Barbara Neilan, BridalBuyer.com’s business law expert, talks us through her top ‘data protection horror stories’, offering tips on how best to manage data mishaps and comply with the GDPR.
Halloween is nearly upon us. It’s the time when we carve pumpkins, eat too many leftover sweets because the trick-or-treaters didn’t show up, or watch a scary movie. Being scared can be fun...right? But not when it comes to your business. That brings me on to this month’s topic – data protection breaches and what you can do to ward off this evil!
Let me tell you a terrifying fact…
For the most serious of data protection breaches, you could face a maximum fine of £17.5 million or 4% of your annual global turnover, whichever is greater. Are you scared yet?!
Fines at that level are reserved for the worst offenders, but they are definitely something to keep in mind. That being said, not every breach results in a fine – the Information Commissioner’s Office (ICO, the UK’s independent authority on data protection) can instead issue a formal reprimand, temporarily ban you from processing personal data, or order you to delete personal data completely. Which of these you get depends on how serious the failure was.
What’s scary though is that breaches (and penalties issued) are published on the ICO website, which could damage the reputation you’ve worked hard to earn.
In a nutshell, personal data is any information from which a living person can be identified, whether directly (such as their full name together with their date of birth or contact details) or indirectly (such as their first name and the company they work for).
A personal data breach is a security failure that leads to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed to an unauthorised person, or accessed by one. For instance, this could be emailing personal data to the wrong recipient, an intrusion into your computer systems, or losing a USB stick with customer personal data saved on it. You need to keep personal data secure at all times!
If you process personal data, you must register with the ICO and pay the annual data protection fee (£40 or £60 for most small businesses). Almost all UK businesses process personal data, despite what others may have told you!
As I touched on in last month’s article, your website needs certain things in order to comply with the Data Protection Act 2018 (DPA). I’ll let you read that at your leisure, but as a recap every website needs a privacy policy, and any website that sets non-essential cookies (analytics, advertising and the like) needs a cookie consent banner – strictly a requirement of the Privacy and Electronic Communications Regulations (PECR), which sit alongside the DPA.
You should implement the following into your business processes:
• Nominate a person in your business responsible for data protection.
• Think carefully about who actually needs access to customer personal data and restrict access to those people only; everyone else should not be able to get at it.
• Be sure to encrypt personal data. A password on a document or a login screen is not the same as encryption: if a laptop or phone is lost or stolen, only full-disk encryption (for example BitLocker on Windows or FileVault on a Mac) stops whoever finds it reading the data off the drive. This is particularly important for devices that are taken off the premises.
• Train your staff on their data protection obligations.
• Produce a company data protection policy.
• Keep a log of every data breach, whether or not you need to report it to the ICO, recording what happened, its effects and what you did about it.
Where you use third parties to provide goods or services on your behalf, you should make sure your customers have been told that their personal data will be shared with those third parties (this will usually be set out in the privacy policy on your website) and that you have a lawful basis for the sharing – this can be consent, but for a supplier acting on your instructions it is often the contract with the customer or your legitimate interests. Along with this, the contracts you enter into with these third parties must include the written terms the DPA requires, obliging them to process your customers’ personal data in accordance with it and only on your instructions.
Only breaches which pose a risk to people’s rights and freedoms need to be reported, but where a breach is reportable you must tell the ICO without undue delay and, where feasible, no more than 72 hours after you become aware of it. For instance, if your customer database, which holds names and contact details, is accessed by an unauthorised third party such as a hacker, that data could be used to commit identity fraud, so the breach is likely to affect your customers’ rights and freedoms. You should report this!
When you report the breach, you need to give the ICO as much information as possible, such as how many customers are affected, what kind of data has been disclosed, what the likely consequences are, and what measures you have taken or propose to take to deal with the breach.
Where a breach is likely to result in a high risk to the affected customers (a higher bar than the one for telling the ICO), you must also inform those customers without undue delay, explaining the nature of the breach, the likely consequences for them and what steps you have taken to mitigate the risks.
If you send out email marketing to your customers, they must have consented to being contacted in this way (or, for existing customers, have been given a clear chance to opt out when you collected their details and in every message since). That consent can be withdrawn at any time, and you need to act on the request promptly so as not to fall foul of the ICO. Many of the enforcement actions published on the ICO’s website relate to marketing emails. A recent example is a fine of £200k issued to We Buy Any Car for sending 191.4 million marketing emails and 3.6 million marketing texts without valid consent over a 12-month period. The moral of the story: consent is key.
Data protection is an absolute minefield, so be safe out there!
At Jamieson Law, we pride ourselves on helping small businesses understand their legal obligations and trying to make everything that bit less daunting. This includes helping out with data protection.
If you feel like you could benefit from some one-to-one advice on your responsibilities as an employer, or any other legal matter, please take advantage of our free 15-minute legal advice calls.
These are not sales calls; just our way of giving back to the business community. You can book a slot here calendly.com/jamiesonlaw/15min