Small Business and Data Protection: How to Get It Right
As a business that provides goods and services, you will need to collect information from customers, potential clients, suppliers and employees. Any personal information you collect about identifiable individuals is protected by law. This article deals with the sometimes tricky area of data protection in the United Kingdom. The main piece of legislation in this area is the Data Protection Act 1998 (the regime in force when this was written; it has since been superseded by the Data Protection Act 2018 and the UK GDPR, so treat the fees and time limits below as historical).
So let us look at this in some detail. The Data Protection Act regulates the processing of any personal data that is collected. Processing means obtaining, recording, storing, retrieving, disclosing and destroying data. The Act does not only apply to data held on computers but also to paper records held in a structured filing system. If your business processes personal data on computers, you will normally have to notify the Information Commissioner of what type of data you are collecting and for what reason (so you had better have a good one! Collecting it so that you can get payment is a good reason. Collecting it so you can build up a database is not). Notifying the Commissioner costs £35 and must be renewed annually.
There are certain exemptions from notification. You will not need to notify the Information Commissioner if the data is collected only for certain purposes. They include:
Personnel administration - hiring and firing (amongst other things)
Advertising and marketing for your company
Even where you do not need to notify the Information Commissioner, you must still comply with the Data Protection Act. The Act lays down some common-sense principles for businesses to follow. Among other things, they state that any data collected must:
Be fairly processed (and done within the law)
Be adequate and relevant to the purpose for which it was collected
Be accurate and secure
Not be kept longer than it is needed for
Depending on what type of business you run, you will need different types of personal information. It is essential that you collect only the information you actually need. If you do not need someone's address, leave it out; if you need just their name and email, collect just that. If you collect irrelevant information and fail to store it correctly, you will fall short of the law and face heavy penalties, so please take care. If you plan to pass the information to a third party for whatever reason, tell the person at the point you collect it. You have to specify which third parties will have access to it and give the person the option to opt out if they wish.
It is very important that the information you hold is correct and up to date. If the information is erroneous and someone informs you of it, you have 28 days to correct it. Review the information you hold and delete whatever you do not need. You will find that maintaining your systems becomes easier, and you could save money and time with a (safe) data clear-out. Make sure you store the information you keep securely. If you have lockable filing cabinets and drawers, use them; safes are better still if you can afford them. For records held on computers, the same principle applies: restrict access to the people who need it, use passwords (and encryption where you can), and keep backups. What you have to show is that you have taken adequate steps to secure the data. If you need training in this area, make sure you get it. It is better to spend a few pounds (or dollars) on a course than thousands on an avoidable lawsuit because you lost someone's address. Think about it.
If anybody asks for a copy of the information you hold about them, you are required by law to give it to them. You can charge up to £10 (about $16) for this. It must be sent to them promptly (the Act allowed at most 40 days) and in a format that is easy to understand. Remember to include the reasons you hold it on file and any third parties who may have had access to it. You are not allowed to use the information for marketing if the person has asked you not to.
Make sure that you do not transfer the information to a country outside the European Economic Area that has inadequate data protection laws. Research, research, and research again. Sensitive personal data (race, ethnic origin, political opinions, religious beliefs, health, and the like) must be carefully secured and NOT released unless:
The person has given explicit consent
It is needed for any legal reasons (such as a court order)
It is needed for anti-discriminatory screening and monitoring
So there you have it: some important lessons when it comes to protecting your customers' information. A lot of it is common sense (like a lot of things), but remember that the law is there for a reason, and flouting it is not in your or your customers' best interests.
Take care and God bless readers....