Data protection has never been a more pressing issue than now. With many businesses collecting information in CRM databases, commercial and transactional databases, email address lists, etc., it’s important for business owners to understand their responsibilities towards data protection and security. For a full definition of what is considered to be data, please see the ICO’s definition of data, which shows that data covers both automated and non-automated records.
There are 8 main principles behind the Data Protection Act (DPA). It would be good business practice for all business owners that utilise any data that falls within the DPA definition to ensure that all relevant employees are aware of these 8 principles.
- Personal data should be processed fairly and lawfully – this applies to how you collect, use, disclose, retain and store the data that you have collected. Whilst “fairly” and “lawfully” should be considered separately, one of the main ways that you can influence the fairness of your data processing is to be very transparent about how you collect, use and disclose that data. Clear disclosure policies are an absolute must in the internet age. You should also make sure that the people supplying information have a choice about whether to supply that data or not, and a clear understanding of what it will be used for. This is particularly relevant when personal data is then used for marketing purposes, and you should be extremely careful about giving that data to third parties without the prior consent of the person who supplied it.
- Amount of data you may hold – this principle basically asks that you do not store more data than is necessary for the purpose for which you intend to use it. So don’t store addresses and phone numbers if you don’t have a clearly defined purpose for using them. In practice, this means planning a data strategy for your business with clearly defined purposes for each set of data. Developing a data strategy will almost always open up new ideas for marketing and CRM, so it’s a great practical exercise.
- Data should be kept accurate and up to date – this is an important one. If you have repeated interactions with individuals about whom you are storing data, then you need to have a process to check that the data you are storing is accurate and current. One-off transactions do not require regular checking of data, but if your purpose for using the data requires it to be current, then you need to ensure that you adhere to this principle. So if your staff are informed of a change in data, you need to provide a good system for those requests to be processed in a timely fashion.
- Retaining personal data – basically, you shouldn’t keep data for longer than is necessary for the purpose for which you intend to use it. In practice, one of the main impacts of this principle is the requirement to securely update, archive and delete data. You will need to make provision for the secure collection of deleted physical records, and possibly for the professional deletion of electronic records, which should also be stored encrypted.
- Rights of individuals – individuals have the right to a copy of the information that you are storing, the right to object to any processing of that information if damage or distress is likely to be caused, a right to prevent its use for direct marketing, a right to object to automated decision making based on that data, a right to have data rectified and destroyed, and a right to claim compensation for any breaches of the Act. Be warned: the rights of the individual should be taken very seriously, and you should build a process into your business to deal with requests for information and processing. For most businesses, the main impact of this principle is on direct marketing. Permission needs to be sought from individuals, and opt-out requests should be processed quickly. Failure to do so will not only breach principle 6, but could possibly be considered to breach principle 4 also: if permission is withdrawn and this is not updated in a timely fashion, then records are not being kept up to date.
- Information security – this is the principle that really makes the news headlines. Lost email records, hacked credit card details, top secret documents being left on trains in South East London! Invest in sound computer security and also consider getting a series of data safes and fire safes to protect any physical records or backup data storage devices. This principle also requires data holders to protect against data damage, destruction and accidental loss, so the importance of proper security procedures cannot be overstated.
- Sending data outside the European Economic Area – this is really important for international businesses that need to record data. You might be required to inform individuals if their data is being transferred elsewhere under principle 1, but you will also need to ensure that data is transferred securely under principle 7 and that the rights of the individual under principle 4 are adhered to in the country that the data is transferred to.
Understanding all of these principles, and being able to recall them, really does make sound business sense. Having them posted around the office is another good way to ensure that data handlers are mindful at all times of the requirements placed on them for the proper usage of data.
Note: Read this article published November 2017 – 7 Data Security Tips To Keep Your Small Business Safe