Data protection is now a more onerous regime for small businesses, and this will only increase when the EU General Data Protection Regulation is implemented.
The Information Commissioner’s Office (ICO), which regulates the Data Protection Act 1998 (DPA), can impose penalties of up to £500,000. A glance at the ICO website will tell you how seriously they view failures to comply, so it’s crucial that small businesses understand their obligations under the DPA when dealing with any personal data, whether it relates to customers, clients or employees.
But for start-ups and small businesses, who can’t afford the luxury of a dedicated data protection officer it’s hard to know where to start. We asked Clare Edwards, of Hill Dickinson, to distil some of the complexities of the Data Protection Act, and to offer some practical tips for start-ups and small businesses when dealing with personal data;
What application does the Data Protection Act have?
The first question that any small business should consider is whether it processes (which includes most actions undertaken with data including obtaining, disclosing, storing, analysing and destroying) any information that is caught by the DPA.
If your business processes data electronically, intends to process it electronically, or uses ‘relevant filing systems’ – from which personal data about a specific individual can be found relatively easily – the processing will likely be caught by the DPA.
The definition of ‘personal data’ is wide and includes not only information that relates to a living individual who can be directly identified from that information, but also to opinions and information that ‘indirectly’ identifies a living individual when considered with other data held.
Obvious examples of personal data that a small business might process include salaries and holiday requests for employees, payment details for customers and client dates of birth and addresses.
Extra care needs to be taken where sensitive personal data (which includes details about race, political opinion, religious belief, trade union affiliation, physical or mental health, sexual life and the alleged commission of any offence) is concerned. The conditions for processing such data are more stringent than in relation to general personal data.
As a minimum, businesses processing sensitive personal data need to be aware of this higher threshold and should seek advice if they are unsure whether their processing of this type of data is fair and lawful.
What are the obligations under the DPA?
The DPA applies to any organisation that processes personal data and sensitive personal data. There is no minimum number of data subjects before the requirements of the DPA are triggered, or a minimum turnover for a business before it is subject to the obligations under the regime. The onus is on each business to understand the extent of its obligations under the DPA.
As data controllers under the DPA, start-ups and small businesses need to follow eight data protection principles (Principles) when processing personal data.
The Principles not only include ensuring that personal data is fairly and lawfully processed (Principle 1), and that it is adequate, relevant and not excessive (Principle 3), but also that appropriate steps are taken against ‘unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’ (Principle 7).
There is no expiry date on obligations under the DPA and it will apply throughout the customer, client or employee relationship, as well as after termination of the relationship if personal data continues to be processed.
Small businesses need to be aware that any initial enquiries into a website may constitute processing of personal data, as well as processing a one-time purchase.
What practical considerations should your business have?
Subject access requests (SARs)
Individuals have a right to request a copy, in permanent form, of personal data that organisations hold about them at any time. This is not limited to employees. Make sure that your business knows how to handle subject access requests (SARs) and how to comply with the 40 day time limit to respond.
A SAR under the DPA is not limited to personnel or wages information, but might also include data that is commercially sensitive. Knowing what falls within the scope of a request is key and you should seek further advice if you are unsure about how to deal with a request received.
Data protection review
Small businesses should consider undertaking a review of what personal data they process. An assessment can then take place as to whether the personal data collected is irrelevant or excessive, and measures taken to stop collecting such data.
If sensitive personal data is processed then advice should be sought as to the specific conditions that need to be fulfilled in order for such processing to be lawful.
Policy and training
A clear and consistently applied data protection policy is key no matter the size of organisation, as well as training to ensure that your business’s employees are aware of their obligations under the DPA.
The consequences of a data breach are far-reaching, with the potential for individuals themselves being criminally liable if they knowingly or recklessly disclose personal data unlawfully. Even basic compliance training will kick-start data protection awareness and stand your business in good stead to avoid data breaches.
Aside from this, serious breach of data protection rules can be a disciplinary matter, and a Code of Conduct which covers the DPA is advisable.
In the event of a security breach under the DPA emanating from an employee or someone else that has had access to your data as a processor – such as a payroll provider, IT technician or shredding company – you must be able to show that you have taken measures to safeguard personal data.
It is especially important to ensure that destruction or deletion of personal data is done securely. You are required to have written contracts in place with data processors and this will be crucial to apportion liability in the event of breach.
Recruitment and selection
When recruiting, only collect information that is reasonably required. By way of example, motoring offence details will only be required from applicants that are applying for roles where driving is a particular requirement of that role. This information should be kept for no longer than is necessary. Data about unsuccessful applicants should be kept for no longer than six months unless business needs dictate otherwise.
You should also include a statement on job adverts that states the purposes for which personal data will be processed when recruiting.
When references are collected, ensure that the sources are credible and that only questions that are relevant to the role are asked, not as a means of general intelligence gathering.
The ICO has the power to impose monetary penalty notices of up to £500,000 for breaches of the DPA, as well as powers to prosecute and issue undertakings and enforcement notices.
In the context of the forthcoming EU General Data Protection Regulation (which will mean more stringent data protection obligations, increased fines and a wider definition of ‘personal data’), a heightened awareness of data protection by data subjects and several high profile ICO decisions, small businesses need to have a better understanding of their obligations under the DPA when handling personal data.
Now, is therefore a good time for small businesses to tighten up their data protection procedures, so that when the EU Regulation comes into effect, they are already taking a proactive approach to compliance.
This article has been written for ByteStart by Clare Edwards of Hill Dickinson, an award-winning commercial law firm.