Crab Insight April 2021

Red Tape Busters Volume 8, Issue 07, `Deal with risk’

 

Welcome to the April edition of Crab Insight

As lockdown eases we need to move forward with our businesses and identify opportunities for growth or at least to get back to where we were before lockdown.

Beware though every opportunity carries with it some degree of risk.

So, Claudia Crabs focus this month is dealing with risk. It’s important not to lose perspective, don’t sweat the small stuff and ignore the real show stoppers.

HR management,  health and safety management and data protection can all be problematical in their own ways. If you need some practical help please do take a look at some of our solutions:

 
 
 

Claudia Crab’s April Focus

Claudia the Crimson Crab icon

“Deal with risk”

““Opportunities pass by frequently, but people don’t always see them. Taking risks grants you an invisible set of glasses that reveal the many opportunities which surround you.” ― Anas Hamshari, Businessma n With An Affliction

A good starting point is a SWAT. Strengths, weaknesses, Opportunities & Threats analysis In this way, both internal and external factors are identified, remember weaknesses are best thought of as areas for improvement. If you find your self struggling with external factors try using the acronym PESTEL.  This will help you think about the opportunities and threats likely to develop. PESTEL, polictical, economic, social, technological, environmental and legalThe use of a SWAT Matrix helps you identify where:

strengths play to opportunities or reduce threats

weaknesses hold you back or exacerbate threats

SWOT Matrix Once the major areas are identified you can carry out a risk assessment in a systematic way. risk assessment The key is to unpick how you can reduce the likelihood of a high-risk occurrence happening and, or reduce the damage done to the business if it does happen. That way you will be taking responsibility for your businesses strategy by proactively managing risks. You will also be in a better position to deal with issues that crop up as they should not come as a surprise.  This follows Crimson Crabs strapline:

Ethical  |  legal  |  Responsible

So this month we are asking the question:

Does your strategy take account of business risks? 

Look out for our social media posts and our blog later in the month as we will hopefully be able to flesh out your thinking.
Top tip – A great starting point is to understand some of the risks that your business faces and our Business MOT can help with this

F2 Business Huddle Online

Friday 14 May 2021

12 noon to 2 pm

WE ARE LIMITED TO 100 PLACES

TO AVOID DISSAPOINTMENT 

Get your ticket on Eventbrite


Reputation Advocates

When you need a reliable and dependable expert click on the crabAccredited Crimson Crab Reputation Advocate Logo


 
Feedback

We love to receive feedback and it really helps us to improve our services for everyone.

Until next month look after your reputation!!

Ethical, legal, responsible trading wave
T:023 9263 7190 | E: enquiries@crimsoncrab.net | W: www.crimsoncrab.co.uk

Copyright (c) 2021 Crimson Crab Ltd, all rights reserved.

Essential GDPR Training Package for Front Line Staff

SLCM Business Support Ltd logo

 

 

Crimson Crab Limited and SLCM Business Support Limited are pleased to announce the release of their Data Protection / GDPR e-learning package, which gives employees working within businesses the essential knowledge they need to keep their employer on the right side of the law.

The course aims to reduce the risk to businesses of one of their employees causing a breach or other personal data incident which might lead to reputational damage. It’s written in plain English, uses easy to understand terms and requires no prior or deep legal or technical understanding. It will help businesses demonstrate that they are complying with the ‘integrity and confidentiality’ principle[1] of the GDPR,

The package provides for an understanding of:

  1. Some basic definitions used in privacy law
  2. The Data Protection principles
  3. The rights of people whose information is being ‘processed’
  4. The practical things that employees can do day to day to keep data safe.

Successful completion of the course, which takes around 30 minutes, requires that a short, multiple-choice test is passed.

Based on best practice, all the information contained within the training course has been taken from the information provided by either the Information Commissioner’s Office (the ICO) or the National Cyber Security Centre (NCSC).

For more information about this service please email enquiries@crimsoncrab.net

[1] Article 6(1)(f) of the General Data Protection Regulation requires that personal data shall be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).’

Crab Insight July 2020

Red Tape Busters Volume 7, Issue 10, Profile

Welcome to the July edition of Crab Insight

What has been your biggest learning in recent weeks, and how will this change the way you present yourself to people?

Our word of the month for July is PROFILE, it’s all about how you will present yourself so as to stand out from the crowd in a digital-focused world?

Crimson Crab is on your side and ready to help you meet the challenges ahead.

Stay safe.

Claudia Crab’s July Focus

Claudia the Crimson Crab icon

“A website is a shop window to the world – it is also a great way to showcase breaches of the law”

If you have a website you need to make sure that you comply with the law in the following areas:

Disclosure

You should identify yourself correctly and give an address at which you can be contacted, there are specific requirements for a registered business, (e.g. Ltd, PLC, LLP).

