The ICO (Information Commissioner’s Office) is the UK’s independent body dedicated to upholding information rights in the public interest and data privacy for individuals. It enforces the Data Protection Act and the GDPR as well as other important pieces of legislation such as the Freedom of Information Act and the Privacy and Electronic Communications Regulations.
One of the main roles of the ICO is to ensure that organisations comply with these laws, under these laws organisations must meet standards for data protection and confidentiality. The ICO has a duty to investigate complaints from members of the public and can impose hefty fines on businesses that are seen to be flouting data protection rules.
The Data Protection (Charges and Information) Regulations 2018 requires every organisation that processes personal information to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so will result in a fixed penalty.
There are more than 900,000 fee payers. The ICO register and publish:
the name and address of the controller;
the data protection registration number;
the level of fee paid;
the date the fee was paid and when it is due to expire;
any other trading names of the organisation; and
the contact details for the DPO if they have been told of one. The DPO name will also be published if they have consented to this.
You can search the register by clicking here
Source: ico.org.uk
Whether you’re just starting out or you’ve been in business for a while, here are 14 things all small businesses need to know about data protection.
1
They want to know what you plan to do with their personal data. They also want a say in what happens to it.
Be proactive and tell your customers what you’re doing with their data and why. The ICO have made it easy for you to make your own privacy notice.
2
Without data, you’d probably struggle to fulfil a contract or complete an order, so it makes sense to put security measures in place to protect it.
3
Most businesses now rely on computers and remote working. Trying to do things more or less the same way you’ve always done them probably isn’t what’s best for your data, your customers or your profits.
Make it a habit to check how you’re doing with your data protection compliance on a regular basis. The ICO want to help you comply.
4
If you’re supplying goods or services to larger organisations, procurement contracts can insist on suppliers having data protection policies in place, which could give you a competitive edge. Similarly, organisations with ethics and corporate social responsibility policies look for suppliers who meet these standards.
Having your data in order also reduces the risk of personal information getting lost, stolen or used in ways your customers wouldn’t expect.
5
Data protection compliance is an investment, one which helps you to avoid the cost and time of dealing with issues, such as formal complaints and breaches of personal data, that can come up when a business doesn’t take effective steps to comply.
Good data protection practices could also lead to bonus efficiencies for your business. For example, the law calls for ‘storage limitation’, which means not keeping data for longer than you need it. When you do it right, you’ll have less data to go through, making it quicker and easier for you to find what you need and cheaper to protect what’s really important.
6
The security of your computers and other IT systems is something every small business needs to get sorted – and you should test it regularly.
The law says you should keep personal data safe, using measures you think are appropriate. The risks you face will be unique to your business and how you run it, but keeping data safe often includes making sure you’ve got up-to-date anti-virus software, being careful not to leave your laptop unattended, using strong passwords and training your staff so that your security links are strong all along the chain.
7
The ICO’s fines and penalties may grab the headlines, but the ICO know that helping you to comply is the most effective way of reducing mistakes and misuse of people’s data.
There’s no big secret to not getting fined. The basics of data protection law are largely common sense. For example, everything you do with someone’s data must be legal, fair and clear to them. If something doesn’t feel right, then it’s worth double-checking it. The ICO’s tools and checklists can help.
8
There’s more to data protection than storing and handling it in a safe way. People also have rights over their data.
For example, the right of access is where someone can ask you for a copy of their data through a subject access request (SAR). It’s a good idea to have a plan for how to deal with a request for information because this is quite common.
There are also situations where people can object to your use of their personal data, especially if you’re using it for marketing. People also have the right to challenge the accuracy of information you hold about them and can ask you to delete it. These rights don’t always apply, but you still need to take requests seriously and respond within a month.
9
Some personal data breaches – usually the more serious ones – need to be reported to the ICO within 72 hours of you becoming aware of them. So you’ll need to act fast if this happens. You could save yourself a lot of stress by familiarising yourself with the ICO’s simple guide on how to respond to a personal data breach. We hope you won’t need it, but it’s better to be prepared.
If you find out that personal data has been accidentally or deliberately lost, destroyed, changed or seen by someone who wasn’t supposed to have access to it, but you don’t think anyone will be adversely affected, it’s unlikely you’ll need to report it to the ICO. The ICO’s simple guide on understanding risk in personal data breaches helps you to know the difference.
10
There are limits on what you can do with people’s personal data. You need a ‘lawful basis’, chosen from a list, which reflects the reasons you think it’s within the law for you to be doing what you’re doing.
