Data protection and privacy compliance is a complex area with a lot of rules, regulations, codes and other guidance, which makes it challenging to identify the best starting point. The following top 5 tips will help you get started in this process.
1. Am I responsible for complying?
In the UK and across the EU, the “data controller” is the organisation which is responsible for complying with the law and safeguarding personal data.
If you collect and use personal data of customers and/or employees for your own business purposes, you are likely to be a “data controller” and will need to comply with applicable laws, including the UK Data Protection Act 1998 (“DPA”).
2. What personal data do we hold and why?
As a data controller you need to know and understand the “personal data” you store, whether electronically or, if in hard copy, in some form of filing system. “Personal data” is any data that can be used to identify an individual, even indirectly.
As an organisation you should know and understand what data you hold, why you use it, how you process it and how long you keep it for.
You should make efforts to remove personal data periodically (unless restricted by law) and also ensure that you are aware of where any third party service providers (e.g. cloud service providers) send data, such as to the US or India.
3. What about our Privacy Policy?
It is a legal requirement to have in place a “fair processing notice” (typically referred to as a “privacy policy”) which sets out as a minimum: who you are; what personal information you collect; and how you use the information.
The privacy policy is one of a number of privacy compliance building blocks and it is important to be transparent in the way you use personal data.
4. Have we registered with the regulator?
The Information Commissioner’s Office (the “ICO”) regulates and enforces the DPA. Depending upon the type of personal data you process as a data controller, you may need to register with the ICO.
This is a relatively simple process and more information is available at: http://www.ico.org.uk/for_organisations/data_protection/registration. Failure to register with the ICO is an offence, so you should look to do this at the earliest opportunity.
5. Should we get consent from customers?
For everyday processing of personal data, it is essential to provide your customers with information about how you intend to use the information they provide you with (which is typically by way of the privacy policy).
In some circumstances, such as where you intend to use personal data you hold for marketing, consent from the customer might be needed.
Explicit consent is not always needed, but you should consult ICO guidance or speak with your legal representative to consider when consent is needed and would be appropriate to obtain.