In this series of frequently asked questions, this article will look at those asked when people get a little more involved with their data protection journey.
If you want to check how well you are doing, or realising that you aren’t doing things right, these are the things to ensure are being asked, or done, to get you further down the road for compliance with The Data Protection Act 2018 and/or The GDPR.
Question 1: What does accountability mean for senior managers in an organisation?
The owner, and/or the senior managers, of an organisation are individually liable for the part(s) of the organisation that they control. Failure to comply with regulations can result in personal financial penalties of up to £500,000 each.
Question 2: How is data relating to children different to Special Category data?
Children are not legally responsible for specific actions until they reach a certain age. Therefore, if you have a business that collates, processes, stores and destroys personal information on children without a parents consent take extra care. Make sure only authorised people have access to this type of data and that it is stored more securely than standard personal information, just like Special Category Data should be.
Question 3: Does data protection legislation mean I can’t send any marketing out now?
Absolutely not. Marketing is the constant reminder of what your organisation does and keeps business relationships going. The two major pieces of legislation that determine what can be done are the Data Protection Act 2018 (DPA) and the Personal Electronic Communications Regulation 2003 (PECR). Not to over generalise things, hopefully anyway, the DPA provides the framework and the PECR provides more specifics about the restrictions, e.g. how to market pension products to individuals.
Question 4: What can I do to keep in contact with my customers?
The most important thing is to keep records. Your data policy will tell you how long you can keep personal information for after your relationship has ended, either as a client, colleague, collaborative contact, etc. Other things that can affect this is the guarantee linked to the product you have sold, e.g. “white goods” may have a guarantee of 2 years and certain flooring may have a guarantee of 25 years. If you create your policy correctly you will be able to communicate the fact that a guarantee on a product you have supplied is coming to an end. If you have permission to send them marketing materials you can then add details of the potential replacement products and any special offers you may have.
Question 5: When can I share personal data?
The shortest answer is “where you have consent to do so, where there is a legal obligation, or where someone life may depend on it”. Sound drastic? It’s not meant to, but sometimes making things punchy adds drama. There are lots of extenuating circumstances and examples that go with this but the simple fact is your organisation cannot share data just because you want to.
Question 6: How long can I keep data for?
The regulations say that you cannot retain personal information for longer than the purpose for which you collated it for. That makes a certain amount of sense, but every employer wants to have their employees work history verified – at least. This leaves every employer with a conundrum. What data do I keep, and for how long, and what can I divulge? Basic data to confirm an individuals’ identity their start date and end date at an organisation is pretty much expected these days. Keeping their sickness records for the same period would be very questionable. Individuals should have control of these records themselves rather than organisations controlling them.
Question 7: I’m only a small business, I can’t do everything on the ICO’s list?
The ICO, and the application of the regulation, always looks at the organisation itself to determine what level of control and activity should be relevant for each organisation. A data policy for a global organisation would be much larger than one for a family business. In the same way the data policy for a childrens charity would be larger than one for a small independent retailer, but there should always be one. The most important thing to do is right down your decisions and keep them separate. Then those that need to know can see that you have the intention to follow the regulations to the best of your ability.
Question 8: How do I know when a Data Protection Impact Assessment (DPIA) will be required?
When you do or use something completely new, you would research it. You would find out it’s good and bad points and if the bad outweighs the good then you would not use it. If there is something bad that you can get around with a little extra effort, you may well go ahead with it. This is what a DPIA is like in practice. Yes – it’s box-ticking, but it’s informed box-ticking. Writing down what you find and why you accept, or reject, an idea is what is required. Don’t you do this with everything that you want to try? I certainly would, and this is what the regulation requires. It doesn’t have to be a 50 page report with risks, issues and mitigations included in it, but some would have you believe that this is what it must be.
Question 9: How do I know what is going to be appropriate control for my organisation?
You have appropriate controls when you can identify all of the processes in your organisation that utilises personal information. If you do not have that documented you are at risk of not having appropriate controls for your organisation.
Question 10: How do I know what to look for in suppliers of IT services and other third-party vendors?
If you have completed your documentation properly then you should be able to ask your suppliers for the same type of detail. Do they have the same amount of documentation as you? Do they have controls appropriate to support your organisation? At the end of the day, you wouldn’t want a rogue having access to something to regard highly – more than money even. Their terms of services would be the first place to look for clues about their attitude towards personal information. If you do not like what you see, e.g. there is no mention of any provision to protect personal information, trust your gut instincts and walk away.
There is a part 1 for this article too.
Don’t have a piece missing from your data protection puzzle. https://eyebray.com/frequently-asked-questions-about-the-next-steps-on-your-data-protection-journey-part-1/ the first ten questions about moving on with your data protection journey.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through sending an email to firstname.lastname@example.org, or by calling 0743211611.