Copyright

It’s imperative that you protect your copyright effectively and make sure that you do not breach other peoples copyright. It makes sense to also have a document setting out the terms of use of the website.

Disability Discrimination

Businesses have an obligation to make reasonable adjustments to help disabled individuals access their goods, facilities and services. The Equalities Act 2010 requires that websites are accessible to disabled people including Blind people. One way of meeting this responsibility is for website owners to comply with the WCAG 2.0 standard at Level AA the UK Governments recommended best practice for accessibility. 

Data Protection

You need to make sure that you comply with the Data Protection laws (including the GDPR) for all contact forms and any personal data collection. You also need to make sure that you have an appropriate Cookies policy detailing the cookies used and their purpose (and for example use a pop-up or other means to obtain ‘consent’).

Provision of Services

If you provide any services on or offline you have to make sure you comply with the Provision of Service Regulations. They require service providers to make available contact details where information requests and complaints can be sent, together with other specified information.  One way of complying is to include the required information on a web page and proactively provide the link to clients when discussing your services.

E-commerce

When using a website for e-commerce purposes then you still need to comply with the law that relates to a bricks and mortar outlet along with some special rules for an online business.

So there must be for example no unfair commercial practices and suitable control of sales of age-sensitive products (e.g. alcohol, tobacco, fireworks, knives, solvents, videos & games). If any products are sold to which safety legislation applies, for example, toys, bicycles, electrical goods the rules have to be followed, as they do when food of any type is sold. 

The Consumer Contracts Regulations require that you provide certain information when selling online, and also require you to tell the customer about their right to cancel the purchase within 14 days (not 7 any more). Failure in this respect can mean that the customer can enjoy a much longer cancellation period (up to 12 months)!

You also have to be careful to comply with the requirements of Card Providers and you cannot make additional charges for using such payment methods.

There are also rules around the way that complaints are dealt with and the provision of access to Alternative Dispute Resolution and the European Commissions Online Dispute Resolution Platform.

Top tip – We can check out your website


F2 Business Huddle Online

The next online F2 Business Huddle is FREE

It’s on Friday 10 July 2020

12 noon to 2 pm

It is going to be the biggest F2 Business Huddle ever – so far

All the favourite features that you have come to know and love at the F2 Business Huddle – online


Reputation Advocates

When you need a reliable and dependable expert click on the crab

Accredited Crimson Crab Reputation Advocate Logo

Feedback

We love to receive feedback and it really helps us to improve our services for everyone.


Until next month look after your reputation!!

Ethical, legal, responsible trading wave
T:023 9263 7190 | E: enquiries@crimsoncrab.net | W: www.crimsoncrab.co.uk

Copyright (c) 2020 Crimson Crab Ltd, all rights reserved.

Data Protection Essential Questions

Data protection essentials, 23 questions do you know all the answers?

  1. Do you understand what data flows through your business and have recorded:
    • what personal data you hold;
    • where it came from;
    • who you share it with; and
    • what you do with it?

  1. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent
      • it is good consent;
      • you record how it has been given; and
      • you record and manage ongoing consent.
    • If you are relying on legitimate interests
      • you have done the three-part test; and
      • you can demonstrate that you have fully considered and protected individual’s rights and interests.

  1. Are you are currently registered with the Information Commissioner’s Office?

  1. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?

  1. Can you deal with a Subject Access Request i.e. requests from people to access their personal data within one month?

  1. Do you make sure that the personal data you hold remains accurate and up to date?

  1. Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?

  1. Do you know what to do when someone asks you to restrict the processing of their personal data?

  1. Can someone move, copy or transfer their personal data from your system to another safely?

  1. Can you deal with an individual’s objection to the processing of their personal data?

  1. Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?

  1. Do you have a data protection policy, and demonstrate your compliance with it?

  1. Do you regularly review the effectiveness of your data handling and security controls?

  1. Do you provide data protection awareness training for all staff?

  1. If you engage third parties to process your businesses personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements and carry out suitable and sufficient diligence?

  1. Do you know the information risks you have and their business impact so that you can manage them in a structured way?

  1. Have you have implemented technical measures and policy to integrate data protection into your data processing?

  1. Do you understand when you must conduct a Data Protection Impact Assessment?

  1. Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
    • If you have a DPO have you notified the ICO?

  1. Do you champion a positive culture of data protection compliance in your business?

  1. Do you have an information security policy supported by suitable security measures?

  1. Do you record all personal data breaches no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the ICO?
    • Do you know which must be reported to the data subject?

