Data Protection & Privacy
More likely than not, any new start-up will be dealing with customers, suppliers and possibly employees; online it may be offering newsletters or e-commerce, or at the very least have a contact form or a similar way of getting in touch. All of the above involve what is termed ‘personal data’ being collected, used and stored (collectively, ‘processing’), and that data is covered by data protection and privacy legislation.
Personal data is more than just the names, addresses, departments and remuneration held by HR. Under the Data Protection Act 1998 (DPA), it is data which relates to a living individual who can be identified from that data, or from that data together with other information the data controller holds or is likely to obtain.
Data Protection principles
It’s of vital importance and a legal requirement to ensure that such personal data is:-
- used fairly & lawfully and only for the purpose it has been supplied
- adequate, accurate, up-to-date and only kept for as long as is necessary
- secure and not accidentally or deliberately compromised
- stored in a location/country that has adequate provision for data protection
If you are the person who decides how and why personal data is processed for the new enterprise, you are the data controller under the DPA.
As a data controller you must be able to identify, and demonstrate, the condition (the legal basis) under which you process personal data.
Historically the conditions relied on for legitimate processing of personal data have included, amongst others, that the processing was necessary:-
- for the performance of a contract to which the data subject is a party, or
- for the taking of steps at the request of the data subject with a view to entering into a contract
You also need to know that there is a separate classification for certain types of personal data, known as ‘sensitive personal data’ (for example health, ethnicity, religion, trade union membership and criminal records). Processing sensitive personal data requires a further, additional condition to be met on top of the condition you already rely on for processing ordinary personal data.
Anyone other than an employee of the data controller who processes personal data on the data controller’s behalf (a hosting provider or payroll bureau, for example) is a data processor under the DPA.
New Kid On The Block
There’s new legislation, the General Data Protection Regulation (otherwise referred to simply as GDPR), which replaces the Data Protection Act 1998; it applies, and becomes enforceable, from 25th May 2018.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
GDPR is in effect updated legislation that reflects the new technology and ways of working that have emerged since the DPA was introduced, but it also adds to and updates some of the definitions relating to personal data.
Moreover, it’s not just computerised records. The Information Commissioner’s Office (ICO), which regulates the legislation in the United Kingdom, confirms that GDPR still covers manual filing systems where personal data are accessible according to specific criteria.
This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Source: ICO
Plan & Budget
There’s just over twelve months to go before enforcement of GDPR, so ensure you plan and importantly budget for it.
Start now: review your plans and build data protection and privacy in before you launch, even if this means delaying the launch a little.
Even if you have already launched, work through the what/how/where/who questions:-
- What personal data you collect and process
  - Which legal condition (basis) you rely on for processing it
  - Is any of the data sensitive personal data?
  - Which additional legal condition you rely on for processing that sensitive personal data
  - Can you minimise the amount of personal data collected?
- How you collect and process it
  - Is the processing transparent, fair & lawful?
  - Is the data collected and used only for the purposes for which consent was given?
  - What mechanism keeps the personal data accurate and up to date, and ensures it is kept only for as long as is necessary?
- Where is the personal data stored?
  - In a location/country with adequate data protection provision?
  - Is it secure?
- Who has access to the personal data?
  - What controls are in place to ensure the personal data is not accidentally or deliberately compromised?
- Have you reviewed the privacy notice to ensure it is compliant, written in plain English and makes sense to a non-technical person?
  - Does it clearly show the data controller’s details?
  - Does it state the purpose or purposes for which the information will be processed?
  - Does it give any other information needed to ensure that the processing of the personal data supplied (whether by the data subject or from other sources) is fair?
- If the site uses a content management system, do you have a policy to ensure it is kept up to date, backed up and scanned for malicious software?
- Does the site have the necessary cookie notice/policy (if cookies are used)?
The ICO publishes a privacy checklist.
It’s not too late to get compliant in readiness for 25th May 2018.
We Can Help
eNacyH believe that organisations will find the transition to the new regime easier if they are already compliant with the existing legislation, such as the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations. The UK Government publishes guidance, ‘Data Protection and Your Business’.
Don’t be put off or intimidated by this legislation; it’s there to protect you, your new business, your clients, your suppliers and your employees.