Amongst other things the Data Protection Act puts organisations under a legal obligation to demonstrate that they:
1) use personal information fairly and legally;
2) collect only the information necessary for a specific purpose;
3) ensure it is relevant, accurate and up to date;
4) only hold as much as is required, and only for as long as it is needed;
5) allow the subject of the information to see it on request; and
6) keep it secure.
Crimson Crab Limited and SLCM Business Support Limited are pleased to announce the release of their Data Protection / GDPR e-learning package, which gives employees working within businesses the essential knowledge they need to keep their employer on the right side of the law.
The course aims to reduce the risk to businesses of one of their employees causing a breach or other personal data incident which might lead to reputational damage. It’s written in plain English, uses easy to understand terms and requires no prior or deep legal or technical understanding. It will help businesses demonstrate that they are complying with the ‘integrity and confidentiality’ principle of the GDPR.
The package provides for an understanding of:
Some basic definitions used in privacy law
The Data Protection principles
The rights of people whose information is being ‘processed’
The practical things that employees can do day to day to keep data safe.
Successful completion of the course, which takes around 30 minutes, requires that a short, multiple-choice test is passed.
Article 6(1)(f) of the General Data Protection Regulation requires that personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).’
There are many benefits to outsourcing work, from increased efficiency to cost advantages, so it seems a no-brainer to take advantage of another’s skillset when the time is right for your business.
But, if you fail to do the due diligence when outsourcing and something goes wrong, it may cripple your business.
As a responsible businessperson, if you fail to conduct the reasonable steps to avoid a tort or offence within your company and they do arise, you’re at fault.
That’s why we’ve listed some considerations to support you with ensuring you carry out the due diligence and protect the reputation of your business when outsourcing.
Do both sides of the agreement hold the same expectations?
Mismatched expectations can create countless obstacles in business. One way to avoid this from happening is to ensure everything is written down on paper, then agreed and understood by everyone involved with the outsourced work.
Have a contract agreed.
As with expectations, have a contract which states what work will be carried out, by when and by whom, as well as a clear price. A contract can be a simple point of reference for resolving any conflict.
What’s the reputation of the business you are outsourcing work to?
Seems obvious, right? But companies do fail to do their research regarding the reputation of someone who is completing work for them.
If the service someone provides isn’t recommended, why would you use them to support your company? You wouldn’t.
Do they know their health and safety?
If an outsourced service poses a health and safety risk to your workforce and you don’t mitigate it, then if an accident takes place the responsibility falls on your shoulders.
Is the company you’re outsourcing to savvy with data protection?
GDPR – you’ve heard it before and will continue to hear all about it into the future. Why? Because people’s personal data matters.
If you’re outsourcing work to someone required to deal with data within your business (making them the processor), for example, the personal details of your clients, then you as the controller are responsible for how the outsourced work is handled. You also need a written contract covering data processing.
Are those claiming to be an expert actually an expert?
If you’re looking to outsource an element of your business, such as HR, then is the person claiming to have the ability to complete the work actually competent in it?
For further details on how to avoid having a negative impact on your business for when you outsource work, get in touch with Crimson Crab.
Our focus this month is on outsourcing: the business practice of engaging an external party to perform services or create goods that traditionally were done in-house by the company’s own employees.
For example, a business may take the decision to outsource bookkeeping duties or the functions of human resource departments, such as payroll or recruitment, or health and safety activities as doing so may be more cost-effective than retaining an in-house specialist for each area or for a business owner trying to become an expert in each.
When used properly, outsourcing is an effective strategy to reduce expenses, and can even provide a business with a competitive advantage over rivals.
Whatever your outsourcing strategy you need to make sure that the company carrying out the work you require will not present additional risks to your business.
Claudia Crab’s September Focus
“To make sure you do everything possible not to get let down by someone else, do your diligence before selecting an outsourcing partner.”
Robert Briggs – Compliance Director Crimson Crab
Outsourcing can be used to reduce labour costs, together with the cost of overheads, equipment, and technology.
Skill and knowledge gaps can be filled using third party experts.
