Data Protection Update

Every small business must handle personal data appropriately; it is a vital part of building trust with customers, suppliers and staff, and staying on the right side of the law. 

Businesses need to know what they need to do to comply with the Data Protection Act (2018), otherwise referred to as the UK GDPR, the EU GDPR and the Privacy and Electronic Communications Regulations (2003), commonly known as PECR.

Very few businesses will not collect personal information, but to check whether you have to comply with these laws, you must go to the ICO website (https://ico.org.uk/) and check whether you need to pay the registration fee. If the test identifies that you do collect personal data, or personally identifiable information, you must pay the fee and register with the ICO to start to comply with all the laws. Data protection is required for more organisations than you might think.

Appropriate practices, outlined in your policies and procedures, will cover a multitude of circumstances and provide comfort to everyone that their data is safe with you.

Key Principles of Data Protection

The legal definition of personal data is information that identifies, or can help to identify, an individual who is a resident of a country or region. The UK GDPR applies to every person considered to be a resident of the UK. The EU GDPR applies to every individual considered to be a resident of the EU.

Within the legal framework there are three main types of information defined: personal data, special category data, and information relating to children. Special attention may also be paid to other information deemed to be sensitive to the welfare of an individual. Special Category Data is generally accepted to be the protected characteristics as listed in the Equality Act (2010).

You Need To:

Be fair, operate legally and be transparent about your intentions.

Use any personal data you collect for the purpose of that process only.

Only collect what you need to complete that process.

Use the minimum data required to perform that process.

Make sure the information collated and stored is accurate.

Store any personal information securely and only for an appropriate time, after which it must be destroyed.

Understand that the company and senior management, including directors, are accountable for the actions taken, or lack of them.

The People You Will, or May Need

Every applicable organisation will need to nominate and register a Data Controller. This is not optional. Every person that processes personal data is defined, under the law, as a Data Processor (even those that process it on your behalf as a third party, like your accountant or your solicitor).

A Data Controller must be a person who has the skill to understand the legal requirements that the organisation must follow. They must also be senior enough to influence the most senior management. They must be able to create policies and procedures and present them to management. They must keep communicating with the Data Processors to understand what is working well and what is not. Some organisations, mostly larger ones, have more than one Data Controller. There may be a need to specialise in supporting senior management for a particular area of the organisation.

Data Processors are classified as anyone who processes personal data within, or on behalf of, a registered organisation. In smaller organisations the Data Controller can also be a Data Processor. Where this happens their two different roles must be made clear in the documentation of the company. 

Data Processors must remain vigilant, follow the procedures set by management and report those that do not work as designed to their Data Controller. Data Processors have often been blamed for breaches, either because they have not followed the issued procedures (because those procedures have not worked), or through malicious intent. Those found not to follow procedures because of malicious intent can be prosecuted individually by the ICO.

What Can Be Nice to Have

Not every organisation will need a Data Protection Officer (or DPO). For those that do, the DPO should hold a relevant qualification and have an understanding of that organisation, including its ethos and industry/sector knowledge. It can be useful to have a DPO, no matter what your size, to support your Data Controller. Your Data Controller may find it difficult to keep up to date with all of the impacts of new, or revised, regulatory requirements. The Data (Use and Access) Act (2025) is one such revision that will require consideration and implementation over time.

Not Following The Rules

Unfortunately, not all of the rules are fully understood and many skip steps that they should follow. Another, less publicised principle is called Data Protection by Design. It underpins the key principles and is an important tool when considering process changes, including the introduction of new systems, particularly computer systems.

Another example is that processes should be submitted to a Data Protection Impact Analysis (or DPIA). This is particularly true if personal data that relates to children, or Special Category Data, is part of that process.

Remedies

In the end any issue upheld by the ICO has five main remedies.

  • The issuance of an Enforcement Order. The ICO will monitor progress on it and may apply harsher remedies if the issue is not resolved adequately, in their eyes.
  • A fine for an organisation that has not registered with the ICO or has not paid the appropriate registration fee.
  • A low-level financial fine which can be up to 2% of the gross turnover of the business. This is accompanied by a report of what needs to be resolved by the time a further review of the organisation is completed.
  • A high-level financial fine which can be up to 4% of the gross turnover of the business. This is accompanied by a report of what needs to be resolved by the time a further review of the organisation is completed.
  • Personal action can be taken against senior management, including directors, and Data Processors. Fines for senior management can be as high as £500,000. Action taken against Data Processors depends on their actions. Personal fines are levied for inappropriate processing of personal data. However, maliciously intending to act outside of the procedures and to intentionally make data available outside of the organisation may result in prosecution under the Computer Misuse Act (1990), which can lead to incarceration.

Benefits of Good Data Protection Structure

Quite simply, having a good Data Protection structure promotes the trustworthiness of your organisation. 

It Means:

Your organisation will be registered with the ICO (where this is applicable).

The Privacy Policy for your organisation will be clear about what information your website collects.

Your Data Controller's contact information will be visible.

Appropriate breaches will be reported to the ICO within 72 hours of discovery.

Your Terms and Conditions will include elements relevant to personal data.

Processes for reporting data breaches will be clear to those who need to follow them.

System-based security will be clearly identified in the procedures.

The business will run more efficiently with well thought out processes.

Continuity plans for successful cyber attacks will reduce the time during which the organisation cannot operate.

Data entry forms will be streamlined and relevant to each process.

Training new staff, or externally placed Data Processors, will enable efficient communication.

What’s The Bottom Line?

Have a checklist to measure, and maintain, compliance with the regulatory framework. It is the easiest way to stay on track. Review all the documentation that relates to the regulatory framework at least annually. Use plain language rather than jargon, as it is easier for everyone to understand.

Perform the actions stated in your policies and procedures, like destroying data that is no longer required. Make sure that your third-party processors are operating in line with their authority. Ensure your published documents, like your Terms & Conditions, reflect the current legal framework.

Be ready to respond to potential data breaches and cyber-attacks to protect personal data and to ensure investigations and remedies are appropriate. Please remember, 60% of companies fail within 6 months of suffering a data breach and 72% fail within 2 years.

Being compliant with the regulatory framework for data protection isn’t just about protecting your organisation from fines and other enforcement processes. It also means protecting your market share, protecting your reputation and proving you can be a trusted partner, whether as a customer, a supplier or an employer.

Very few organisations do not have to follow this regulatory framework. If you haven’t taken the test on the ICO website yet, assume you do and start to take steps towards becoming compliant now.

Was there anything in here that you did not know about? Look at other blogs on our website (https://www.eyebra.com/blogs/) to see if there are more answers.

Contact us now to find out more about how we can help. You can book your discovery call by using my calendar link: https://meetings.hubspot.com/eyebrayltd

Otherwise, email using: enquiries@eyebray.com or call us on 020 3026 5600, or 07943 211611.