"Any sufficiently advanced technology is indistinguishable from magic." This is one of Arthur C. Clarke's most widely cited quotes, and indeed technology is developing at such a fast pace that you may be mystified and struggling to keep up. Or you may be keen to try out and incorporate new technologies into your business to help it grow and modernise, and even to save time by using artificial intelligence (AI) for some automated tasks.
Do you know what information you collect and why?
It's a good idea to review whether you still need the same amount of personal data you are collecting - consider what you are doing with that information and why.
How are you collecting personal data?
Do you still have a lawful basis for processing personal data?
Think about your reasons for holding the personal data. If you rely on consent as your lawful basis, that consent must be freely given: you cannot use a pre-ticked box and expect customers to "un-tick" it to indicate that they do not consent to your using their personal data. Consent must be a positive choice that the customer understands. Consent is not always the most appropriate lawful basis, because it can be withdrawn, so it is best to consider the other lawful bases. For example, if you employ staff you will have a legal obligation to process data, such as providing information to HMRC, and if someone has an accident on your premises you will have a legal obligation to share their personal data with the Health & Safety Executive. You may have a contract in place that allows you to share and process personal data, for example with an external company providing payroll services. The other lawful basis you may consider for processing personal data in the course of your business is that you have a legitimate interest in doing so. This relates to your commercial interests in carrying out your business, but the processing must be proportionate and balanced against the interests of the data subjects, with minimal impact on their privacy.
Once you have collected it, are you storing it securely?
Do you have appropriate IT systems in place, and are staff trained to be careful with personal data? Simple things like locking computer screens and tidying away papers when staff are away from their desks should be part of your culture. Consider using multi-factor authentication on devices so that, if they are lost or stolen, they are more difficult to access. Consider when you last carried out staff training. With the increase in cyber-attacks, staff need to know how to spot phishing emails and not to click on unverified links, so their training should be brought up to date.
Have you taken on any new third-party suppliers in the last 5 years?
You need to ensure you have appropriate contracts in place with your suppliers to set out each party's roles and responsibilities when it comes to personal data. Make sure you keep accurate records of their processing activities and the security measures they are implementing. Your contract should allow you to carry out regular audits and testing with your suppliers so you can trust that they are complying with their side of the contract.
Have you been using any other new technologies?
A cautious approach should be taken to AI. Using an openly accessible AI tool such as ChatGPT means that any information you put into it is now part of the publicly accessible internet. If you are using AI, you may need to amend your current IT policy or adopt a standalone AI policy with clear guidelines, so that employees understand the benefits and the pitfalls of its use, including the disciplinary action that would result from inappropriate use.
Do you know how to handle a data breach - what if an email goes to the wrong person, or an employee accidentally loses personal data on public transport?
You need to ensure staff are trained to report this internally and that a trained member of staff can take responsibility for containing a breach and recovering the data. In some cases, if there is a potential risk to the people affected, you may need to notify the Information Commissioner's Office. You also need to consider the cost of a breach, not just the financial cost but also the reputational risk. Make sure you keep records of any data breaches and ensure lessons are learned from any such incidents.
How long are you keeping personal data?
This should be regularly reviewed. Where you have a legal obligation to store personal data, there is often a legislative retention period attached to it. Otherwise, the business must determine its own retention periods and decide when to destroy personal data. You need to carry out regular reviews to ensure this is done, and you should set up alerts on your IT systems. When it does come time to destroy personal data, make sure paper is securely shredded and, when deleting electronically stored data, that it is also removed from backups and recycle bins. Remember, the more data you retain, the greater the impact a data breach may have on you.
Do customers know how to exercise their rights?
Finally, are you being transparent with customers?
Data protection shouldn't be seen as a barrier to doing business and it should not limit what's possible for growing your business. The key issue for businesses is trust and transparency - when customers or clients provide you with their personal data, they want to know why you need it and are trusting you to be careful with it.
If you have any specific concerns arising from this article and/or would value a chat about data protection issues generally as they affect your business please do get in touch with me here at Morton Fraser LLP. The Data Protection Team will be pleased to offer our expertise and guidance about any data protection law matters, concerns and/or planning.
The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. Morton Fraser LLP accepts no responsibility for the content of any third party website to which this webpage refers. Morton Fraser LLP is authorised and regulated by the Financial Conduct Authority.