What are the benefits of doing it right?


• It will help your organisation to comply with its legal obligations under information rights law.
• It will save your organisation time, effort and money.
• Information is a key business asset. Handling it properly will help your organisation to achieve its business objectives.
• It builds up good relations and trust with the people you deal with.
• It is good customer service.

What are the risks of doing it wrong?


• Financial and reputation costs. A data breach can be expensive to put right and will reduce customers’ confidence in your organisation.
• You may receive a monetary penalty of up to €20 million or up to 4% of annual global turnover from the Information Commissioner’s Office (ICO).
The following suggestions will help your organisation to understand the benefits of complying with Information Rights law. It is important to note that Chess would expect all of our suppliers, customers and partners to be fully compliant with the relevant Privacy legislation.


Registering with, and paying a fee to, the ICO (Information Commissioner’s Office) is required by law if you hold or process any Personal Identifiable Information as a business or sole trader. This is separate from registration as a business with Companies House. (There are exemptions.)


Personal Identifiable Information


Personal Identifiable Information is “any information that, alone or in combination with other information held by the Business or any of its Subsidiaries, can be used to specifically identify a Person.” This includes names, addresses, phone numbers, identification numbers, email addresses, etc.

This could also include your business name:
e.g. “Flowers are Us Ltd” is not PII, however “Joe Blogs Flowers” is PII (as it identifies Joe Blogs).

You MAY be exempt from the fee if you only process information for the following purposes:

• Staff administration (including payroll): you only hold the personal information of the people you need to for your staff administration.
• Accounts or records (i.e. invoices and payments): you only hold the personal information of the people you need to for your own accounts and records. The information is restricted to what is necessary for your own accounts and records – for example name, address and credit card details. However, this does not include information processed by or obtained from credit reference agencies.
• Advertising, marketing and public relations (in connection with your own business activity): you only hold the personal information of the people you need to for your own advertising, marketing and public relations, and you only advertise and market your own goods and services.


IF HOWEVER, YOU USE CCTV ON THE PREMISES FOR CRIME PREVENTION PURPOSES YOU WILL NEED TO PAY A FEE.

Whether you need to pay a fee or are exempt from paying one, you still need to comply with the Data Protection Act 2018 and the General Data Protection Regulation.


If you hold such information:

 

1. Do you know what you use it for?


• Have you thought about what information comes into, through and out of your business?
• Does this information include personal data about your customers? This could include names and addresses of people you deliver goods to, contacts you use for telemarketing, and members’ enrolment details.
• Do you know why you collect and hold personal data?
• Have you made a record of the personal data you hold, what you do with it and why you hold it? The records you need to keep include the following:


○ The type of data you have, such as names and email addresses.
○ How you got the data, such as on paper forms or through your website.
○ Why you have the data.
○ How long you’ve had the data or will keep it.
○ If you share the data.
○ If the data is ‘special category data’ or sensitive data, such as medical information.

 

2. Do people know you have their personal data and understand how you use it?


• Do you tell people how you use their personal data?
• Do you tell people if you’re sharing their data?
• Do you tell people what you plan to do with their data either in paper form, such as using leaflets or posters, or online through a privacy notice or statement?
• If so, does this privacy notice or statement include all of the following information:


○ The name of your business and the person responsible for data protection.
○ Why you hold the personal data (your lawful basis) and what you do with it.
○ Where you got the data from.
○ Who you share the data with and how you do this, including any sharing outside the UK.
○ How long you keep the data for.
○ How people can request access to, or correction or deletion of, their data.
○ How to complain to the ICO.
○ Whether you make automated decisions or do profiling based on the data you hold.


3. Do you only collect the personal data you need?


• Do you only collect the personal data you need to work with and use?
• Do you make sure people know the difference between information they need to provide and information that is optional?


For example:
Ashley is a window cleaner. He collects his customers’ names and addresses, which he needs to be able to clean their windows.
Ashley would also like to collect his customers’ email addresses so he can email their bills instead of posting them through their front doors. As this is not necessary for him to carry out his services, he tells his customers that giving him this information is optional.

 

4. Do you only keep personal data for as long as it is needed?


• Have you decided and documented how long you will hold the personal data you collect?
• Do you refresh or destroy personal data after specified periods of time?
• Do you securely delete or destroy personal data as soon as you no longer need it?


For example:
Peter is a newsagent. He collects the name, address and phone number of his customers, as well as their weekly newspaper orders and details of their payments.
Peter creates a document that details what personal data he collects and how long he holds it (the retention period). At the end of the retention period, he securely destroys the data by shredding it.
He also annually checks the personal data he holds to make sure everything has been deleted at the end of its retention period.
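The record-keeping in item 1 (what data you hold, how you got it, why, how long you keep it, whether it is shared, whether it is special category data) and the retention check in item 4 fit naturally into a small register that can be reviewed on a schedule, as Peter does annually. The following is an added example, not part of the original guidance and not Chess or ICO code; the `ProcessingRecord` structure, the function names and the sample newsagent entries are all constructed for illustration.

```python
# Added example (not from the original guidance): a minimal record-of-processing
# register with a retention review, modelled on checklist items 1 and 4 above.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ProcessingRecord:
    """One entry in the record of personal data you hold (checklist item 1)."""
    data_type: str                 # what you hold, e.g. "customer name and address"
    source: str                    # how you got it, e.g. "paper order form"
    purpose: str                   # why you hold it
    collected_on: date             # when you obtained it
    retention_days: int            # documented retention period (checklist item 4)
    shared_with: list = field(default_factory=list)  # who it is shared with; empty = not shared
    special_category: bool = False                   # e.g. medical information

    def expires_on(self) -> date:
        """Date on which the retention period ends and the data should be destroyed."""
        return self.collected_on + timedelta(days=self.retention_days)


def _as_date(value) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_review(records, today):
    """Return the records whose retention period ended on or before `today`.

    This is the periodic check from the newsagent example: anything returned
    should already have been securely deleted or shredded.
    """
    today = _as_date(today)
    return [r for r in records if r.expires_on() <= today]


def register_summary(records):
    """Summarise the register: which data is shared and which is special category.

    Both are things the checklist says you must record and, under item 2,
    tell people about in your privacy notice.
    """
    return {
        "total": len(records),
        "shared": sorted({r.data_type for r in records if r.shared_with}),
        "special_category": sorted({r.data_type for r in records if r.special_category}),
    }


# Constructed sample data, loosely following the newsagent example (not real data).
SAMPLE_RECORDS = [
    ProcessingRecord(
        data_type="customer name, address and phone number",
        source="in-shop order form",
        purpose="deliver weekly newspaper orders",
        collected_on=date(2023, 1, 10),
        retention_days=365,
    ),
    ProcessingRecord(
        data_type="payment records",
        source="till receipts",
        purpose="own accounts and records",
        collected_on=date(2023, 11, 1),
        retention_days=6 * 365,
    ),
    ProcessingRecord(
        data_type="delivery note: customer's medical condition",
        source="told to us by the customer",
        purpose="adjust delivery arrangements",
        collected_on=date(2024, 3, 1),
        retention_days=30,
        shared_with=["delivery driver"],
        special_category=True,
    ),
]


if __name__ == "__main__":
    review_date = date(2024, 6, 1)
    for rec in retention_review(SAMPLE_RECORDS, review_date):
        print(f"OVERDUE for destruction: {rec.data_type} (expired {rec.expires_on()})")
    print(register_summary(SAMPLE_RECORDS))
```

Run it with a review date of 1 June 2024 and it flags the two entries whose retention periods have ended (the customer details collected in January 2023 and the 30-day delivery note), while the six-year accounting records remain. The same register answers the item 2 questions about what you share and whether you hold special category data, so one document serves both the privacy notice and the retention check.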


5. Do you keep personal data accurate and up to date?


• Do you regularly check that the personal data you hold is accurate and up to date?


For example:
Kevin is the manager of a local football team. Every month he emails the team about upcoming matches. Kevin should regularly check with the team members that the email addresses are still accurate.
Eric owns a small recruitment agency. Every year he emails his clients to ensure all contact details are up-to-date and still accurate. How could you do this with your customers?


• Can you update information quickly if asked by an individual?


6. Do you keep personal data secure?


• Do you keep personal data secure in the office, for example by using lockable filing cabinets and locking or logging off computers when away from your desk?
• Do you take steps to keep personal data secure before you take it out and about or send it somewhere else? For example, do you only take with you the data you need or send it in advance by secure methods?
• Do you keep paper documents secure, say by using lockable storage and disposing of paper records securely?
• Do you keep electronic data secure, say by encrypting mobile devices, using passwords and backing up the data?
• Is your office or shop a safe and secure environment for your data? Are all doors and windows checked before leaving the premises on every occasion?
• If working from home, does the same security and “clear desk policy” apply?


7. Do you have a way for people to exercise their rights regarding the personal data you hold about them?


• Do you know about the rights individuals have under the law?
• In summary these are as follows:


○ The right to be informed – being told what data you hold about them and what you do with it.
○ The right of access – being able to request a copy of their data you hold within 30 days.
○ The right to rectification – being able to have inaccurate data corrected.
○ The right to erasure – being able to ask you to delete / destroy their data.
○ The right to restrict processing – being able to limit the amount or type of data used.
○ The right to data portability – requesting to move their data electronically to another business.
○ The right to object – being able to request you stop using their data.


• Do you have plans in place so you can deal with any requests?
• Do you know that a request can be made in writing or verbally, in person or on the phone?
• Are you able to delete someone’s information if they ask you to?

 

8. Do you and your staff (if you have any) know your data protection responsibilities?


• Have you trained all your staff who handle personal data on their data protection responsibilities?


For example:
Bob is a builder and employs two office staff. He has briefed them about keeping information safe and secure, explained to them what privacy information he has given his clients, and told them what to do if anything goes wrong or records go missing. He also displays a poster in the office, which he printed from the ICO’s Th!nk Privacy library, and does an office sweep every week to check that personal data is locked away securely.

• Do you know what to do if something goes wrong, including a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.


• Do you know which breaches to report to the ICO?

A breach can have a range of adverse effects on individuals, which include emotional distress and physical and material damage. You need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO. This can be done via a link on the ICO website.


• Do you know which breaches you have to inform individuals of?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, as soon as possible.


Data Privacy is now embedded in UK law and needs to be dealt with by businesses of all sizes.


Privacy is not something to be avoided, and once you have your systems in place, no matter how simple, they should be easy to manage and maintain.


For further information regarding Privacy, Data Protection and GDPR please visit the ICO website: ico.org.uk


Sandra Lovell-Struthers
Head of Quality & Compliance/DPO at Chess
SandraLovellStruthers@ChessICT.co.uk