Compliance

There are a lot of regulations and policies related to using and storing data and keeping up to date isn’t easy. The example list here is far from comprehensive.

Larger organisations may have dedicated departments but most smaller businesses need to use their time and resources on sales, not admin. eNaycH has been helping people with compliance for over 15 years and we know the policy landscape.

We can work with you, short or long-term, or train your team so that data protection is built into your processes to ensure your data is secure and your company safe from potential enforcement action or financial penalties.

Just a few policies to be familiar with!

Websites & eCommerce

Whether it’s one page of information about your business or a multi-page ecommerce site, if you collect any personal data either directly or for use by a third party (automatic email list building, ecommerce payment/delivery service providers), visitors must be able to see how information about them will be used.

Many people don’t realise that their website data isn’t stored in the UK. Hosting companies, especially budget hosts, often store data in the USA, Europe or whichever country is offering ‘cheap servers’. The Data Protection Act states that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection.

The ‘Safe Harbor Scheme’ in the USA is to be replaced with the EU-US Privacy Shield which will have implications for the privacy of data stored there.

This is just the start of online data protection. eNaycH can help businesses of all sizes ensure they know their responsibilities and meet them.

Sample website regulations

Blogging, Membership or Newsletters

There are specific rules on:

  • direct marketing by telephone (landline and mobile), emails, SMS/texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure;
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The regulations extend to video messaging and automated messaging by telephone. They also offer some protection to corporate subscribers. The important part of the Regulations is that they only apply to unsolicited direct marketing.

So if you are using pop-ups soliciting your website visitors to sign up to your blog, membership scheme, newsletters etc., you have to be very clear in notifying the visitor exactly what they are providing the information for and how it will be used.

eCommerce

If you have an ecommerce site and use a third party such as PayPal, you need to inform visitors of both your own and the third party’s data usage.

It may be obvious that the third party will need certain information from your site in order to complete the contract, but you must explicitly notify the visitor who the third party is and what its privacy policy is. This may also mean that customer data will be stored by the third party, possibly on servers outside the UK that are subject to different regulations.

WordPress

WordPress is a solid and reliable CMS, but there are some common and frequently overlooked security precautions everyone should take. We work in partnership with wPUPdate to provide either advice or a completely managed service to secure your website and private data.

Location Data

PECR places restrictions on the processing of location data (it does not apply to traffic data). Location data may only be processed where:

  • the user or subscriber cannot be identified from such data; or
  • it is necessary for the provision of a value added service, with the consent of that user or subscriber.

It is important to note that the following information must be provided prior to obtaining the consent of the user or subscriber as above:

  • the types of location data that will be processed
  • the purposes and duration of the processing of that data
  • whether the data will be transmitted to a third party for the purpose of providing the value added service.

The user or subscriber should always be able to withdraw consent at any time, and this ability should be offered in each transmission of a communication.

Privacy

In order to comply with the Data Protection Act 1998 and PECR and adopt good practice there is also the ICO Code of Practice in relation to privacy of individuals. The code of practice is designed to help you collect and use information fairly and transparently.

Clear privacy notices ensure that individuals know how information about them will be used, and that they understand the impact it will have on them.

The code uses the term ‘privacy notice’ to describe the explanations that are available to individuals when information is collected about them.

The need to actively provide privacy notices is strongest where the collection or intended use of the information may be unexpected or objectionable. The code explains how best to gauge people’s reasonable expectations to understand when it is necessary to actively communicate information.

Here’s the Privacy Notice – Code of Practice

Marketing

If you’re planning a direct marketing campaign, you’ll have to comply with specific regulations for unsolicited electronic messages sent by telephone, fax, email or text, and material sent by post.

There are specific rules on:

  • direct marketing by telephone (landline and mobile), emails, SMS/texts and faxes
  • cookies (and similar technologies)
  • keeping communications services secure
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The regulations extend to video messaging and automated messaging by telephone. They also offer some protection to corporate subscribers. The important part of the Regulations is that they only apply to unsolicited direct marketing.

Sample marketing regulations

Automated Calling Systems

Telephone systems capable of automatically initiating a sequence of calls to more than one destination, in accordance with instructions stored in that system, and which transmit sounds that are not live speech, fall into this bracket.

It does not cover fax, electronic mail, SMS/text, picture or video messages.

The regulation states that such messages from automatic calling systems must not be transmitted without the prior consent of any subscriber – which includes the workplace. All messages must give the identity of the caller and an address or free-phone number where the caller can be contacted for opt-out purposes.

