Do you understand what data flows through your business and have recorded:
what personal data you hold;
where it came from;
who you share it with; and
what you do with it?
Have you recorded at least one of the six legal reasons for processing the data?
If you use consent
it is good consent;
you record how it has been given; and
you record and manage ongoing consent.
If you are relying on legitimate interests
you have done the three-part test; and
you can demonstrate that you have fully considered and protected individuals’ rights and interests.
Are you currently registered with the Information Commissioner’s Office?
Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
Can you deal with a Subject Access Request, i.e. a request from an individual to access their personal data, within one month?
Do you make sure that the personal data you hold remains accurate and up to date?
Do you securely dispose of personal data that is no longer required or where an individual has asked you to erase it?
Do you know what to do when someone asks you to restrict the processing of their personal data?
Can someone move, copy or transfer their personal data from your system to another safely?
Can you deal with an individual’s objection to the processing of their personal data?
Do you know if you carry out automated decision making and if so, do you have procedures in place to deal with the requirements?
Do you have a data protection policy, and can you demonstrate your compliance with it?
Do you regularly review the effectiveness of your data handling and security controls?
Do you provide data protection awareness training for all staff?
If you engage third parties to process your business’s personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements, and have you carried out suitable and sufficient due diligence on them?
Do you know the information risks you have and their business impact so that you can manage them in a structured way?
Have you implemented technical measures and policies to build data protection into your data processing?
Do you understand when you must conduct a Data Protection Impact Assessment?
Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
If you have a DPO have you notified the ICO?
Do you champion a positive culture of data protection compliance in your business?
Do you have an information security policy supported by suitable security measures?
Do you record all personal data breaches no matter how trivial?
Can you manage and resolve them?
Do you know which must be reported to the ICO?
Do you know which must be reported to the data subject?
Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?
If you don’t know an answer you had better find out fast!
Love your business – we do! As companies across the UK prepare for the ‘new normal’ we’ve just made our word of the month ‘Restoration’.
How are you going to restore your services while also taking account of and adapting to what was for most very difficult times?
Remember we are here for you, to help you meet the challenges ahead.
Claudia Crab’s June Focus
Personal Data Processing
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
Elizabeth Denham, Information Commissioner
The Information Commissioner is the UK regulator for data protection and can impose substantial penalties for infringements. Data subjects also have a right to claim compensation if a company has caused them damage by breaching the rules.
When you collect data you need to be transparent about why you are collecting it and how you will use it. This should be set out in an easy to find (and read) privacy notice or policy.
Where you share data with anyone else you need to make it clear with whom you are sharing it and why.
There are specific requirements and guidance if you outsource your data handling to a third-party data processor. You must carry out suitable due diligence and have written agreements in place which cover the defined points.
If you use CCTV, cloud computing, cookies or engage in direct marketing, to name but a few, there is also specific guidance which must be followed.
Our top tip: if you process personal data, make sure you pay the data protection fee and give the correct privacy information to people. Don’t forget employees and suppliers as well as customers and clients.
The Fundraising Regulator (FR) is inviting charities, sector professionals and members of the public to give their opinion on different elements of the development of the Fundraising Preference Service (FPS).
Anyone who registers online to take part in the consultation will receive a brief weekly email from the FR asking for feedback on different aspects of the FPS, ranging from function to appearance.
The Fundraising Regulator has published guidance on processing personal data and consents relating to fundraising by charities, to help them better understand their responsibilities in relation to donor consent, data protection and legitimate interests and to be ready for the EU General Data Protection Regulation. The guidance can be found here.