Avoiding data protection breaches
Are you confident your organisation is avoiding data protection breaches? Does your organisation know what data it holds, who it is about and where it is stored?
All organisations hold data. Where an organisation processes personal data, the Data Protection Act 1998 (“Act”) places certain obligations on it, known as the Eight Data Protection Principles, to ensure that any processing of personal data for which it is responsible complies with the Act.
Organisations should know what information they hold, who it is about and where it is stored.
It’s a good idea to appoint a data protection compliance officer to supervise the activities of the organisation in relation to personal data. That person is then responsible for developing, implementing and maintaining effective compliance policies covering the processing of personal data, data security, retention and destruction of personal data, and guidance on dealing with data subject access requests.
Practical tips for businesses
- Carry out a data audit to understand what personal data the organisation holds, what it is used for and whether that use is in accordance with the purpose for which it was originally collected. The audit should also check that the data is accurate and up to date, whether it is still needed, and whether extra permissions are required, e.g. to transfer personal data outside the EEA or to process it for a new purpose.
- Implement and maintain a data protection policy to set out how the organisation collects, stores and processes personal data about its staff, customers, suppliers and other third parties.
- Deliver data protection training – ensure employees are aware of the obligations placed on the organisation by the Act and their individual responsibilities. A data protection policy is useful here.
- Review and assess your data security arrangements regularly. Is access to personal information limited to only those who need to know it? Is the information being held securely, whether on paper or a computer? Is the website secure? Where is the data stored?
- Check how third parties process data: is any personal data being processed (e.g. stored, hosted or otherwise held) by third parties on behalf of the organisation? If so, is there a written contract regulating activities and requiring the data processor to take the same security measures you would take if you were processing the data yourself?
- Ensure the organisation has notified the Information Commissioner and such notification is up to date, unless it is exempt from doing so.
Risks of getting it wrong
A data protection breach can be costly to your organisation. Currently, an organisation may be subject to enforcement action and monetary penalties of up to £500,000 per breach, may be prosecuted, and may face compensation claims from individuals. Imminent new Data Protection Regulations are expected to tie monetary penalties to a percentage of an organisation’s turnover – potentially making the current £500,000 top end penalty even higher once the regulations come into force.
One of the worst consequences an organisation can face if it gets data protection wrong is damage to its reputation and a loss of public confidence in the organisation and the way it deals with data – this is generally more costly than the monetary penalties!
Getting it right
Know your data and have the right policies and procedures in place to ensure your business complies with its legal obligations under the Act. Good practice in this area will help build the confidence and trust of your customers and third parties. Your organisation’s data is a business asset that can help it meet its business goals and objectives, so it makes sense to look after it carefully.
For more information on data management and to start a conversation on how we can help you, contact Debbie Venn, Associate, Commercial.
Published: 11 Mar 2015