Dealing with data can be a nightmare for small businesses and even government bodies can get it wrong, as the attached article clearly shows. Our small business clients regularly tell us that they consider data protection to be a difficult topic and too often as a result, it gets overlooked or worse, ignored.
Pretty much everyone in business these days handles data. And for most of us, that data comes with legal obligations attached to how we request, record, store, share and use it. And the law on data is unavoidable.
So do you know your legal obligations when dealing with the personal data of your customers, suppliers or employees?
Here’s a helpful summary of 6 steps to handling data efficiently and lawfully:
- Collecting it: only collect personal information that you need for a specific clearly communicated purpose and get consent to collect it (if you’re up-front and transparent about your objectives, this has the added benefit of improving your business reputation by increasing confidence and trust in you); relevant examples of collecting data include: CCTV recordings, obtaining personal information over the phone or via email and using cookies on your website;
- Using it: only use it for your stated purpose, unless you subsequently get express consent to expand your usage of it to other stated applications;
- Storing it: keep it secure by encrypting data that you store, erasing or destroying data when it’s no longer needed, using strong passwords and shredding printouts that contain sensitive data. (These practices protect both you and your customers; if you leak personal information, even inadvertently, it can expose you to some pretty serious legal consequences);
- Keep it current: ensure the data you collect and retain is relevant and up to date (sending communications using out of date records could annoy a disinterested or unconsenting customer and may get you into hot water, or it may fail to reach an interested customer and is a wasted effort and cost);
- Be proportionate and responsible: only hold as much personal information as you genuinely need for your business purposes, and hold it for only as long as you genuinely need it (most customers object to the idea that their personal data may be held on databases or on other formats where there is no benefit to them of it being there; complaints are frequent where they discover that this is happening without their knowledge and /or consent and such complaints can be damaging to both your business relations and reputation, as well as legally expose you to fines and other consequences in very serious instances);
- Be transparent and permit access to information owners: allow the client, employee or supplier of the information to see it promptly on request. They are legally entitled to see it and you are legally obliged to allow them to do so.
Getting consent to collect data is generally pretty straightforward. You can make it clear to your customers when they browse your web-site that you’re collecting information on them. You can and should include alerts and explanations within your written or online promotional materials, clearly indicating that you collect data and that by continuing with an activity, the customer (data provider) is deemed to consent to your collection of that data.
If you have any data protection issues and need fast and efficient advice, get in touch with us by clicking here.
You're on our blog and updates site, which is hosted by elXtr. elXtr is a leading digital hub powered by the award-winning lawyers at LHS Solicitors LLP, bringing you real law, made easy. Find out more about elXtr here. Law for the online generation starts here.
Hampshire County Council has been hit with a £100,000 fine by the Information Commissioner’s Office (ICO) after documents containing personal details of over 100 people were found in a disused building. Social care files, along with 45 bags of confidential waste, were found at Town End House, in Havant. They contained highly sensitive information about adults and children in vulnerable circumstances.