website use cookies to track people’s use of your website? Having a think and carrying out a mini-audit of the data you collect will help you work out what you need to do to comply with the law.


3. If you process any personal data about individuals (in a business sense), then you MUST pay the ICO’s annual data protection fee unless you fall within one of the narrow exemptions (the ICO website has a short self-assessment to check). This is the modern replacement for “registering” as a data controller; think of it as a data protection levy that funds the ICO’s work investigating data breaches and providing guidance.


4. At the very least, get a good privacy policy (also called a privacy notice) in place – this helps you meet a large chunk of the legal requirements. When collecting personal data about people you need to tell them who you are, what data you are collecting, for what purpose and on what legal basis, how it will be used, how long you will keep it, who it will be shared with and what their rights are. Your privacy policy should cover all of this and can neatly sit in the footer of your website. Then every time you collect personal data about anyone you can simply let them know it is being collected in accordance with your privacy policy and provide a link.


5. Put in place robust data sharing practices. Do you need to share any personal data with third parties? For example, do you have an associate that you share data about clients with? Do you use a document management or cloud storage provider to hold your client data? As the person who originally collected the data from the individual, you remain responsible for it, so you need something in writing obliging any recipient to comply with the data protection laws. Where the third party only handles the data on your instructions (a supplier such as a hosting or document management provider), the law requires a written contract containing specific data processing terms: either a standalone Data Processing Agreement or data processing clauses in the legal agreement you already have with them (for example a services agreement). It is also sensible, although a commercial point rather than a legal requirement, to have them indemnify you, so they are on the hook for the fines and losses you incur as a result of their mishandling of the data you shared. Where an associate uses the data for their own purposes, they are a controller in their own right and a data sharing agreement setting out each party’s responsibilities is the right tool.


6. Check you have the right tick boxes and notifications in place. When collecting ordinary personal data (like names/email addresses) you usually just need to alert people to the existence of your privacy policy (a link is enough). But if you are collecting any special category data (like health data or data about ethnicity) or criminal offence data, you need an additional legal condition, and for many small businesses that will be explicit consent – in which case you’ll need a tick box: unticked by default, in plain language, and kept as a record of who agreed to what and when.


7. What about marketing? Well, if you are collecting email addresses for marketing then there are extra rules to follow (the Privacy and Electronic Communications Regulations, “PECR” – sorry!). If you obtained someone’s details in the course of selling them something (or negotiating a sale) and you only market your own similar products or services, you can rely on the “soft opt-in” without a consent tick box, provided you gave them a simple way to refuse when you collected their details and include an unsubscribe option in every communication. If, however, you are doing something different, or approaching individuals who have never dealt with you, you will need their consent – an unticked box they actively tick. You will also usually need separate, specific consent if you intend to pass their details to other third parties for their marketing. If you are planning some complicated marketing activities, seek legal advice on consents / tick boxes.


8. Remember that website cookies are regulated too! The identifiers cookies store can be personal data, and the cookie rules (in PECR) apply whether or not they are. If your website sets cookies, you will need either a cookie policy on your website or a detailed section within the privacy policy listing the cookies used, for what purpose and how they can be disabled. The law also requires the visitor’s consent before you set any cookie that is not strictly necessary for the service they asked for (analytics and advertising cookies are the usual examples), which in practice means a consent notice for first-time visitors that does not set those cookies until the visitor agrees. A banner that just says “we use cookies” while the cookies load in the background does not count.
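The cookie point is where many sites fall down: the banner appears, but the analytics and advertising cookies are set regardless. The following is an added example (not code from the original post or from the firm behind it) of the gating logic a consent notice must drive: strictly necessary cookies are always permitted, anything else only after a recorded choice, and an unknown cookie is refused. The cookie names, the category table, the consent cookie name `cookie_consent` and its JSON format are all assumptions made for the illustration.

```javascript
// Added example (not from the original post): gating non-essential cookies
// behind a recorded consent choice. Cookie names, categories and the
// consent cookie format below are assumptions for the illustration.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record
const CONSENT_VERSION = 1;               // bump whenever the cookie policy changes

// Assumed categorisation. Strictly necessary cookies need no consent;
// everything else needs a positive choice before it is set.
const CATEGORY = {
  session_id: "necessary",
  csrf_token: "necessary",
  [CONSENT_COOKIE]: "necessary",
  _ga: "analytics",
  _fbp: "marketing",
};

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      out[name] = value; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Read the visitor's recorded choice. Returns null when there is no valid
// choice (first visit, tampered value, or the policy version has changed);
// the caller must then show the banner and set nothing non-essential.
function readConsent(header) {
  const raw = parseCookieHeader(header)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.v !== CONSENT_VERSION) return null;
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch {
    return null;
  }
}

// Build the Set-Cookie value that records a choice. Anything not actively
// ticked is recorded as false: the default is refusal, never a pre-ticked yes.
function buildConsentCookie(choices, maxAgeDays = 180) {
  const record = {
    v: CONSENT_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    at: choices.at || new Date().toISOString(), // when the choice was made
  };
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// The gate: may this cookie be set for a visitor with this consent state?
function canSetCookie(name, consent) {
  const category = CATEGORY[name];
  if (category === undefined) return false; // unknown cookie: fail closed
  if (category === "necessary") return true;
  return consent !== null && consent[category] === true;
}

// Reduce the cookies a page wants to set to the ones it is allowed to set.
function permittedCookies(names, header) {
  const consent = readConsent(header);
  return names.filter((n) => canSetCookie(n, consent));
}

// Constructed demo input: a first-time visitor carrying only a session cookie.
const firstVisit = "session_id=abc123";
console.log(permittedCookies(["session_id", "_ga", "_fbp"], firstVisit)); // ["session_id"]
```

Wire the banner’s buttons to `buildConsentCookie()`, and make every place that sets a non-essential cookie (or loads a tag that would) call `canSetCookie()` first; when `readConsent()` returns null the banner is shown and nothing non-essential is set. Bumping `CONSENT_VERSION` when the cookie policy changes invalidates old choices so visitors are asked again.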


Still confused?

If you’re still confused and need some help deciphering your specific data protection situation, then get in touch. We can carry out mini audits, help draft privacy policies, data processing agreements, consent tick boxes and cookie wording.