Business Owners: Here’s What you Need to Know about Data Protection
3 min read
I think we’re all aware that data protection is serious business. We’ve seen in the media how breaches of data protection law can result in heavy fines and lasting reputational damage. That’s why it’s vital for business owners to get to grips with data protection regulations and to follow GDPR’s ‘privacy by design and default’ mandate.
GDPR and the Data Protection Act 2018
The General Data Protection Regulations (GDPR) came into force in May 2018 and replaced all other previous data protection legislation across the EU. For example, in the UK, the GDPR supplanted the Data Protection Act 1998.
The GDPR revolutionised data protection requirements by giving more rights to individuals (also known as ‘data subjects’), harmonising data protection directives across the EU, and accounting for the shift towards a digital data economy.
The Data Protection Act 2018 is the UK’s implementation of GDPR; it applies GDPR’s new standards and extends the legislation to cover certain national requirements, e.g. immigration and intelligence.
The government has confirmed that Brexit will not affect the UK’s adoption of GDPR since the Data Protection Act 2018 directly mirrors GDPR legislation.
Principles of GDPR
GDPR outlines seven data protection principles that businesses need to abide by. Sticking to these principles will help business owners and their employees process data in way that’s safe, secure, and lawful.
Complying with these principles means:
- Processing data in a manner which is lawful, fair, and transparent and which maintains the data subject’s rights (more on this below).
- Processing data onlyfor the purpose it was collected – if your purposes change over time, or you have a new purpose which you did not originally anticipate, you may need to seek new consent to process the data.
- Limiting the storage of data only to that which is strictly necessary and relevant. In the case that excessive data is (or has been) collected, the data should not be used and should be safely deleted.
- Maintaining data records which are accurate and up-to-date. Where any personal data is found to be inaccurate, reasonable steps must be taken to ensure the inaccurate data is deleted or rectified without delay.
- Storing personal data only for as long as is necessary. Under GDPR, organisations must not keep hold of personal data ‘just in case’.
- Processing and storing data with integrity. Every reasonable measure should be taken to maintain the security and confidentiality of data and to prevent unlawful processing, loss, destruction, or damage of data.
- Maintain a culture of accountability. Data controllers are responsible for and must be able to demonstrate compliance with, data protection laws.
Enhanced Data Subject Rights
As above, the first principle of GDPR focuses on transparency and fairness; a principle which relates to the enhanced rights of individuals granted by the legislation.
These rights include:
- The right to be informed about what data is being collected and what it will be used for.
- The right of access to any/all personal data stored about themselves.
- The right to rectify incomplete or inaccurate data.
- The right to erase data that is no longer required or where consent for use has been withdrawn.
- The right to object to the use of personal data unless organisations can demonstrate legitimate grounds to override the rights and freedoms of the data subject.
- The right to obtain and/or reuse personal data across different services.
- Rights related to automated decision making, e.g. to request a human decision over computerised profiling.
- The right to restrict or limit the way organisations may use personal data.
Final Word
As a business owner, one of the best ways to ensure ongoing compliance with data protection laws is to create an accountability culture. In doing so, you and your employees have true ownership over the data you process. Setting clear expectations and offering training to empower your employees means everyone assumes responsibility for data protection in a proactive and confident environment.
By Darren Hockley
Darren Hockley is MD of eLearning provider DeltaNet International. The company offers a wide range of compliance courses for businesses, including GDPR.
