What is a Data Protection Health Check

Like many things in business, and in life in general, there is a need to check where you are and make sure you’re where you’re meant to be. Getting a data protection health check is one of those things. Whether we like it or not, there are things we need to do to make sure we are following the legal framework that is imposed upon us. Ignoring the framework can cost you. It really is as simple as that. If you, like some I know, say “I’ll fix it once I know something is wrong”, you are running some pretty big risks.

Just remember that, as far as the ICO is concerned, being ignorant of what data protection requires, not having the time to sort out what is required and not having the money to do the work that is required is no defence.

So then, what is a data protection health check?

Review What You Have

First off, understand what the law requires you to have. Check that you are registered with the ICO and see if you have at least got the minimum documentation completed for your organisation. We all know that if you have a website, you have a privacy policy on it. But is it up to scratch? What does it tell the users of your website about how you use their data while they navigate through it? How do they change their choices about the cookies you may have set? The regulation that governs cookies isn’t the Data Protection Act; it is the Privacy and Electronic Communications Regulations (or PECR for short).

Next, you need to have documentation that proves you understand and have processes for: a) collating, processing, storing and destroying data, b) keeping data secure and c) showing that the way you carry out your marketing doesn’t breach ICO guidelines. Not having sufficient documentation covering Special Category Data, and other sensitive data, will also get you in hot water if you are found out.

What Should Scare You?

How you conduct your affairs is readily evident to those who interact with you. If they are “switched on” they will know, from what you do, whether you are paying attention to the principles of data protection. These are the people who will complain to you and report you to the ICO. If you get a complaint about how you connect with people, what data of theirs you use and whether or not you use it carefully, that is a warning. If you do not respond correctly, that is when the complaints to the ICO start.

So, understand the terminology: know what a Subject Access Request is and how you should respond to one. You should also understand what “safe” means when talking about keeping personal information safe. Come to that, understand what personal information really is! Understand the different types of data and which ones should be treated more carefully than others, in line with the recommendations from the ICO.

Not understanding whether your organisation triggers things like the requirement for a Data Protection Impact Assessment (or DPIA) or the requirement for a balancing test, or whether you have breached the Children’s Code, can all get you in hot water.

Are You an Ostrich?

Many who “chance it” and don’t have appropriate practices and documentation are basically behaving like ostriches: standing there with their head in the sand waiting for something to hit them. They don’t know when they will be hit, or how hard each hit will be, but they’ll deal with the aftermath. Whether you deal with your responsibilities surrounding data protection before, or after, you get caught out, it will take time and it will take money. But doing it after the ICO are aware you have been caught out means they will be looking over your shoulder, forcing you to reach certain standards on a timeline chosen by them. No-one wants that, although many suffer that exact consequence.

Cyber-crime is one way that organisations with lax data protection practices come unstuck. Unfortunately, as many as 72% of businesses close within 2 years of suffering a successful cyber-attack. Being susceptible to cyber-crime is one of the things covered by data protection legislation, and you should take note of the widely publicised dangers of not taking precautions.

If you haven’t got the basics covered sufficiently for your organisation, and you get caught, there will be consequences. These will negatively impact your organisation. It can be relatively simple to stop behaving like an ostrich: start by completing a Data Protection Health Check.

Impacts

Apart from the example already given about cyber-crime, the ICO will investigate your organisation if it hears negative reports about it. You will have to give them time to see what documentation you have and whether or not you have properly followed any procedures you do have.

Having no documentation, or insufficient documentation, is the worst place to be, so understanding what you need is step 1. Not doing anything about it can cost your organisation up to 4% of its turnover. Yes, you did read that right: turnover, not profit. That might not be the end of it either. If the failings found are seen to be deliberate, then the owner and maybe senior management can be fined up to £500,000 (please don’t shoot the messenger here), and these would be personal fines, not payable by the company.

Apologies, in one sense, for bombarding you with information, but there is a lot more to say on this subject. Please look through the other blogs here: Blog – Eye Bray Limited. The information you want may well have been provided already. Some of what I provide is very detailed.


Nevertheless, we would be pleased to answer your enquiry through email at enquiries@eyebray.com, by calling 0743211611, or by using https://meetings.hubspot.com/eyebrayltd to see when I am free.