The basics: Data Protection - What UK startups need to know
Online businesses often handle a significant amount of personal data. There is a significant amount of legislation around handling personal data and as a Director of your business you are responsible for handling this data correctly.
This article is not legal advice. Here I simply highlight some key issues that you need to be aware of.
The law
The UK Data Protection Act controls how personal data is used by organisations.
Personal data (or ‘personal information’) is information that can be used to identify a specific person. It's "any detail about a living individual that can be used on its own, or with other data, to identify them".
Someone's name for example is not enough to identify them as many people share the same name. However a name, if stored with that person's address and date of birth creates a data set that can identify an individual.
For further definitions, see;
[https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/](Key definitions of the Data Protection Act) (ICO website)
Individuals have rights under law as to what personal data can be held on them and the ICO (Information Commissioners Office) is the UK's independent body set up to uphold information rights.
Everyone responsible for using data has to follow the following ‘data protection principles’....
You must make sure that information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
accurate - kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
What you need to do
At a very basic level, there are 3 main things you need to do
- Have a privacy policy
- Register with the ICO
- Protect personal data
1. Privacy policy
If you collect information about people they need to know who
you are and what you’re going to do with their information. To do this, you need a clear privacy policy on your website. Show this on every page (e.g. in the footer) and be sure to link to it clearly whenever you are collecting personal information (e.g in a shopping cart).
2. Register with the ICO
Most startups will process personal data in a way that requires them to register with the ICO as a data controller. Failure to register is a criminal offence.
Links;
Self assessment to see if you need to register with the ICO
Register with the ICO (costs £35)
3. Protect personal data
This is the most important point of all. Protecting personal data is your responsibility and this extends to data that is held physically as well as digitally.
Some examples;
- your employee contracts contain personal data. They need to be stored securely. If printed, they need to be in a locked cupboard. If digitally, they must have restricted access
- likewise, candidate CVs contain personal data. They must not be left lying around on desks and should be disposed of after use
- do not share personal information you've collected with a third party without the explicit consent of the individual
- ensure contracts with 3rd parties state their obligations with regards to handling personal data
- think carefully about how you manage passwords and access to your core systems. Never share passwords that can access personal information
- clear hard drives from laptops when disposing of them