Data Protection Essentials

Here are 23 questions that you really should know the answers to:

  1. Do you understand what data flows through your business and record:
    • what personal data you hold,
    • where it came from,
    • who you share it with and
    • what you do with it?
  1. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent
      • Is it good consent,
      • Do you record how it has been given; and
      • Do you record and manage ongoing consent?
    • If you are relying on legitimate interests
      • Have you done the three-part test, and
      • Can you demonstrate that you have fully considered and protected individuals’ rights and interests?
  1. Are you currently registered with the Information Commissioner’s Office?
  1. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
  1. Can you deal with a Subject Access Request, i.e. a request from a person to access their personal data, within one month?
  1. Do you make sure that the personal data you hold remains accurate and up to date?
  1. Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
  1. Do you know what to do when someone asks you to restrict the processing of their personal data?
  1. Can someone move, copy or transfer their personal data from your system to another safely?
  1. Can you deal with an individual’s objection to the processing of their personal data?
  1. Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
  1. Do you have a data protection policy, and demonstrate your compliance with it?
  1. Do you regularly review the effectiveness of your data handling and security controls?
  1. Do you provide data protection awareness training for all staff?
  1. If you have third parties that process your personal data, do you have a written contract with them which meets the legal requirements?
  1. Do you know the information risks you have and their business impact so that you can manage them in a structured way?
  1. Have you implemented technical measures and policy to integrate data protection into your data processing?
  1. Do you understand when you must conduct a Data Protection Impact Assessment?
  1. Have you nominated a data protection lead, or a Data Protection Officer if you are required or prefer to? (Note this role can be outsourced.)
    • If you have a Data Protection Officer have you notified the Information Commissioner’s Office?
  1. Do you champion a positive culture of data protection compliance in your business?
  1. Do you have an information security policy supported by suitable security measures?
  1. Do you record all personal data breaches no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the Information Commissioner’s Office?
    • Do you know which must be reported to the data subject?
  1. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know the answers you really had better find out – we can help – take a look at our data protection solutions.

Crab Insight June 2020

Red Tape Busters Volume 7, Issue 09, Restoration

Welcome to the June edition of Crab Insight

Love your business – we do! As companies across the UK prepare for the ‘new normal’ we’ve just made our word of the month ‘Restoration’.

How are you going to restore your services while also taking account of and adapting to what was for most very difficult times?

Remember we are here for you, to help you meet the challenges ahead.

Stay safe.

Claudia Crab’s June Focus

Personal Data Processing

“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”

Elizabeth Denham, Information Commissioner

The Information Commissioner is the UK regulator for data protection and can impose substantial penalties for infringements. Data subjects also have a right to claim compensation if a company has caused them damage by a breach of the rules.

When you collect data you need to be transparent about why you are collecting it and how you will use it. This should be set out in an easy to find (and read) privacy notice or policy.

Where you share data with anyone else you need to make it clear with whom you are sharing it and why.

There are specific requirements and guidance if you outsource your data handling to a third party data processor. You must carry out suitable diligence and have written agreements in place which cover defined points.

If you use CCTV, cloud computing, cookies or engage in direct marketing, to name but a few, there is also specific guidance which must be followed.

Our top tip: if you process personal data, make sure you pay the data protection fee and give the correct privacy information to people. Don’t forget employees and suppliers as well as customers and clients.


F2 Business Huddle Online

Location: Your Workstation

The next online F2 Business Huddle is FREE

It’s on Friday 12 June 2020

12 noon to 2 pm

It is going to be the biggest F2 Business Huddle ever – so far

All the favourite features that you have come to know and love at the F2 Business Huddle – online


Reputation Advocates

When you need a reliable and dependable expert click on the crab

Feedback

We love to receive feedback and it really helps us to improve our services for everyone.


Until next month look after your reputation!!

T:023 9263 7190 | E: enquiries@crimsoncrab.net | W: www.crimsoncrab.co.uk

Copyright (c) 2020 Crimson Crab Ltd, all rights reserved.

Why are Terms and Conditions important for my business?

Terms and conditions (T&Cs) – the small print – are understandably not the most exciting of issues for you to focus on, but they are crucial to safeguard your company and its clients.

Trusting people’s word is good, but it’s not enough if things go wrong.

What is the point in having Terms & Conditions for my business? Are they required by law? When did I last read the small print before signing on the dotted line?

Questions like these may be floating around in your head – so let’s clear up some of the negative connotations you may have when it comes to terms & conditions, and work towards building your understanding of their value.

Protect yourself

Even when your terms are written and signed, it doesn’t necessarily make them legally secure. When you are dealing with a non-business customer, according to the Gov.UK website: “A contract term and notice has to be fair to be legally binding on your customer. If it isn’t, they can challenge it – including in court if necessary.” There is also legislation which limits the extent to which one party can avoid liability through the use of exclusion clauses such as disclaimers in any contract.

Terms & conditions which are fair to your client have the power to protect your business if or when someone who has agreed to purchase your services doesn’t stick to what was originally agreed. It would be unwise to provide a service without terms & conditions; with thorough but fair terms you will have more of a leg to stand on to protect yourself.

For example, if you sell something online, a non-business customer gets a right to cancel the purchase for any reason within fourteen days of delivery. If you don’t tell them about that right they can have a year to cancel. You have to give a full refund including all postage charges.

Protect your clients

Whether you are operating as a B2B or B2C enterprise, nothing you achieve now would be possible without your customers. Every business needs the money to prosper – it’s economics – so why would you not want to protect your clients and reassure them in the process?

When you invest time to write your terms, place yourself in your customers’ shoes and ask yourself about how they may read and access them.

