Data Protection Essentials

Here are 23 questions that you really should know the answers to:

  1. Do you understand what data flows through your business and record:
    • what personal data you hold,
    • where it came from,
    • who you share it with and
    • what you do with it?
  1. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent
      • it is good consent,
      • Do you record how it has been given; and
      • Do you record and manage ongoing consent?
    • If you are relying on legitimate interests
      • Have you done the three-part test, and
      • Can you demonstrate that you have fully considered and protected individual’s rights and interests?
  1. Are you are currently registered with the Information Commissioner’s Office?
  1. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
  1. Can you deal with a Subject Access Request i.e. requests from people to access their personal data within one month?
  1. Do you make sure that the personal data you hold remains accurate and up to date?
  1. Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
  1. Do you know what to do when someone asks you to restrict the processing of their personal data?
  1. Can someone move, copy or transfer their personal data from your system to another safely?
  1. Can you deal with an individual’s objection to the processing of their personal data?
  1. Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
  1. Do you have a data protection policy, and demonstrate your compliance with it?
  1. Do you regularly review the effectiveness of your data handling and security controls?
  1. Do you provide data protection awareness training for all staff?
  1. If you have third parties that process your personal data, do you have a written contract with them which meets the legal requirements?
  1. Do you know the information risks you have and their business impact so that you can manage them in a structured way?
  1. Have you have implemented technical measures and policy to integrate data protection into your data processing?
  1. Do you understand when you must conduct a Data Protection Impact Assessment?
  1. Have you nominated a data protection lead, or a Data Protection Officer if you are required or prefer to? Note this role can be outsourced)?
    • If you have a Data Protection Officer have you notified the Information Commissioner’s Office?
  1. Do you champion a positive culture of data protection compliance in your business?
  1. Do you have an information security policy supported by suitable security measures?
  1. Do you record all personal data breaches no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the Information Commissioner’s Office
    • Do you know which must be reported to the data subject?
  1. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know the answers you really had better find out – we can help – take a look at our data protection solutions.

The Data Protection Bill

The UK’s third generation of data protection law has entered Parliament.

The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come. 

The Information Commissioner’s (ICO) website has been updated to include new section about the Data Protection Bill.

This explains the relationship between the Bill and the GDPR, detailing the additional areas the proposed new legislation covers. It also includes links to the ICO’s GDPR and Law Enforcement pages and to a Data Protection Bill fact sheet.

Notification under the Data Protection law

When the General Data Protection Regulations (GDPR) come into effect next year there will no longer be a requirement to notify the Information Commissioner’s Office (ICO) as there is now.

There is a provision in the Digital Economy Act which means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.

The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing. The final fees will be approved by Parliament before being put into place.

Cookie banner frustration

The European Commission has proposed new regulations that would limit the way companies track users on the internet.

Part of that plan would see the removal of website banners that provide disclaimers on cookie policies and instead have the user’s browser preferences automatically apply to each site they visit. In addition companies will need to get explicit consent from a user before being allowed to track their online activities.

If passed, the new rules will come into effect by May 2018.

Read more… (opens in a new tab)

Do you own a residential building over 18 metres high which is cladded?

Melanie Dawes the Permanent Secretary of the Department for Communities and Local Government (DCLG) has sent a letter to owners, landlords and managers of private residential blocks in England.

DCLG are offering, private owners of residential buildings an opportunity to test cladding on blocks over 18 metres high through arrangements put in place with the Building Research Establishment (BRE).

These checks will be paid for by DCLG, and the information will be available to DCLG from BRE.

Where owners consider that they may have concerns about cladding on buildings over 18 metres high, there is a process to follow described in the letter.

DCLG have provided an email for enquiries:

The letter and downloadable data return form are available here.