Now is a good time to take stock and consider what impact new technologies will have on how you collect, store and process the personal data that you hold. It's been 5 years since the Data Protection Act 2018 came into force (when everyone quickly wrote their privacy policy) and it's likely your own systems have changed, and your technical and organisational measures haven't been updated or tested. It's time to take a step back and review and update that good old privacy policy so you can be completely transparent with your customers and users of your website. Data protection compliance isn't a one-time thing and should be regularly reviewed.
Do you know what information you collect and why?
It's a good idea to review whether you still need the same amount of personal data you are collecting - consider what you are doing with that information and why.
How are you collecting personal data?
This isn't necessarily limited to data collected from the data subject themselves but will also include data collected through cookies on your website or even from third parties. For example, you may get business referrals from your contacts. Does your current privacy policy let customers know this? If you are unsure about cookies then ask your website developer to understand what cookies you have and what data they collect.
Do you still have a lawful basis for processing personal data?
Think about your reasons for having the personal data. If you are using consent as your lawful basis, then this must be freely given. You can't have a pre-ticked box and expect customers to "un-tick" this to indicate they do not consent to your using their personal data. It must be a positive choice that the customer understands. Consent isn't always the most appropriate lawful basis as consent can be withdrawn - It's best to consider the other lawful bases, for example, if you employ staff then you will have a legal obligation to process data, for example, providing information to HMRC. Or if someone has an accident on your premises you would have a legal obligation to share their personal data with the Health & Safety Executive. You may have a contract in place that allows you to share and process personal data, for example, an external company providing payroll services. In carrying out your business the other lawful basis you may consider for processing personal data is that you have a legitimate interest in doing so. This would relate to your commercial interests in carrying out your business but the processing should be proportionate and balanced against the interests of the data subjects. There should be minimal impact on their privacy.
Once you have collected it, are you storing it securely?
Do you have appropriate IT systems in place and are staff trained to be careful with personal data? Simple things like locking computer screens and tidying away papers when staff are away from their desks should be part of your culture. Consider using multi-factor authentication on devices so that if they get lost or stolen, they are more difficult to access. Consider when you last carried out staff training. With the increase in cyber-attacks staff need to know how to spot phishing emails and know not to click on unverified links and should be brought up to date.
Have you taken on any new third-party suppliers in the last 5 years?
You need to ensure you have appropriate contracts in place with your suppliers to set out each party's roles and responsibilities when it comes to personal data. Make sure you keep accurate records of their processing activities and the security measures they are implementing. Your contract should allow you to carry out regular audits and testing with your suppliers so you can trust they are complying with their side on the contract.
Have you been using any other new technologies?
A cautious approach should be taken regarding AI. Open AI such as ChatGPT means that any information you put into it is now part of the publicly accessible internet. If you are using AI then you may need to amend you current IT policy or have a standalone AI policy with clear guidelines to ensure employees understand the benefits and pitfalls (including disciplinary action) that would result from inappropriate use.
Do you know how to handle a data breach - what if an email goes to the wrong person or an employee accidently loses personal data on public transport?
You need to ensure staff are trained in reporting this internally and that a trained member of staff can take responsibility for containing a breach and recovering the data. In some cases, if there's a potential risk to the people affected, you may need to notify the Information Commissioner's Office. You also need to consider the cost of a breach, not just financially but also reputational risk. Make sure you keep records of any data breaches and ensure lessons are learned from any such incidents.
How long are you keeping personal data?
This should be regularly reviewed. In cases where you have a legal obligation to store personal data then there is often a legislative retention period attached to this. Otherwise, the business must determine its own retention periods and decide when to destroy personal data. You need to carry out regular reviews to ensure this is done and you should set up alerts on your IT systems. When it does come time to destroy personal data make sure paper is securely shredded and, when deleting electronically stored data, it is also removed from backups or recycle bins. Remember, the more data you retain, the greater impact a data breach may have on you.
Do customers know how to exercise their rights?
Make sure the contact details in your privacy policy are up to date. Do you know what to do if someone exercises their rights? This is why it's important to know what data you hold and where it is held so you can respond promptly to any requests. If you put your processes in place now then, when you receive a request from a data subject, you can deal with it swiftly.
Finally, are you being transparent with customers?
They have the right to be informed about what you are doing with their personal data and why. This will usually be done by publishing your privacy policy on your website but if a customer can't access the internet, you should issue a paper version of your privacy policy to them.
Data protection shouldn't be seen as a barrier to doing business and it should not limit what's possible for growing your business. The key issue for businesses is trust and transparency - when customers or clients provide you with their personal data, they want to know why you need it and are trusting you to be careful with it.
If you have any specific concerns arising from this article and/or would value a chat about data protection issues generally as they affect your business please do get in touch with me here at Morton Fraser LLP. The Data Protection Team will be pleased to offer our expertise and guidance about any data protection law matters, concerns and/or planning.
