DATA PROTECTION COMPLIANCE NEED NOT BE AS COMPLEX AS IT CAN SOMETIMES SEEM
EMBEDDING THE FOLLOWING SIMPLE PRACTICES INTO YOUR BUSINESS, CAN HELP YOU ASSURE DATA PROTECTION COMPLIANCE
1. Register the fact that you control confidential and sensitive data with the Information Commissioners Office (the UK’s independent data protection regulator).
2. Engage with your customer base and try to understand as much as you can about what their expectations are in terms of how you use their data. One simple way you can do this is to ask questions about privacy in customer satisfaction surveys.
3. Ensure that you let the people whose data you process know exactly what you do with their data, including any future plans you may have.
4. Be clear about the risks as well as the rewards, and always notify people about changes which may impact their privacy.
5. Communicate as widely, clearly and as accessibly (e.g. where applicable think about suitable formats for hearing and visually impaired people, and languages that suit your customer base). Simple communication ideas include ‘how we use your information’ leaflets, a website page, social media campaigns and text messaging.
6. Provide data protection training to your staff and issue clear, contextualised guidance.
7. Publish simple do’s and don’ts posters, leaflets etc and ensure they are left in prominent places in your office/(s) – particularly around high risk areas like next to Multi-Functional Devices, filling cabinets and waste paper baskets.
8. Collect only what you need. This will help ensure that you do not break the Data Protection Act 1998 by excessively processing data. It can also help you to keep your storage, data management and data security costs down.
9. Embed clear policies and processes to ensure that all personal data are kept accurate, up-to-date and accessible (on a strict need to know basis). Data quality is a two way street, so be sure to remind customers/end-users about the importance of ensuring that they furnish you with up to date information, in order to help you to ensure that you deliver quality products and/or services.
10. Allow the people whose data you process to access their personal data (subject to the data protection act exemptions – the most common of which are to ensure that no third party data, or anything which may cause harm or distress is disclosed). You must also respect peoples right to have errors corrected, and in some circumstances to have their data deleted altogether (e.g. if data have been unlawfully obtained or are not kept secure).
11. Develop a clear retention schedule which stipulates how long particular categories of data should be kept for, and the steps which are to be taken in order to ensure data are confidentially destroyed. In any event data should not be kept for longer than necessary. What is necessary, will depend upon the nature and purpose of the data you process. The most important things is for you to be able to reasonably justify why data are being retained. The retention schedule will serve as evidence that you have at least given due consideration to the law. Â
12. Keep all confidential and sensitive data secure at rest and in transit. There are many effective information and cyber security solutions which are readily available on the market. Failing to put at least one of them in place, is likely to be considered by the UK Information Commissioners Office (ICO) as reckless, and would more than likely result in a monetary penalty in the event of a breach. The cost of implementing adequate organisational and technological security controls, by far outweighs the risk potential.
13. Restrict off-shore data processing (processing outside of the European Economic Area) to countries or territories which have adequate protections in place to safeguard the rights and freedoms of the people whose data you control and/or process. A classic example of this is the EU/US Privacy Shield.
14. Conduct routine audits and spot checks designed to assess whether the people, processes and systems within your organisation comply with your data protection policies. Fill any gaps you identify with pragmatic organisational and/or technological controls.
15. Utilise Privacy Impact Assessments and Data Protection Impact Assessments to assess whether changes and implementations adequately mitigate all reasonably foreseeable privacy and data protection risks.
16. Embrace Privacy by design and Privacy by default by ensuring that all new systems and processes are designed with privacy and data protection embedded by default. This will help you to ensure that data are intuitively used lawfully, and kept secure at rest and in transit. You can achieve this by ensuring that your standard project and risk management processes are aligned with data privacy, quality, and information & cyber security best practices.
17. Map all flows of confidential and sensitive data (into, within, and out of your organisation). Publish the final Data Flow Maps (DFMs) as part of your communications strategy. DFMs will let you customers and stakeholders know exactly how you manage confidential and sensitive data.
18. Use PIAs, DPIAs and DFMs to help you to identify all reasonably foreseeable privacy and data protection risks.
19. Mitigate the risks in proportion to the threat they pose. The ICO frequently penalises organisations that fail to put in place readily available controls. You are therefore, expected to expend as much resource as can be reasonably expected to proportionately mitigate data protection and privacy risks. What is reasonable, is unique to the data and nature of processing, in each case. If resources are restrained, you can adopt a risk based approach by focusing on your most critical and sensitive data, and addressing the risks that are most likely to have a significant impact.
20. Monitor & Audit compliance in order to measure effectiveness. If you identify gaps, find the most pragmatic and effective way to fill them.
21. Document everything – in particular the rationale behind any decision to not implement a readily available control. In the event of a data breach – the ICO may form the view that there was a risk that you either knew about, or ought to know about, but did nothing to reasonably mitigate the risk, and will more than likely penalise you. There are lots of pragmatic organisational controls that you can implement, and privacy enhancing technologies available on the market. Do you research, seek expert advice, and use the right blend to suit your data and your business.
HOW DOES THE ICO VIEW DATA PROTECTION COMPLIANCE?
The ICO takes the view that if there are data protection risks that you either knew about or ought to have known about, but did nothing to reasonably mitigate the risks – you are negligent.
In the event of a data breach it is more than likely that the ICO will impose monetary penalties where organisations are found to be reckless and negligent. The ICO has levied millions of pounds worth of monetary penalties – the highest of which being £325,000 for a single breach. The cost of implementing adequate organisational and technological security controls, by far outweighs the risk potential. Don’t delay, if you have not done so already, ensure that you have done all what you reasonably can to mitigate your data protection risks.