Outsourcing may also be used to focus on the core aspects of the business, trusting the less critical operations to outside organisations.
On the downside, communication with the outside provider can be hard, and security threats can escalate when multiple parties access sensitive and personal data.
Building a website is easy, right? With the click of a few buttons and some vibrant graphics, you’re ready to go. Yes, perhaps, but is it compliant?
Your website is your organisation’s shop window, so it’s important for it to look good and entice your target audience, but it’s also crucial for it to be legally compliant.
But – what does that mean and how can you ensure it is compliant?
All websites must conform to the Data Protection Act (and the GDPR).
“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
“Three-quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.”
Elizabeth Denham UK Information Commissioner
Your website is a powerful tool to grow your business – but can also be detrimental to the business if it isn’t compliant.
That’s why our tips are some of the top things to consider when it comes to your company’s website.
Always have a valid reason: Personal information from individuals and organisations can be useful for many reasons – but do you have a valid reason to use it for your intentions? Be clear about WHY you’re collecting people’s details – and what it’ll be used for. Always give them the opportunity to give you permission in the correct way if you need to.
Security is key: If your website isn’t secure, you’re leaving yourself and your visitors susceptible to hackers and cyber-attacks. Don’t be responsible for this!
What has been your biggest learning in recent weeks, and how will this change the way you present yourself to people?
Our word of the month for July is PROFILE: it’s all about how you will present yourself so as to stand out from the crowd in a digital-focused world.
Crimson Crab is on your side and ready to help you meet the challenges ahead.
Claudia Crab’s July Focus
“A website is a shop window to the world – it is also a great way to showcase breaches of the law”
If you have a website you need to make sure that you comply with the law in the following areas:
You should identify yourself correctly and give an address at which you can be contacted; there are specific requirements for a registered business (e.g. Ltd, PLC, LLP).
Businesses have an obligation to make reasonable adjustments to help disabled individuals access their goods, facilities and services. The Equality Act 2010 requires that websites are accessible to disabled people, including blind people. One way of meeting this responsibility is for website owners to comply with the WCAG 2.0 standard at Level AA, the UK Government’s recommended best practice for accessibility.
You need to make sure that you comply with the Data Protection laws (including the GDPR) for all contact forms and any personal data collection. You also need to make sure that you have an appropriate Cookies policy detailing the cookies used and their purpose (and for example use a pop-up or other means to obtain ‘consent’).
Provision of Services
If you provide any services on or offline you have to make sure you comply with the Provision of Service Regulations. They require service providers to make available contact details where information requests and complaints can be sent, together with other specified information. One way of complying is to include the required information on a web page and proactively provide the link to clients when discussing your services.
When using a website for e-commerce purposes then you still need to comply with the law that relates to a bricks and mortar outlet along with some special rules for an online business.
So there must, for example, be no unfair commercial practices, and there must be suitable control of sales of age-sensitive products (e.g. alcohol, tobacco, fireworks, knives, solvents, videos & games). If any products are sold to which safety legislation applies (for example toys, bicycles or electrical goods) the rules have to be followed, as they do when food of any type is sold.
The Consumer Contracts Regulations require that you provide certain information when selling online, and also require you to tell the customer about their right to cancel the purchase within 14 days (not 7 any more). Failure in this respect can mean that the customer can enjoy a much longer cancellation period (up to 12 months)!
You also have to be careful to comply with the requirements of Card Providers and you cannot make additional charges for using such payment methods.
There are also rules around the way that complaints are dealt with and the provision of access to Alternative Dispute Resolution and the European Commission’s Online Dispute Resolution Platform.
Do you understand what data flows through your business and have you recorded:
● what personal data you hold;
● where it came from;
● who you share it with; and
● what you do with it?
Have you recorded at least one of the six legal reasons for processing the data?
If you use consent:
● it is good consent;
● you record how it has been given; and
● you record and manage ongoing consent.
If you are relying on legitimate interests:
● you have done the three-part test; and
● you can demonstrate that you have fully considered and protected individuals’ rights and interests.
Are you currently registered with the Information Commissioner’s Office?
Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
Can you deal with a Subject Access Request i.e. requests from people to access their personal data within one month?
