In this series of frequently asked questions, this article will look at the questions asked when people take the first steps on their data protection journey.
When starting a business, or realising that you aren’t doing things right, it can be difficult to know how to get on the right track. Here are 10 quick-fire questions and answers to ensure are being asked. They will get you further down the road for compliance with The Data Protection Act 2018 and/or The GDPR.
Question 1: Do I have to pay the registration fee to the ICO?
Not necessarily. You have to use the ICO checklist to find out whether you will be required to pay or not. Use this link to find out if you need to pay or not: https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/
Question 2: Do I need to nominate a Data Controller?
Yes, in all cases. A business must nominate a Data Controller irrespective of size of the organisation or complexity of its processes. The Data Controller must be an employee of the organisation, which can include the owner of an owner managed organisation or a sole trader. For more information see https://eyebray.com/poor-data-controller/
Question 3: Do I need to nominate a Data Protection Officer (DPO)?
Not necessarily. You will do if you meet the following conditions:
- Perform large scale processing of personal data items on individuals (NB processing 10 data items counts as 10 not 1).
- You have more than 250 employees.
- You are a public authority, or body.
There is also a checklist on the ICO website that you might want to complete: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/
A DPO does not have to be an employee, it can be someone with the appropriate skills from outside the organisation.
Question 4: What happens if it I refuse to register with the ICO?
There are fixed penalty fines for not registering with the ICO when you should have done so. The fines start at £400 (10 times the amount of the registration fee) rising to £2,940.
There would also most likely be an enforcement order placed on the organisation to ensure it takes the right steps towards compliance. These are usually very time consuming as it’s like working with an auditor providing constant feedback to the ICO on progress.
If you do not keep up with an enforcement order you would most likely be issued with another financial penalty too.
Question 5: What would the ICO recognise as an organisation taking the right steps?
To have the right documents in place and to have an ethos that protects customer personal information over profit. This is a huge attitude change for some as they view this legislation purely as a tick-box exercise from the “fun police”.
Question 6: What documents do I have to produce to help alleviate the risk of being penalised?
There are five things to be done.
- Write a data policy from which all of your processes relating to use and storage of personal data are derived from.
- Write a practical information security policy that will help secure the personal data collected in the course of your business.
- Write a marketing policy that will govern the extent of personal information used.
- Insert a paragraph, or two, into your terms and conditions that mirror your data policy.
For more information see https://eyebray.com/policies-procedures-internal-documents/
Question 7: Is there something to look at in my organisation that will help determine if we are proceeding in the right way?
Compliance can be difficult to judge because of the risk appetite of those in charge of the different organisations. Seeking an external view is always the best way, as a specialist will highlight risks and issues for you to consider.
However, if you cannot agree with the principles below you are most likely not proceeding in the right way.
- Protecting the personal information is not one of the most important things when deciding your processes.
- Using an incorrect “basis for processing”.
- Taking risks with the security of personal data collated due to how much it will cost you to change.
Question 8: How much should I pay attention to cyber-attacks?
Cyber-attacks are the most publicised form of breach, but the smaller business you are the likelihood diminish. Would you have 9 million data records, including customer payment details within the information you collect? Why is that relevant? you may ask. Simply that the response to the threats you believe you face must be appropriate.
Therefore, if you have an online shop, then yes pay lots of attention to cyber threats. Otherwise you should be able to manage your risks using secure communication methods (encrypted channels) when communicating with customers and suppliers
Question 9: Want is meant by a data breach?
Put most simply it is where information has been accessed by some unauthorised means, or by it being destroyed prior to the time advised in your documentation. For more information see https://eyebray.com/data-breach-anyway/
Question 10: Do I have to judge how well I am doing complying with the data protection laws?
The short answer is yes. Ideally you should be looking at the policies that derive your processes and make sure that they are still relevant. You also need to check that the procedures you have put in place are being followed by those that process personal information.
The recommendation is to review your policies annually and align them with your processes immediately after the policies are approved.
Doing what you always do will not bring about change. Think outside the box and finding a route to compliance may be easier.
More FAQ style responses about data protection issues can be found here:
https://eyebray.com/frequently-asked-questions-about-the-next-steps-on-your-data-protection-journey-part-1/: More ideas on data protection to consider and to get your teeth into part 1.
https://eyebray.com/faq-your-data-protection-journey-part-2/: More ideas on data protection to consider and to get your teeth into part 2.
More detailed articles can be found at https://eyebray.com/category/gdpr/
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or by calling 0743211611.
Alternatively visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.