It is a breach of the Regulations to send automated messages without consent.

Fax Marketing

The Fax Preference Service (FPS) is a statutory list of those who do not wish to receive marketing faxes. Registration with the FPS is available to individuals and corporate subscribers and requires a one-off registration.

Fax marketing can only be sent to individuals with consent, and to corporate bodies provided they have not subscribed to the FPS. It is also a breach of the Regulations to allow someone else to use your line to send faxes in contravention of the Regulations.

Consenting specifically to receive marketing faxes from a particular organisation will override the effect of FPS registration in respect of that organisation only, and your consent may be withdrawn at any time.

Telephone Marketing

The Telephone Preference Service (TPS) is a statutory list of those not wishing to receive telephone marketing calls.

Individuals only need to register once; corporate subscribers, however, must register annually. Registration is free.

The Regulations apply to live voice calls by landline or mobile, but not to SMS/text or automated calls. Under the Regulations individuals and corporate subscribers can be contacted by telephone unless they have objected to receiving marketing telephone calls or are registered with the TPS.

As with Fax Marketing, those registered with the TPS can override their registration by actively consenting to receiving marketing calls from a particular organisation and are free to withdraw their consent at any time.

SMS/Text and email

Marketing can be sent by email/SMS/text to individuals only where individuals have opted in to receiving them, or they have exercised the “soft opt in”. No prior consent is required for corporate subscribers.

However, when sending such messages, senders must always give a valid address to enable recipients to opt out of receiving more and must never conceal or disguise their identity. There are no restrictions on marketing to corporate bodies, but the rights of individual employees under the Data Protection Act 1998 to stop receiving direct marketing still apply.

An individual is deemed to have “opted in” if email details have been obtained in the course of (1) a sale or (2) negotiations for a sale to the recipient, the marketing communication being sent is for similar goods and services, and the recipient was given the opportunity to opt out at the time the details were collected. The opt-out option should be included with each communication.

Workplace Security

Whatever the size of your organisation, the protection of personal data is paramount. Employees, contractors and sub-contractors must be aware of their responsibilities and requirements: what personal data is, and how it must be secured and protected.

There are many tools available to organisations, with the Information Commissioner’s Office issuing a Think Privacy toolkit to raise awareness and help employees become engaged in data security.

The Clear Desk Policy is an instrumental part of Think Privacy. It highlights such important messages as:

  • Locking Desk Drawers
  • Keeping the Desk and workspace clear of any personal data
  • Locking mobile devices such as laptops away in drawers
  • Locking the computer screen when not at the workstation
  • Disposing of personal data in the confidential waste bin

Personal Information Promise

The Information Commissioner’s Office is urging organisations to adopt the Personal Information Promise initiative to demonstrate a commitment to data protection from “the top down”. The aims of the initiative are to improve compliance with the Data Protection Act and strengthen public trust and confidence in those who are entrusted with personal information.

eNaycH can help your organisation or small business develop these ‘integrated practices’, building data security into your normal way of working to save time and prevent accidental security lapses.

Monitoring

Workplace monitoring such as cameras, recorded phone calls, emails or letters, in private premises or public areas is covered by the Regulation of Investigatory Powers Act 2000 (RIPA). The Act also covers the use of covert human intelligence sources and accessing electronic data protected by encryption or passwords.

There are many legitimate reasons why employers may wish to monitor their workforce and assets, mainly for the detection or prevention of:

  • harassment by email
  • disclosure of confidential information
  • circulation of libellous statements
  • fraud or other criminal activity
  • abuse of resources (staff time, company vehicles, internet)
  • poor performance and breaches of policy/procedures
  • circulation of unlicensed software

However, collecting information without abiding by the regulations may qualify as an invasion of privacy and could mean severe legal penalties. eNaycH can help you avoid potential litigation while collecting information important to your business and your team.

Common types of Monitoring

  • CCTV
  • Telephone Monitoring
  • Internet/Intranet Monitoring
  • Time recording/entry pass systems
  • Vehicle “black box” systems
  • Key Stroke, to monitor efficiency
  • Location Data
    • mobile phone location data
  • Audio bugging
  • Direct surveillance by management or others on management’s behalf

Monitoring of these types requires that you provide the right information to those being monitored, hold and understand the necessary policies and guidelines for your business, and have adequate security for the data which is collected.

A breach of confidentiality or unlawful collection of data can severely impact your business with potential enforcement action, monetary penalties and a loss of trust with customers or staff. With our help you can keep your data and your customers safe.