Serving over 1.5m visitors each year

Search
FREE Business Banking FOREVER!
With Santander you can enjoy free day-to-day business banking, forever! Find out more by calling us now on 0800 085 3099 or click here.

Top 10 data protection pitfalls for SMEs – and how to avoid them

print  e-mail 

All businesses handle information about people – staff, customers, suppliers. Data protection is all about taking care of this information and it’s not difficult. But it’s also very easy to get it wrong – and the results can range from bad publicity to legal action and fines.

Here are the top 10 blunders and how to avoid them:

Blunder 1: Totally ignoring the issue.

This can lead to any of the scenarios below – plus additional costs in putting things right.

Blunder 2: Not checking if you need a data protection notification.

This outlines the personal information being used by your business (including sole traders) or organisation for different purposes e.g. staff records, accounts, marketing. It only costs £35 per year and you can fill in the form on the Information Commissioner’s website (at www.ico.gov.uk follow the link 'For organisations'), print and post it off. Some businesses don’t need to notify (but they still have to comply with other data protection requirements) – use the checklist online to find out. If you don’t notify when you should, you can be fined. But beware of bogus agencies that send you threatening letters and charge a lot more than £35 to do your notification.

Blunder 3: Not training your staff.

It’s everyone’s responsibility to look after information – and your staff can alert you to accidents waiting to happen. Think of all those high street banks putting out customer details in bin bags – didn’t anyone notice and think it was a bad idea? Do it the right way and everyone will have valuable insights they can use to protect themselves against ID theft and other threats outside work as well as buying in to safeguarding the personal information they handle at work.

Blunder 4: Not explaining to customers how you are going to use their information

This is particularly necessary if it isn’t obvious - such as making credit checks on them or recording their calls. Make sure that it's clear to the customer who you are - so they know who is handling their information when they provide it. Then work out the best way to deliver the information about how you will use the customer's details. But watch out for the next one –

Blunder 5: Having a privacy policy on your website that is five pages long and as clear as mud.

This is a waste of time for everyone. You need to explain about cookies but most of the rest can be said in a few words where people actually fill in their details. They are more likely to read it as well if it's right there on the online form. And that's where marketing options definitely need to be - see below.

Blunder 6: Not being up front about marketing.

There are strict rules about marketing - especially by phone, fax and electronic channels such as email and SMS. You need to explain things clearly so customers understand their choices and will be pleased instead of annoyed to receive your marketing in future. You also need to check permissions very carefully when renting in a marketing list. And when people ask you to remove their details from your marketing database because they don't want any more direct marketing - you need to explain that you must keep some details on a suppression list to make sure you don't market to them again!

Blunder 7: Not having adequate security.

How many times have you read about missing laptops with customer data on them? But also think about security for your website, your premises and PCs and paper records. And don’t forget your staff – they need to know the rules about things like not sharing passwords, checking identities of callers, what information they can give out and when. You also need ways of monitoring to ensure that staff are not misusing information – such as credit card details supplied by customers.

Blunder 8: Not recognising a ‘subject access request’.

A real mouthful but all it means is someone asking for a copy of information you hold about them –this may be for a specific piece of information or everything. No one usually bothers unless they are annoyed with you. This is a chance to turn around a complaint – or get into trouble for ignoring the request. Make sure your staff know how to recognize a request and what to do with it. It needs to be made in writing and you are allowed to charge a £10 fee for processing it (but you may decide just to handle it in the normal course of business). You should also have a way of confirming that the person is who they say they are. Requests can be made for emails, images, recordings as well as information in your databases and some paper files. Check that your systems allow you to pull all this out. And take care not to reveal information about other people - you will usually need their consent first. The Information Commissioner has recently issued an advice note on this topic for SMEs.

Blunder 9: Not including data protection in the contract with a sub-contractor who is handling personal information when they do work for you.

This could be, for example, a fulfilment house. It doesn’t have to be complicated or long – it just needs to ensure that the contractor only uses the information according to your instructions and also has adequate security to prevent data protection breaches. This is not just a paper exercise - you are responsible if anything goes wrong – so make sure they get it right! Go and check and, if necessary, include financial penalties in the contract for lack of care for personal information.

Blunder 10: Thinking it won’t happen to you.

