Although we at Berwins do a lot of work advising on data protection issues for technology businesses, understanding the protection of personal information is essential for all businesses.
The obligations on businesses are not dependent on size; they are dependent on what a business does. Amongst out clients, a multinational engineering company supplying other businesses with have less to consider than a startup developing a dating app. There will be employee data to consider, but the commercial data will be fat less complex.
This is because the protection is for personal data – not purely commercial data. Some commercial data will be personal – such as names and contact details – but if a business isn’t collecting personal data as part of its business model, them its requirements may be relatively slight. The more that customers are individuals, the more a business needs to be aware of its data protection obligations under the General Data Protection Regulation (GDPR, of course) and the Data Protection Act 2018.
At the core of data protection regulation are the principles of accountability and transparency. You need to be making clear to your customers what you are doing with their data, as well as making sure that the purposes are legitimate. That often doesn’t mean you have to have tick boxes to use customer data; “consent” is only one of six legitimate reasons for processing personal data.
Whilst data protection can seem like a minefield, there are good, accessible resource available. We’d always suggest starting with the Information Commissioner’s Office website www.ico.org.uk. As well as guidance, there are also load of checklists, sample policies etc, for different types of businesses and organisations. Someone in your organisation, at a senior level, needs to have a handle on this, and know when to reach out for external advice. The Information Commissioner’s Office has substantial powers to fine non-complaint companies, but it will use these only where there is blatant and repeated abuse. Its main purpose is to advise and assist so that individual’s personal data is treated properly.
Steps to take
There are certain specific steps a business should therefore take, which include:
- If you handle (“process”) any personal data at all, you need to be registered with the Information Commissioner’s Office (it costs very little)
- Be in a position, if asked (by a “subject access request”), to provide an individual who is entitled to the information, with details of the personal information you have about them
- Know what you can and can’t do with personal information – don’t make it a free-for-all
- Don’t collect more data than you need
- Don’t keep data for longer than you need it – have a process for deleting it.
- Have a policy, and stick to it
- Make sure people in your business know about the policy
- Have in mind the people’s personal information is theirs not yours, so you need to treat it with respect (as you would like your own personal data to be treated)
- Consider what would be appropriate/proportionate technical and organisational measures to protect the security of the data you need to collect. Limit access to that kind of information to those who need access to it
- Be particularly aware if you are dealing with sensitive personal data - The
What counts as 'special category' data'?
GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
For this, particular rules apply, and you need to be particularly vigilant to observe those – see the ICO website.
This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
Because of our work with technology businesses in particular, we are well equipped to advise all types of businesses the area with deep level of expertise – please contact us on firstname.lastname@example.org for assistance.