All data or information that relates to an identifiable individual that your business stores or handles needs to be properly protected. From financial information and payment details to contact information for your staff, personal data usage in the UK is protected by law.
We explain why data protection is not just a legal necessity, but crucial to protecting and maintaining your business.
What data needs to be protected?
Key pieces of information that are commonly stored by businesses, be that employee records, customer details, loyalty schemes, transactions, or data collection, need to be protected. This is to prevent that data from being misused by third parties for fraud, such as phishing scams and identity theft.
Common data that your business might store, include:
- Names
- Addresses
- Emails
- Telephone numbers
- Bank and credit card details
- Health information
This data contains sensitive information that could relate to your: current staff and their partners or next of kin; shareholders, business partners and clients; customers and other members of the public.
Protecting all this information, in accordance with the Data Protection Act, requires businesses to adhere to specific principles.
Does your business or organisation receive personal data from the EU/EEA?
You may receive a personal data transfer from an EEA partner. If so, there are steps you need to take now to comply with new data security rules.
Data Protection Act
The Data Protection Act contains a set of principles that organisations, government,s and businesses have to adhere to in order to keep someone’s data accurate, safe, secure and lawful.
These principles ensure data is:
- Only used in specifically stated ways
- Not stored for longer than necessary
- Used only in relevant ways
- Kept safe and secure
- Used only within the confines of the law
- Not transferred out of the European Economic Area
- Stored following people’s data protection rights
This comes into practice in business particularly when you recruit staff, amend staff records, market your products or services, or use CCTV.
The Children's Code
The Age Appropriate Design Code, or Children’s Code, is a data protection code of practice introduced on 2 September 2021 for online services likely to be accessed by children, such as apps, online games and social media sites.
It translates the GDPR requirements into design standards for online services to help you understand what is expected of your business. You’ll need to consider things like how much personal data you need, if you should be sharing the data and how it might impact a child’s privacy.
The ICO offers complete guidance and support to help you to achieve compliance.
Security
The principles set out in The Data Protection Act help businesses ensure the details of their staff, clients and customers are properly protected.
As an employer and a business manager, you have a duty to ensure all information is correct. You should also confirm it is correct with the party in question (staff, when you create their employee record, or with customers if they sign up to a loyalty scheme, for example).
Following proper data protection procedures is also crucial to help prevent cybercrimes by ensuring details, specifically banking, addresses and contact information are protected to prevent fraud. For instance, your clients' or customers’ bank accounts being hacked into.
Non-compliance
The Data Protection Act is a key law within the UK. Failure to comply can have serious consequences. Violating data protection law can see you and your business prosecuted, resulting in harsh punishments. These can include fines of anything up to £500,000 or action being taken that could result in a prison sentence.
Ensuring you adhere to data protection policies is crucial as the effects of non-compliance can be devastating for you and your business.