Data Protection Essential Questions

Data protection essentials: 23 questions. Do you know all the answers?

  1. Do you understand what data flows through your business and have recorded:
    • what personal data you hold;
    • where it came from;
    • who you share it with; and
    • what you do with it?

  2. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent:
      • it is good consent;
      • you record how it has been given; and
      • you record and manage ongoing consent.
    • If you are relying on legitimate interests:
      • you have done the three-part test; and
      • you can demonstrate that you have fully considered and protected individuals’ rights and interests.

  3. Are you currently registered with the Information Commissioner’s Office?

  4. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?

  5. Can you deal with a Subject Access Request (a request from a person to access their personal data) within one month?

  6. Do you make sure that the personal data you hold remains accurate and up to date?

  7. Do you securely dispose of personal data that is no longer required, or where an individual has asked you to erase it?

  8. Do you know what to do when someone asks you to restrict the processing of their personal data?

  9. Can someone move, copy or transfer their personal data from your system to another safely?

  10. Can you deal with an individual’s objection to the processing of their personal data?

  11. Do you know if you carry out automated decision making and, if so, do you have procedures in place to deal with the requirements?

  12. Do you have a data protection policy, and can you demonstrate your compliance with it?

  13. Do you regularly review the effectiveness of your data handling and security controls?

  14. Do you provide data protection awareness training for all staff?

  15. If you engage third parties to process your business’s personal data on your behalf (e.g. email marketing companies, database providers, cloud-based service providers), do you have a written contract with them which meets the legal requirements, and have you carried out suitable and sufficient due diligence?

  16. Do you know the information risks you have and their business impact, so that you can manage them in a structured way?

  17. Have you implemented technical measures and policies to integrate data protection into your data processing?

  18. Do you understand when you must conduct a Data Protection Impact Assessment?

  19. Have you nominated a data protection lead, or a Data Protection Officer (DPO) if required or preferred (note this role can be outsourced)?
    • If you have a DPO, have you notified the ICO?

  20. Do you champion a positive culture of data protection compliance in your business?

  21. Do you have an information security policy supported by suitable security measures?

  22. Do you record all personal data breaches, no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the ICO?
    • Do you know which must be reported to the data subject?

  23. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know an answer you had better find out fast!

Data Protection Essentials

Here are 23 questions that you really should know the answers to:

  1. Do you understand what data flows through your business and record:
    • what personal data you hold,
    • where it came from,
    • who you share it with, and
    • what you do with it?
  2. Have you recorded at least one of the six legal reasons for processing the data?
    • If you use consent:
      • is it good consent,
      • do you record how it has been given, and
      • do you record and manage ongoing consent?
    • If you are relying on legitimate interests:
      • have you done the three-part test, and
      • can you demonstrate that you have fully considered and protected individuals’ rights and interests?
  3. Are you currently registered with the Information Commissioner’s Office?
  4. Do you provide privacy information to individuals, e.g. clients, customers, employees and suppliers?
  5. Can you deal with a Subject Access Request (a request from a person to access their personal data) within one month?
  6. Do you make sure that the personal data you hold remains accurate and up to date?
  7. Do you securely dispose of personal data that is no longer required, or where an individual has asked you to erase it?
  8. Do you know what to do when someone asks you to restrict the processing of their personal data?
  9. Can someone move, copy or transfer their personal data from your system to another safely?
  10. Can you deal with an individual’s objection to the processing of their personal data?
  11. Do you know if you carry out automated decision making and, if so, do you have procedures in place to deal with the requirements?
  12. Do you have a data protection policy, and can you demonstrate your compliance with it?
  13. Do you regularly review the effectiveness of your data handling and security controls?
  14. Do you provide data protection awareness training for all staff?
  15. If you have third parties that process your personal data, do you have a written contract with them which meets the legal requirements?
  16. Do you know the information risks you have and their business impact, so that you can manage them in a structured way?
  17. Have you implemented technical measures and policies to integrate data protection into your data processing?
  18. Do you understand when you must conduct a Data Protection Impact Assessment?
  19. Have you nominated a data protection lead, or a Data Protection Officer if you are required or prefer to (note this role can be outsourced)?
    • If you have a Data Protection Officer, have you notified the Information Commissioner’s Office?
  20. Do you champion a positive culture of data protection compliance in your business?
  21. Do you have an information security policy supported by suitable security measures?
  22. Do you record all personal data breaches, no matter how trivial?
    • Can you manage and resolve them?
    • Do you know which must be reported to the Information Commissioner’s Office?
    • Do you know which must be reported to the data subject?
  23. Do you know what must be done if any personal data processed by others on your behalf is transferred outside the European Economic Area?

If you don’t know the answers you really had better find out – we can help – take a look at our data protection solutions.

Crab Insight June 2020

Red Tape Busters Volume 7, Issue 09, Restoration

Welcome to the June edition of Crab Insight

Love your business – we do! As companies across the UK prepare for the ‘new normal’ we’ve just made our word of the month ‘Restoration’.

How are you going to restore your services while also taking account of and adapting to what was for most very difficult times?

Remember we are here for you, to help you meet the challenges ahead.

Stay safe.

Claudia Crab’s June Focus


Personal Data Processing

“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”

Elizabeth Denham, Information Commissioner

The Information Commissioner is the UK regulator for data protection and can impose substantial penalties for infringements. Data subjects also have a right to claim compensation if a company has caused them damage by breaching the rules.

When you collect data you need to be transparent about why you are collecting it and how you will use it. This should be set out in an easy to find (and read) privacy notice or policy.

Where you share data with anyone else you need to make it clear with whom you are sharing it and why.

There are specific requirements and guidance if you outsource your data handling to a third party data processor. You must carry out suitable diligence and have written agreements in place which cover defined points.

If you use CCTV, cloud computing, cookies or engage in direct marketing, to name but a few, there is also specific guidance which must be followed.

Our top tip: if you process personal data, make sure you pay the data protection fee and give the correct privacy information to people. Don’t forget employees and suppliers as well as customers and clients.


F2 Business Huddle Online

Location: Your Workstation

The next online F2 Business Huddle is FREE

It’s on Friday 12 June 2020

12 noon to 2 pm

It is going to be the biggest F2 Business Huddle ever – so far

All the favourite features that you have come to know and love at the F2 Business Huddle – online


Reputation Advocates

When you need a reliable and dependable expert click on the crab


Feedback

We love to receive feedback and it really helps us to improve our services for everyone.


Until next month look after your reputation!!

T:023 9263 7190 | E: enquiries@crimsoncrab.net | W: www.crimsoncrab.co.uk

Copyright (c) 2020 Crimson Crab Ltd, all rights reserved.

The Fundraising Preference Service

The Fundraising Regulator (FR) is inviting charities, sector professionals and members of the public to give their opinion on different elements of the development of the Fundraising Preference Service (FPS).

Anyone who registers online to take part in the consultation will receive a brief weekly email from the FR asking for feedback on different aspects of the FPS, ranging from function to appearance.

Fundraising Regulator's Guidance on Data Protection

The Fundraising Regulator has published guidance on processing personal data and consents relating to fundraising by charities to help them better understand their responsibilities in relation to donor consent, data protection and legitimate interests to be ready for the EU General Data Protection Regulation. The guidance can be found here.