There’s no lawful basis that’s better or more lawful than the others. You have to choose which is most appropriate for what you’re doing and stick to it. It’s your call to make but the ICO’s interactive tool may help you decide.
11
Some types of data are exempt from data protection laws. For example, data protection doesn’t apply to information relating to people who have died.
Nor does it apply to data that isn’t personal, such as information about limited companies. It’s unlikely that bank account statements and invoices about a limited company include any personal data. Even if they mention directors or employees, the information in these documents is about the company, not about those individuals.
12
Your staff need to understand their role in making sure your business complies with data protection laws. To do this, you’ll need to train them regularly and make sure this training is relevant for their role.
Remember that you hold data on your staff too. Staff have the same information rights as customers. Make sure they can access your privacy notice from the first time you collect their details – this is usually during your recruitment process. And you need to know how to deal with a request for information in case a staff member asks for a copy of their information.
13
It’s part of UK law for companies – including small businesses – to pay a data protection fee to the ICO. This funds the ICO’s work.
Check if you need to pay the data protection fee. There’s a fine to pay if you don’t pay when you should.
You could be exempt if you’re only processing personal data for your core business purposes, but you should check this. This exemption covers things like staff administration, accounts and advertising your own business. But if your small business uses CCTV for crime prevention purposes, chances are you’ll need to register with the ICO and pay the data protection fee.
If you’re not exempt, the annual fee starts at £40 for those with up to 10 staff and a turnover of less than £632k.
14
Data protection isn’t something that can be done overnight. It’s an ongoing journey.
If you put in the time, it’s possible for every small business to have great practices in place. If you get stuck, the ICO are here to help.
With the GDPR, Europe was signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
The New UK GDPR is effectively a copy of the EU GDPR with a few minor amendments, it also gives the UK the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the Data Protection Act 2018. In Summary for UK GDPR Data the key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
GDPR data protection is focussed on Personal data and ensuring an individual’s privacy and rights are protected when information about them has been collected or processed. To help businesses understand this UK GDPR has seven key principles: –
Lawfulness, fairness and transparency.
Purpose limitation.
Data minimisation.
Accuracy.
Storage limitation.
Integrity and confidentiality (security).
Accountability.
Further information can be found on the ICO’s website at: The principles | ICO
Here at Solutions we carry out a regular GDPR Audit to ensure our controls, policies and procedures meet the requirements of GDPR and DPA 2018, and also identify any areas for improvement. These GDPR audits also align with our requirements under our ISO 27001 and IASME Governance certification. There are no questions that our Management system for ISO 27001 and IASME Governance have assisted with GDPR and DPA compliance, as not only do we have our own regular internal audits we also have annual external audits, meaning these areas of our business are checked frequently. Regular checks are important as Businesses and the data it holds can change daily.
If you don’t have the skills in house to do your own audits or don’t have certifications requiring external audits, you can request a GDPR audit from the ICO for free. Further details can be found at: – Audits | ICO
As a business you can also utilise GDPR consultancy services, where someone experienced in these regulations will provide assistance to firstly identify your risks and also put the correct controls, policies and procedures in place. If you don’t have the skillsets in house, this can often be the most cost-effective way of putting a good system in place, and ensuring that system actually complies.
All businesses have to comply with different laws and regulations – and this is one of them, done properly this should make your business more efficient and carry less risk. So it’s a case of needing to invest the time.
A significant data loss could be detrimental to your business, even a minor breach could have a significant impact, please read the following link on the ICO’s website.
ICO Enforcement: Enforcement action | ICO
If you would like further information or any advice please contact one of our security team using the contact form below, or call 0121 289 4477.
AI tools are changing the game for coding, making it easier than ever to build websites, apps, and software without needing to be a tech wizard. For example, tons of website builder companies like Webflow and Wix now let people use AI to create digital products...
Sometimes cybersecurity slip-ups come from the places you'd least expect — like the very tools meant to keep you safe. Recently, over 1,700 sensitive documents accidentally ended up in the public domain, all thanks to a chain reaction involving Microsoft Defender...
Although organisation are quick to notice vulnerabilities in their systems, it still can take up to 363 days to fix approximately 50% of software security flaws.
Although organisation are quick to notice vulnerabilities in their systems, it still can take up to 363 days to fix approximately 50% of software security flaws.
Passwords have started to get weaker as a form of security. There are more attacks and breaches than ever, making it even more important to use a good password. We covered good password measures in a previous blog post here. However, millions of people still use...