Updated: Jan 7
If you have a small business, it's safe to assume you are processing information about your customers and suppliers. If you have staff, you're processing information about them too. It's important to understand your obligations and to be aware of the relevant data protection regulations.
The Data Protection Act 2018 and UK GDPR apply to any business established in the UK. Small businesses are not exempt from this, and establishing a set of transparent rules and procedures around how you deal with personal data shows your customers you are doing everything you can to protect their personal data, which in turn establishes trust.
The Data Protection Act - 7 key principles
There are 7 key principles set out within the DPA, and you must consistently follow them.
1. Personal data must be processed lawfully, fairly, and in a transparent manner
This principle requires that you are transparent in your processing and use clear language when explaining how you process personal data. You must communicate the name of your business and tell individuals how you are going to use their data. Additionally, you must tell them if you are going to use their information in any way that isn't immediately obvious. For example, you must tell the individual if their details will be shared with any third parties, who these third parties are and for what purpose the information is shared; for example, you may use a third party to manage your payroll processing.
If the data you are collecting is sensitive, you'll need to gain explicit consent from individuals in order to process it.
Sensitive data includes:
trade union membership
Right of access
All data subjects have the right to maintain their data and to request copies of the data you hold about them. This will usually take the form of a Subject Access Request (SAR). Are your systems able to meet this demand? Where are you storing data, and do you regularly ensure the data is up to date and still relevant for the purposes you need it for?
Did you know that if you have staff, you should have a separate data privacy notice for them which explains what data you collect and for what purpose, and whether you use any third parties to process the data such as My Office Fairy for example?
2. Personal data must be processed for specified, explicit, and legitimate purposes
You must communicate clearly why you are collecting someone's personal data and what you intend to do with it. If the reason you are collecting data changes over time, you cannot assume that because you already have the data it's OK to use it; you will need to gain specific consent from the individuals to use that data for the new purpose.
3. Personal data must be adequate, relevant, and not excessive
You should only collect the minimum information you need that is relevant to the specific purpose. You may not collect information that is "nice to have" if it isn't immediately relevant to the specified purpose.
4. Personal data must be accurate and up to date
The information you hold about a person should be accurate, and you need to have processes in place to ensure it remains so. This could be a regular communication asking data subjects to notify you of any changes, or an employee portal that allows your staff to take responsibility for updating their own information. People have the right to correct inaccurate or incomplete personal data that you are processing. Data subjects also have the "right to be forgotten", which means they have the right to ask you to delete any information about them that you may hold.
5. Personal data shouldn’t be kept any longer than is necessary
How many of us have files and records that go back for years "just in case"? This is a big no-no under the DPA. You should have systems and processes in place that regularly review the data you hold on file and archive or destroy it appropriately. This also helps you keep on the right side of principle 4 above.
There are specific guidelines on how long you should retain certain records, and it's a good idea to set these out in a retention policy.
6. Personal data must be processed securely
You must ensure you process personal data in a manner that maintains its confidentiality and integrity. In practical terms, this means you need to have security measures in place, such as physical locks on paper records, and adequate password security, authentication and backup measures for digital records. Should a data breach occur and you haven't taken such steps, you are likely to be found liable, and this can attract fines as well as loss of confidence and trust from your customers.
7. The controller is responsible for GDPR and must demonstrate compliance
Finally, as a data controller you are responsible for compliance and can be held accountable both for your own compliance and for the compliance of your processors. Here is a handy GDPR checklist for Data Controllers. I would run your own business through it first and then show it to your clients to help ensure they are also in compliance. More information about your responsibilities as a data controller can be found here.
For more information on GDPR principles see the ICO website.
Whilst every care has been taken in compiling this information, My Office Fairy Ltd cannot be held responsible for any errors or omissions and the information is not intended as a substitute for specific legal advice.
If you need support with anything discussed above, or any other aspect of your business, My Office Fairy are here to help so just get in touch.