Data Protection Act 2018
Data Protection Act 2018 (GDPR)
As a business operating within the UK, you are regulated by the Data Protection Act 2018 (DPA 2018), the UK's implementation of the GDPR. The act states:
Everyone responsible for using personal data has to follow strict rules called “data protection principles.” They must make sure the information is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
What does this mean for my business?
It means that if you collect ‘Personal Data’ about customers, employees or volunteers, you need to take the six principles stated above into account. Where your IT systems are concerned, principle 6 (appropriate security) is the one with the most direct impact.
The security of that personal data has to be one of your highest priorities as a business. The fines for failing to provide adequate security for customer personal data can be up to 4% of the business's global annual turnover. In some cases, this runs into many millions of £'s.
Do not stress too much: there are practical things you can do to protect that data. Cyber Essentials is a security framework that helps businesses make the changes needed to improve their security profile.
Follow this link to learn more about Cyber Essentials
Information Security Policy Documents
As the business owner, you should also write an Information Security Policy and make it available to your customers and staff. This shows that you are committed to doing the right thing by them and gives them confidence that you know what you are doing with their personal data. The mandatory documentation required under the EU GDPR is a long list of documents, and preparing it will help your business comply. Our GDPR section is under construction.