Why is Data Protection so Important to Small Businesses?

The simple answer…because it’s so important to modern life.

This blog aims to provide you with the fundamentals of the current UK legislation and best practice. Whether you are a sole trader, charity, limited company, or any form of social enterprise, if you’re “processing” personal data, sit up and pay attention to the evolving regulatory landscape that surrounds you.

In this digital age, data is now the most valuable commodity. Where gold, oil and even spice were once the most precious resources, data is now. Why? Because it’s intrinsic to modern business and everyday life. Just think identity theft, malware attacks, international organisations locked out of their own systems by ransomware. Consider surreptitious banner advertisements persuading you to make that online purchase, or (although extreme) algorithms that profile individuals based on their content choices in order to influence the direction in which they cast a political vote. Perhaps not so extreme…?

The wrongful use of data in these scenarios can impact anyone from private individuals to entire countries, causing anything from a minor inconvenience resulting from cancelling bank cards and resetting passwords, to destabilising a nation’s political landscape, the ramifications of which can be felt for years.

I know what you’re thinking: “I’m a small business, I don’t really have to worry about those things until I scale up! Securing a steady income and establishing my brand are the current priorities”.

Well, sorry (not sorry!) to share, but compliance with data protection law is essential – regardless of the size of your organisation.

In fact, as a smaller business, you face greater exposure without access to the resources or technical expertise that would support your privacy compliance.

The Legislation

In the UK, the principal acts of law that collectively form the UK data protection legislation are: the Data Protection Act 2018; the UK General Data Protection Regulation (remember when GDPR came into effect in May 2018? This is the UK-specific equivalent, adopted on our exiting the EU and ratified into UK law on 1st January 2021); and finally the Privacy and Electronic Communications Regulations 2003, which mostly relate to digital marketing (and are why you need that check box for visitors to opt in to your website subscriptions). Other legislation exists, but these are the primary ones a small business owner should have an awareness of.

Data Protection in the UK is regulated by the Information Commissioner’s Office (ICO), a publicly funded independent authority which monitors the compliance of all organisations with privacy legislation, ensuring the rights of individuals are upheld. Ordinarily, if you process personal data as part of your business activities (beyond that of your staff for payroll purposes), your business will be listed on the public register, and you’ll be paying an annual registration fee. Unsure? Just look yourself up on the ICO’s website.

What is “Personal Data”?

Personal data is defined as:

“information that relates to an identified or identifiable natural person”.

This means any data that can be directly connected to a living individual, as well as any information which, when combined with another piece of data, could indirectly reveal the identity of an individual. Typical examples include: name; any unique identifier such as an NHS number; phone numbers; email addresses; IP addresses from digital devices (think “cookies”); and even vehicle number plates, as these are usually registered to a single individual.

The following are excluded and therefore outside the scope of the legislation: information about companies and public authorities; deceased individuals (not considered as “natural persons”); or anonymised data, which is stripped of all personal identifiers.

The legislation makes additional provision for what is described as “Special Category” data. This personal information is considered to be more sensitive, as its misuse could significantly impact upon the rights and freedoms of the individual, and it is therefore afforded even greater protection. Examples include race and ethnic origin data; religious or philosophical beliefs; political opinions; data related to sexual preferences, sex life and/or sexual orientation; and several more.

What is “Processing”?

If you’re doing ANYTHING in the course of your business activities that involves the personal data of private individuals, consider yourself to be “processing”. The legislation is broad in its interpretation and includes using, recording, storing, analysing, restructuring or deleting data.

Data protection has been introduced to safeguard individuals’ personal information. As a business owner you see both sides of the coin. Approach your use of customers’ data with the same respect you expect when you are the customer, or when it is your family and children: keep it safe; be transparent in its use (by way of a Privacy Policy on your website); ask permission when using special category data; understand how long you will keep the data for and determine a method to delete it when appropriate; be aware of the rights of private individuals; and always, always consider the impact of the way in which you use their personal information.

Non-compliance risks damaging your business’s reputation and customer retention, and negatively impacting growth, whereas implementing robust governance around your handling of personal data will establish the solid foundations from which to scale.

Which will you choose?

Data Protection – The Basics

As we’re all aware, the General Data Protection Regulation (GDPR) came into effect on 25th May 2018, together with the Data Protection Act (DPA) 2018.

This was replaced by the UK GDPR on 1 January 2021, following the end of the Brexit transition period. This, together with the updated DPA 2018, forms the legal framework for the UK’s data protection regime.

This legislation was updated after nearly 20 years to catch up with advances in technology and also to reflect the fact that the vast majority of us are regularly sharing a great deal of personal information online. We now have enhanced rights in terms of both accessing this information and understanding what is being done with it, whilst organisations have a greater obligation to ensure our information is protected.

When it comes down to compliance, both pieces of legislation must be read alongside one another to gain the full picture. The GDPR contains the principles that must be adhered to by all organisations who process the personal data of citizens of the European Union, while the DPA 2018 details how these principles are incorporated into UK legislation. Additionally, the DPA fills in the gaps concerning areas that are outside the scope of the GDPR, such as data processing activities performed by law enforcement or intelligence services, and the role of our regulator – the Information Commissioner’s Office (ICO).

How does this impact my business?

Well, there are several factors to be considered, such as your core activities and the number of individuals you employ; but ultimately, if you have a website, you are most likely already subject to a legal requirement to comply.

Noticed the “Cookies banner” that pops up on most websites nowadays? Although cookies are only mentioned once in the GDPR, Recital 30 states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].

Cookies are essentially small data files stored on your device by websites for various purposes and lengths of time. As a business owner, you are likely using cookies for analytical reasons, to gain an understanding of traffic to your website and how users navigate around the web pages. Additionally, they have practical uses such as remembering a user’s log-in details so that they don’t have to re-enter their password on each visit, presenting them with more relevant adverts, and saving selected preferences to improve the general user experience.

If you want to know which cookies are in use, just right-click the padlock icon that appears left of the website address in your browser.

Essentially, the remit of the GDPR and DPA 2018 is “… personally identifying or identified information of a natural person”, i.e. any piece of data that discloses the identity of a living person (deceased individuals do not fall within the remit of these laws). IP addresses and the information collected by cookies are considered personally identifiable information, as these are unique to you and your device.

ALL websites that offer a subscription or ask a user to enter ANY personal information into a form are legally required to seek consent through acceptance (or refusal) via these cookie banners. Additionally, your website should have a Cookie Policy separate from its existing Privacy Policy – combining the two is no longer considered adequate.
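One way a small website can honour the consent requirement described above in code: classify every cookie it sets as essential or non-essential, and only issue non-essential (analytics, advertising) cookies once the visitor’s banner choice has been recorded. This is an added example, not code from the original post; the cookie names, categories and retention periods are constructed for illustration.

```javascript
// Added example (constructed): consent-gated cookie issuing for a small-business site.
// Every cookie the site sets must be classified; anything unclassified is refused.
const COOKIE_CATEGORIES = {
  session_id: "essential",     // keeps the visitor logged in
  csrf_token: "essential",     // protects forms, no consent needed
  _analytics_id: "analytics",  // visitor traffic tracking, consent required
  ad_pref: "advertising",      // ad personalisation, consent required
};

// Parse an incoming Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) jar[name] = decodeURIComponent(rest.join("="));
  }
  return jar;
}

// The banner records the visitor's choice in an essential cookie named
// cookie_consent, e.g. "analytics,advertising" or "" for refusal (constructed name).
function consentedCategories(jar) {
  return new Set((jar.cookie_consent || "").split(",").filter(Boolean));
}

// Build a Set-Cookie header for `name`, or return null when the cookie's
// category has not been consented to. Max-Age enforces a retention period;
// Secure and SameSite limit exposure; HttpOnly keeps essential cookies away
// from page scripts (analytics cookies usually need script access, so it is
// only applied to the essential ones).
function buildSetCookie(name, value, jar, maxAgeSeconds) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) throw new Error(`unclassified cookie: ${name}`);
  if (category !== "essential" && !consentedCategories(jar).has(category)) {
    return null; // no consent recorded for this category: do not set it
  }
  const flags = ["Path=/", "Secure", "SameSite=Lax"];
  if (category === "essential") flags.push("HttpOnly");
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ${flags.join("; ")}`;
}

// Decide which cookies a response may set, given the request's Cookie header.
function planCookies(requestCookieHeader, wanted) {
  const jar = parseCookieHeader(requestCookieHeader);
  return wanted
    .map(([name, value, maxAge]) => buildSetCookie(name, value, jar, maxAge))
    .filter((h) => h !== null);
}
```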