It can and does but now you know what to do to make sure it doesn’t!


About the Author

Sue Milnes runs Simply DP, a consultancy providing training and advice to demystify data protection. She has practical experience of applying data protection both in the private and public sectors.

Please note that this information has been thoroughly checked and is correct to the best of our knowledge. However, it should not be used as a substitute for legal advice. The content of this article is of a general nature and no liability is accepted in connection with it or if any reliance is placed on it.

Posted June 12, 2007
Click Here
Latest articles in Legal Guides
 
Why are written contracts importance to businesses?
In this article, Andew Taylor explains why written contracts are both necessary and important to small businesses. [January 11, 2010]
 
The importance of intellectual property
What is involved in protecting your intellectual assets - including patents, copyright, brand names, trade marks, design rights, domain names and online content. [December 7, 2009]
 
Staying legal – how to ensure your web business is compliant with UK regulations
You often hear business people complaining about red tape, and unfortunately they are right. Like every area of business these days, ecommerce has its own rules, regulations and laws. In fact, selling online tends to be worse because of the international dimension. [November 4, 2009]
 
Small businesses should ask more questions when appointing solicitors
Small companies could be shelling out millions in unnecessary legal fees simply because they don't ask the right questions when they appoint solicitors. [August 18, 2009]
 
Furnished Holiday Lettings Scheme - An opportunity for overseas property owners
The repeal of the so-called “furnished holiday lettings” or FHL rules, and a very important change in the interim will allow owners of qualifying overseas property to benefit from tax advantages. But there's only a short window of opportunity to take advantage of the rule change. [July 24, 2009]
 
Seven leasehold property pitfalls for commercial tenants
Companies can often be faced with a nasty shock and a big bill when moving out of leasehold premises. In this article, we explore some common and costly mistakes often made by ill-informed commercial tenants. [July 8, 2009]
 
Guide to business libel in the Internet age
Over the years, what qualifies as libel has developed from the written word to include such things as radio broadcasts, and perhaps most importantly, the internet. How employee emails and personal blogs can be a cause for concern to employers. [May 27, 2009]
 
What is a confidentiality agreement or 'NDA'?
Non-disclosure agreements, or NDAs, are used to outline how two or more parties will share confidential information, without knowledge of such information going any further. [April 17, 2009]
 
What records are employers required to keep by law?
The three main areas where small businesses over-comply are - taking on new staff, the National Minimum Wage and the Working Time Regulations. But what records are employers required to keep by law? [October 24, 2008]
 
Guide to Copyright Law - What is protected?
Copyright law is one of the key areas of intellectual property protection. In the United Kingdom, protection applies automatically once the work is created. In this expert legal guide, we step through each different types of work that are protected, and explain the extent of the monopoly granted. [September 3, 2008]
 
Why it is important to have a Partnership Agreement
Graeme Jump from Mace & Jones looks at why it is important to have a partnership agreement when setting up a business with colleagues, following a recent case. [August 21, 2008]
 
Make sure your solicitor is qualified to take on your case
During a time of financial uncertainty the number of complaints made against solicitors has risen by nearly a third this year. One author suggests that a major contributing factor to the rise in complaints is that in most cases, the wrong solicitor was selected at the outset. [August 12, 2008]
 
Choosing a solicitor for your business
When running your business, there may be times when you’ll need to obtain legal advice. How to choose a solicitor for your small business [July 15, 2008]
 
Passing the family business to the next generation - Legal Guide
Of all the many things that can disrupt or wreck a business, a change in ownership must be near the top of the list. We look at the common ways of transferring ownership to the next generation, and the pitfalls you might encounter along the way. [June 4, 2008]
 
How the Data Protection Act can affect your business
What the Data Protection Act is and what it means for your business and direct marketing campaigns. If you hold any form of personal or marketing information about customers, prospects or staff – even just their name and address – then you should register. [February 19, 2008]
 




Our Partners
Key Services
Legal Guides
Click Here

© Bytestart Limited 2005-2009 - All Rights Reserved | Terms of Use | Site List | Website Feeds | Rss Feed RSS Feed

Business Insurance, Business Bank Accounts, Public Liability Insurance, Professional Indemnity, Startups, Limited Company, Sole Trader