InsightsInsight - Data Protection and GDPR - POSTED: July 29 2015
Protecting data and your business
Most businesses have to process and use personal information on a daily basis – this can be for the purposes of collating information (for existing clients or marketing tools for prospective clients) or even accessing employee records. When doing this, any business must ensure that it complies with the obligations set out under the Data Protection Act (the ‘DPA’).
- Share this article
- Print this article
Why does it matter?
Good management of this data is critical – no matter what the size of the business.
Businesses are required under the DPA to clearly state what they are going to do with personal data – this includes what information is being collected, how it will be used and who it will be shared with. It is normally the easiest route for a business to have a ‘Privacy Notice’ that ensures compliance with the obligations under the DPA. This can then be given to clients and also displayed easily – such as on a website.
Loss of personal data will result in reputational damage, but it can also really hit a business hard in the pocket. Information security breaches can result in large fines (potentially up to £500,000) and the business could face compensation claims directly from individuals.
Businesses should have a data protection policy and procedure to ensure both personal data and the business is protected.
If you have adequate data protection policies and procedures in place – these can often be used as mitigation if something does ever go wrong. A lack of policies and procedures within a business are often pointed to when fines are issued for breaches of the DPA. If policies and procedures are in place and a ‘Data Protection Officer’ is named to oversee them and act as the point of contact – then it can at least be argued any breach was accidental.
What rights do individuals have to ask for information?
The DPA sets out that individuals have the right to access personal data held by any organisation by making a subject access request (a ‘SAR’).
If you receive a SAR – you must act quickly. Unless one of the exemptions to disclose information applies, then the information requested must be supplied within a strict timeframe. All different types of information can be requested and may need to be handed over – so, for example, you need to ensure staff realise this and that no embarrassing, unprofessional or rude emails are floating around
This content is correct at time of publication
Can we help?
Take a look at our Data Protection and GDPR page for useful information, resources, guidance, details of our team and how we may be able to help you
Get in touch
Please fill out the below form or alternatively you can call us on 01622 690691