Review your Terms & Conditions

It’s best practice to review terms on a regular basis – perhaps once a year or every time you change an element of your service. Make it a part of your annual plan, to ensure they continue to be robust for your business, remain fit for purpose and continue to reassure clients who purchase your product or service.

It’s also worth noting and understanding what ‘force majeure’ means. It’s written into contracts to cover situations where unforeseeable circumstances prevent a person from fulfilling a contract. So – in a nutshell – when something goes pear-shaped your business and clients remain protected.

For more information or to discuss this topic further, get in touch with our team.

Remain resilient during the COVID-19 outbreak, yes, but keep compliant too

It will be some time before life returns to “normal” in the UK and even then, things will no doubt be different.

Teams up and down the country have responded to what’s happening and stayed resilient by working from home.

But, how is remote working supporting many companies in their attempt to be resilient through these strange economic times? And, how are they remaining compliant every step of the way?

Working from Home

Thousands, if not millions, of employees are working from home as a result of this pandemic.

From Microsoft Teams calls to Zoom, progress in using technology has proven to be an excellent benefit for businesses across the country.

Technology (and a reliable Internet line) has never been relied on as much as it has in these unprecedented times.

While working away from the office is allowing businesses to continue efficiently, it does come with risk:

Data Protection

With an increase in the number of employees working from home, your people must understand the importance of protecting personal data on the IT they are using.

It’s all well and good if your company is following Data Protection legislation within an office environment, but you must still ensure this doesn’t get thrown out of the window with your remote workers, especially if they are new to working at home or remotely.

If you need any help check out our Data Protection Solutions here: https://www.crimsoncrab.co.uk/our-solutions/data-protection-information-risks

Cyber Security

Producing an effective Cyber Security Policy comes with an understanding of where your own security is currently at.

If your business is susceptible to a cyber-attack then you must be ready to deal with this unfortunate risk… both for those working in an office and from their own home. Any system is only as good as the weakest link and regrettably, this is most likely to be an individual away from the discipline of the office environment.

Similar to protecting data, think about how you can remain compliant while keeping resilient throughout the lockdown.

Understand more about Cyber Security at the NCSC website here: https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

Scams

Stay safe from online scams by taking simple steps while working from home.

Check your privacy settings, be aware of unsolicited emails, always use unique, strong passwords (use a trusted password manager – not the browser), update your software regularly, make sure your network is set up correctly, change all the default passwords on devices to a secure one and avoid using public Wi-Fi connections.

There is more information about Fraud and Cyber Crime on the Action Fraud website here: https://www.actionfraud.police.uk

Remember – your business must trade legally and it is your responsibility to do so ethically – no matter where your staff are based. Take full responsibility and get in touch with us on how you can remain compliant while focused on being resilient.

Acknowledge the risks facing your business and be ready to take action

Our minds can be a powerful tool when it comes to addressing matters which could have a detrimental impact on business.

What’re we talking about? Risk.

A sense of urgency about addressing business risks often comes too late.

Managing business risks may seem a daunting task – especially when there are countless types of risk out there.

But it’s important to understand not all risks should be approached and managed in the same way. Every case is unique and may require varying actions.

The type of risk you as a business owner may face can range from one extreme to the other.

These may be:

  • Economic risks
  • Compliance risks
  • Reputation risks
  • Competition, or comfort, risks
  • Security and fraud risks
  • Financial risks
  • Operational risks

Failing to manage risks can affect your reputation and, in the worst cases, sink the company you are invested in. Now that’s something nobody would like to happen.

But tackling risks doesn’t just stop at the initial hurdle of acknowledging them; new risks are frequently appearing within any business so it’s necessary to evaluate and act on risks on a continuous basis.

A policy, process or procedure should be implemented within your business on how you deal with risk when it arises.

It’s no good having an attitude of “this is something we need to sort now as it has been brought to our attention recently”, as by then it’ll be too late to address it.

It’s good practice for business people to be proactive towards doing something about the risks a company is faced with before it’s too late.

Don’t be ignorant about the risks you face.

Compliance model – driving the culture of the organisation to be compliant.

Operating Ethically – Do you have an anti-bribery policy?

“Desperate Times Call for Desperate Measures” is the phrase that comes to mind when someone bribes another for their gain in a business context.

Crimson Crab explores bribery and the means to protect your company from this illegal action which can have serious consequences.

So, what is bribery?

The dictionary definition: to bribe a person is to “dishonestly persuade someone to act in one’s favour by a gift of money or other inducement: they attempted to bribe opponents into losing.”

Bribery is unethical. It’s bad for business and can lead to a hefty jail sentence and other unpleasant sanctions.

It is illegal to offer, promise, give, request, agree, receive or accept bribes – an anti-bribery policy can help protect your business.

We hear you, business is important. Whether it’s your own company or one you work for, having a stable model offers an element of security for everyone. Therefore, it’s pretty important you invest in protecting it.

If you are concerned about being affected by bribery, you can safeguard your business with an anti-bribery policy.

Your anti-bribery policy needs to be written with the level of risk your company faces in mind and should give reassurance to your people about what to do in potentially difficult situations.

It should include:

  • Your approach to reducing and controlling the risks of bribery
  • Rules about accepting gifts, hospitality or donations
  • Guidance on how to conduct your business, e.g. negotiating contracts
  • Rules on avoiding or stopping conflicts of interest

Even though it is not a legal requirement to have an anti-bribery policy, you are obliged by law to manage the business risks effectively. That’s why we’d suggest having the policy.

For more information on how to manage business risks – and to discuss anti-bribery policies in detail – please get in touch!