It’s always difficult to start these things off, but I recently shared the contents of this page in a networking meeting I attended. They were gratefully received so I thought it would be good to share them on here too.
This page relates to data protection in the UK and is aimed at UK businesses and organisations. Some of what is here are lesser-known legal requirements; the rest are thoughts on how you can achieve best practice in your own business or organisation.
To start with, compliance with UK data protection law takes more than just registering with the ICO (paying the data protection fee). Registration is a requirement for any business, association, club or organisation that processes personal data, unless an exemption applies, but that is only the start.
Financial penalties for non-registration range from £400 to over £3,000, and further penalties are available to the ICO should other non-compliance be found.
At the time of writing, the EU had granted the UK legal framework (the UK GDPR and the Data Protection Act 2018) an adequacy decision, recognising it as giving protection equivalent to the EU GDPR. This means that if someone is trying to sell you an EU GDPR compliance framework on the basis that UK data protection law is substandard from an EU perspective, they should not be listened to. It is true, however, that certain cross-border data transfers require further documentation and controls to be in place. That was also true before the UK left the EU.
Compliance with the legal framework is made up of two types of documentation: externally facing documentation (such as your privacy notice) and internal documentation. Both are equally vital, as one should reflect the other.
Unfortunately, the internal documentation required will vary from business to business and organisation to organisation. It is fair to say, though, that three policies will be needed to convince the ICO, upon investigation, that you have considered what you do with data and that you are taking steps to keep improving how you control all data, and personal information in particular.
There are three internal policies that are most important. These are: a) Data Policy b) Marketing Policy and c) Information Security Policy.
The data policy (of some description) sets out the basics of why data is collected, how it is used, how it is stored and how it is destroyed. It should cover the three types of data: physical (printed) data; electronic data, including photographs and videos; and voice data, such as recordings of telephone conversations and voicemail messages.
It is important to note that some retention requirements are set externally in other laws. For example, HMRC requires financial records to be retained for a minimum of 6 years, and the Companies Act 2006 requires records of board meetings, which may contain personal information, to be kept for 10 years.
The marketing policy is different from a marketing strategy: this document sets out what type of marketing you are allowed to do, and where and when you would rely on data, especially personal information, when marketing to your clients and potential clients.
There are many detailed restrictions in the Privacy and Electronic Communications Regulations 2003 (PECR) that also need to be taken into account when constructing this policy.
The information security policy isn't just about changing your passwords regularly. The modern business has a plethora of electronic wizardry to assist it on its administrative, marketing and financial journey. All of it, software and hardware alike, has flaws and weaknesses, and the regulations have definite things to say about them. Biometric data, most commonly used to unlock smartphones, can identify a person as readily as a photograph on a website or a social media post, and where it is used to uniquely identify someone it is special category data under the UK GDPR, which demands stricter controls.
A close look at your processes is required to assess correctly whether your actions are appropriate.
Other useful bits of the legal framework are: