Keeping your data secure
After a series of catastrophic errors by big businesses and the
government, data protection issues have been thrown into sharp
relief. As criminals become more savvy about how they can use data and
the public becomes more alert to the threats that identity theft and
careless handling of data pose, it has become increasingly important
for businesses to ensure their approach to data protection is as
scrupulous as possible.
The Data Protection Act
- The Data Protection Act came into force in 1998 and provides
businesses and public bodies with a series of regulations governing
how they handle people's personal information. If you
store any personal data on customers or employees, the Data
Protection Act applies to you.
- The information the Data Protection Act covers can be described
as any information about living, identified or
identifiable individuals. It includes names,
addresses, email addresses, dates of birth, bank details and
opinions expressed about an individual.
- The Data Protection Act is split into eight principles, which
require that you:
- Process data fairly and according to the law
- Process data for a limited, lawful purpose
- Only hold enough information for your purpose - nothing
excessive or extraneous
- Ensure the data you hold is accurate, relevant and
up-to-date
- Don't hold the data for any longer than necessary
- Process the data in line with individuals' rights (below)
- Ensure the data is kept physically secure
- Don't transfer the data outside the European Economic Area
unless it is adequately protected.
- You need to be aware of the rights the Data
Protection Act grants individuals. These
include:
- The right of subject access, which allows individuals to see
the data you hold on them
- The right to prevent direct marketing, which means individuals
can opt out of being targeted with direct marketing, either online
or by phone or mail. Once an individual has put their request in
writing, you have up to 28 days to stop.
- The right to have personal information corrected
- The right to prevent automated decisions, which prevents you
from making decisions about an individual using an automated process
or algorithm alone. For example, it would be against the law to employ
someone based purely on the results of a psychometric test.
- In some cases, you may be required to notify the
Information Commissioner's Office (ICO) that you are
holding data. The ICO allows people to find out what information
organisations are holding on them and what the information is being
used for. If you use individuals' information for any purpose other
than staff administration (payroll, etc.), marketing or PR for your
own business (rather than selling the information to a third
party), or accounts and records, you will be required to notify the
ICO. If you're at all uncertain, it's best to contact the ICO using
the contact details below.
Keeping your data secure
- Losing data will put your business at
risk, so make sure you follow best practice at all
times. If you have any doubts over how you are handling your data,
contact the Information Commissioner's Office or visit its
website.
- Carry out a risk assessment to identify physical
risks to your data. Could it be affected by power
cuts, theft or fire? Make a plan which details how you will take
action if your data is affected by any of these threats.
- Make a list of who has access to sensitive
data and who is responsible for inputting it, so you
can identify who you need to train and who is at fault if something
does happen to your data. Make sure these people are aware of the
Data Protection Act and know how to handle data correctly.
- It might seem obvious, but run regular virus
scans to minimise the risks computer viruses pose. A
recent report indicated that more than three quarters of business
computers are affected by viruses - and if your computer is hit by
a bad one, the result could be catastrophic.
- Implement an IT security policy to
make clear to your staff exactly how they should be handling data.
This should include rules on how to handle customer and business
information, limitations on the amount of access your employees
have to data, and an acceptable use policy for the internet and
email.
- As well as the increased threat of getting a virus,
misuse of the internet could have a damaging effect on
your business in other ways - including exposing your
business to an increased risk of legal action, a loss of
productivity, and damage to your reputation if one of your
employees sends a badly-worded email. Be vigilant on this point and
remind your employees that personal emails represent the company
as well as the individual.
- Create a data backup routine to make
sure your business isn't affected if something happens to your
servers. This should take place at least once a week, but ideally
every day.
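To show what a daily backup routine looks like in practice, here is an added example script (not from the original article or from any product it mentions). It archives a data directory into a timestamped, owner-only tarball, records a SHA-256 checksum so a corrupted or tampered backup is caught before anyone tries to restore from it, and prunes archives older than a retention period. The directory names, the 30-day retention and the sample customer file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal daily backup
# routine with an integrity check and retention pruning. Paths, names and
# the 30-day retention are assumptions chosen for illustration.

# make_backup SRC DEST [KEEP_DAYS]
# Archive directory SRC into DEST/backup-<timestamp>.tar.gz, write a
# SHA-256 sidecar next to it, restrict permissions, prune old archives,
# and print the archive path.
make_backup() {
    local src="$1" dest="$2" keep_days="${3:-30}" stamp archive
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"                       # backups hold personal data: owner-only
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    chmod 600 "$archive"
    # Record a checksum so tampering or bit-rot is detected before a restore.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    # Retention: remove archives and their sidecars older than KEEP_DAYS.
    find "$dest" -name 'backup-*.tar.gz*' -mtime "+$keep_days" -exec rm -f {} +
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Return 0 only if the sidecar checksum matches and the tarball is readable.
verify_backup() {
    local archive="$1" dest
    dest=$(dirname "$archive")
    ( cd "$dest" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
}

# demo_backup_cycle
# Build constructed sample data in a temp dir, back it up, verify it,
# then corrupt the archive and confirm that verification now fails.
demo_backup_cycle() {
    local work archive
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data"
    # Constructed sample record; not real personal data.
    printf 'id,name,email\n1,A. Customer,a@example.invalid\n' > "$work/data/customers.csv"
    archive=$(make_backup "$work/data" "$work/backups" 30) || { rm -rf "$work"; return 1; }
    verify_backup "$archive" || { rm -rf "$work"; return 1; }
    printf 'x' >> "$archive"                # simulate corruption of the archive
    if verify_backup "$archive"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    echo "backup created, verified, and tamper detection confirmed"
}

demo_backup_cycle
```

Run from cron once a day (a `0 2 * * *` entry pointing at the script, for example) to meet the article's "ideally every day" target. Because the archive contains personal data, it belongs on separate media or an off-site location, with the same access restrictions as the live data, and `verify_backup` should be part of the routine rather than something run only when a restore is already needed.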
Checklist
- The Data Protection Act sets out eight principles for the safe
and legal handling of data
- You might be required to notify the Information Commissioner's
Office (ICO) to comply with the Act
- Carry out a risk assessment to identify physical risks to your
data
- Make a list of employees who have access to sensitive data
- Run regular virus scans to keep your IT systems protected
- Implement an IT security policy
- Create a data backup routine
FAQ
How do I know whether the Data Protection Act applies
to me?
The Act applies to every organisation which holds data and uses it
commercially - whether that's for mailouts or just a database of
contacts.
How do I notify the ICO?
To notify the ICO, go to their website and download the
notification form. You need to send it to The Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF. You can also request a form over the phone by
calling 01625 545740. There is a charge of £35 for
notification.
What do I do if the police want to use our
data?
There is an exemption under the Data Protection Act which means
the police can use your data if it's going to help them prevent or
detect a crime or prosecute someone - but they need to demonstrate
that it will harm their case if you don't release it.