  1. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know an answer you had better find out fast!

Remain resilient during the COVID-19 outbreak, yes, but keep compliant too

It will be some time before life returns to “normal” in the UK and even then, things will no doubt be different.

Teams up and down the county have responded to what’s happening and stayed resilient by working from home.

But, how is remote working supporting many companies in their attempt to be resilient through these strange economic times? And, how are they remaining compliant every step of the way?

Working from Home

Thousands, if not millions, of employees, are working from home as a result of this pandemic.

From Microsoft Teams calls to Zoom, progress in using technology has proven to be an excellent benefit for businesses across the country.

Technology (and a reliable Internet line) hasn’t been relied on as much as it has in these unprecedented times.

While working away from the office is allowing businesses to continue efficiently, it does come with risk:

Data Protection

With an increase in the number of employees working from home, your people must understand the importance of protecting personal data on the IT they are using.

It’s all well and good if your company is following Data Protection legislation within an office environment, you must still ensure this doesn’t get thrown out the window with your remote workers. Especially if they are new to working at home or remotely.

If you need any help check out our Data Protection Solutions here: https://www.crimsoncrab.co.uk/our-solutions/data-protection-information-risks

Cyber Security

Producing an effective Cyber Security Policy comes with an understanding of where your own security is currently at.

If your business is susceptible to a cyber-attack then you must be ready to deal with this unfortunate risk… both for those working in an office and from their own home. Any system is only as good as the weakest link and regrettably, this is most likely to be an individual away from the discipline of the office environment.

Similar to protecting data, think about how you can remain compliant while keeping resilient throughout the lockdown.

Understand more about Cyber Security at the NCSC website here: https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

Scams

Stay safe from online scams by taking simple steps while working from home.

Check your privacy settings, be aware of unsolicited emails, always use unique, strong passwords (use a trusted password manager – not the browser), update your software regularly, make sure your network is set up correctly, change all the default passwords on devices to a secure one and avoid using public Wi-Fi connections.

There is more information about Fraud and Cyber Crime on the Action Fraud website here: https://www.actionfraud.police.uk

Remember – your business must trade legally and it is your responsibility to do so ethically – no matter where your staff are based. Take full responsibility and get in touch with us on how you can remain compliant while focused on being resilient.

Things to think about before Brexit

If you haven’t already thought about it there are some things that you will need to do to prepare your business for Brexit.

Especially if you:

  • import or export goods or services to the EU,
  • exchange personal data (including customers’ addresses, staff working hours or information you give to a delivery company) with an organisation in Europe (this includes using websites or services hosted in Europe & processing personal data from Europe), or
  • you use or rely on intellectual property (IP) protection (this includes copyright, trademarks and patents).

There is a useful step by step guide at https://www.gov.uk/get-ready-brexit-check

Network referrals

When seeking referrals off people in my networking group, what information is safe to gather? So, let’s say, for example, I ask Bob for referrals of our ideal client. Bob knows somebody who may be interested in our service – so passes us their contact details. Is this safe?

Samuel Poole Marketing Communications Manager Syn-Star Complete I.T. Solutions

Great question, actually in Data Protection terms it is not safe to do this unless certain things are in place.

Essentially when dealing with personal information such as contact details the person who decides what to do with the information is a data controller, in this case, Bob.

The data controller has to “process” personal data fairly (processing includes passing it to a third party i.e. you). They also have to have one of six lawful reasons to be able to process the data. The most appropriate one of which in these circumstances is the consent of the data subject. This has to be GDPR compliant consent i.e. given freely, not under duress and in full knowledge of what they are consenting to.

The data controller also has to give “privacy information” explaining how the subjects data will be used. There are specific things that have to be included in this information which often takes the form of a notice, but can also be given verbally depending on the circumstances.

It is incumbent on you to check that the necessary consent is in place for the use you wish to make of the data before acting on it.

Of course, once the information comes into your hands for marketing purposes you become a data controller, in addition, you will need to comply with the Privacy and Electronic Communications Regs in relation to electronic marketing messages (phone, fax, email or text).

How long does personal data have to be stored under the data protection law?

The short answer is no longer than necessary.

Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:

  • the current and future value of the information;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.

The CIPD have a great resource regarding HR records which can be found here.

The Data Protection Bill

The UK’s third generation of data protection law has entered Parliament.

The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come. 

The Information Commissioner’s (ICO) website has been updated to include new section about the Data Protection Bill.

This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.

Notification under the Data Protection law

When the General Data Protection Regulations (GDPR) come into effect next year there will no longer be a requirement to notify the Information Commissioner’s Office (ICO) as there is now.

There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.

The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing. The final fees will be approved by Parliament before being put into place.