Do you make sure that the personal data you hold remains accurate and up to date?
Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
Do you know what to do when someone asks you to restrict the processing of their personal data?
Can someone move, copy or transfer their personal data from your system to another safely?
Can you deal with an individual’s objection to the processing of their personal data?
Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
Do you have a data protection policy, and demonstrate your compliance with it?
Do you regularly review the effectiveness of your data handling and security controls?
Do you provide data protection awareness training for all staff?
If you engage third parties to process your business’s personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements, and do you carry out suitable and sufficient diligence?
Do you know the information risks you have and their business impact so that you can manage them in a structured way?
Have you implemented technical measures and policy to integrate data protection into your data processing?
Do you understand when you must conduct a Data Protection Impact Assessment?
Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
If you have a DPO have you notified the ICO?
Do you champion a positive culture of data protection compliance in your business?
Do you have an information security policy supported by suitable security measures?
Do you record all personal data breaches no matter how trivial?
Can you manage and resolve them?
Do you know which must be reported to the ICO?
Do you know which must be reported to the data subject?
Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?
If you don’t know an answer you had better find out fast!
Love your business – we do! As companies across the UK prepare for the ‘new normal’ we’ve just made our word of the month ‘Restoration’.
How are you going to restore your services while also taking account of and adapting to what was for most very difficult times?
Remember we are here for you, to help you meet the challenges ahead.
Claudia Crab’s June Focus
Personal Data Processing
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
Elizabeth Denham, Information Commissioner
The Information Commissioner is the UK regulator for data protection and can impose substantial penalties for infringements. Data subjects also have a right to claim compensation if a company has caused the damage by a breach of the rules.
When you collect data you need to be transparent about why you are collecting it and how you will use it. This should be set out in an easy to find (and read) privacy notice or policy.
Where you share data with anyone else you need to make it clear with whom you are sharing it and why.
There are specific requirements and guidance if you outsource your data handling to a third party data processor. You must carry out suitable diligence and have written agreements in place which cover defined points.
If you use CCTV, cloud computing, cookies or engage in direct marketing, to name but a few, there is also specific guidance which must be followed.
Our top tip is if you process personal data, make sure you pay the data protection fee and give the correct privacy information to people, don’t forget employees and suppliers as well as customers and clients.
It will be some time before life returns to “normal” in the UK and even then, things will no doubt be different.
Teams up and down the country have responded to what’s happening and stayed resilient by working from home.
But, how is remote working supporting many companies in their attempt to be resilient through these strange economic times? And, how are they remaining compliant every step of the way?
Working from Home
Thousands, if not millions, of employees are working from home as a result of this pandemic.
From Microsoft Teams calls to Zoom, progress in using technology has proven to be an excellent benefit for businesses across the country.
Technology (and a reliable Internet line) has never been relied on as much as it has been in these unprecedented times.
While working away from the office is allowing businesses to continue efficiently, it does come with risk:
● Data Protection
With an increase in the number of employees working from home, your people must understand the importance of protecting personal data on the IT they are using.
It’s all well and good if your company is following Data Protection legislation within an office environment, but you must still ensure this doesn’t get thrown out of the window with your remote workers, especially if they are new to working at home or remotely.
Producing an effective Cyber Security Policy comes with an understanding of where your own security is currently at.
If your business is susceptible to a cyber-attack then you must be ready to deal with this unfortunate risk… both for those working in an office and from their own home. Any system is only as good as the weakest link and regrettably, this is most likely to be an individual away from the discipline of the office environment.
Similar to protecting data, think about how you can remain compliant while keeping resilient throughout the lockdown.
Stay safe from online scams by taking simple steps while working from home.
Check your privacy settings, be aware of unsolicited emails, always use unique, strong passwords (use a trusted password manager – not the browser), update your software regularly, make sure your network is set up correctly, change all the default passwords on devices to secure ones and avoid using public Wi-Fi connections.
Remember – your business must trade legally and it is your responsibility to do so ethically – no matter where your staff are based. Take full responsibility and get in touch with us on how you can remain compliant while focused on being resilient.