The simple answer…because it’s so important to modern life.
This blog aims to provide you with the fundamentals of the current UK legislation and best practice. Whether a sole trader, charity, limited company, or any form of social enterprise; if you’re “processing” personal data, sit up and pay attention to the evolving regulatory landscape that surrounds you.
In this digital age, data is now the most valuable commodity. Previously gold, oil and even spice, data is currently the most precious resource. Why? Because it’s intrinsic to modern business and everyday life. Just think identify theft, malware attacks, international organisations locked out of their own systems by ransomware. Consider surreptitious banner advertisements persuading you to make that online purchase, or (although extreme) algorithms that profile individuals based on their content choices in order to influence the direction in which they cast a political vote. Perhaps not so extreme…?
The wrongful use of data in these scenarios can impact private individuals to entire countries, causing anything from a minor inconvenience resulting from cancelling banks cards and resetting passwords; to destabilising a nation’s political landscape, the ramifications of which can be felt for years.
I know what you’re thinking: “I’m a small business, I don’t really have to worry about those things until I scale up! Securing a steady income and establishing my brand are the current priorities”.
Well, sorry (not sorry!) to share, but compliance to data protection is essential – regardless of the size of your organisation.
In fact, as a smaller business, you face greater exposure without access to resources or technical expertise that would support your privacy compliance.
The Legislation
In the UK, the principle acts of law that collectively form the UK data protection legislation are: the Data Protection Act 2018; the UK General Data Protection Regulation (remember when GDPR came into effect in May 2018? This is the UK-specific equivalent in accordance with our exiting the EU, ratified into UK law on 1st January 2021.) Finally, the Privacy and Electronic Communications Regulation 2003, which mostly relates to digital marketing (and why you need that check box for visitors to opt-in to your website subscriptions). Other legislation exists, but these are the primary ones a small business owner should have an awareness of.
Data Protection in the UK is regulated by the Information Commissioner’s Office (ICO), a publicly funded independent authority which monitors the compliance of all organisations to privacy legislation, ensuring the rights of individuals are upheld. Ordinarily, if you process personal data as part of your business activities (beyond that of your staff for payroll purposes), your business will be listed on the public register, and you’ll be paying an annual registration fee. Unsure..? Just look yourself up on the ICO’s website.
What is “Personal Data”?
Personal data is defined as:
“information that relates to an identified or identifiable natural person”.
This means any data that can be directly connected to a living individual; as well as any information, when combined with another piece of data, that could indirectly reveal the identity of an individual. Typical examples include; name; any unique identifier such as NHS number; phone numbers; email addresses; IP addresses from digital devices (think “cookies”); even vehicle number plates as these are usually registered to a single individual.
The following are excluded and therefore outside the scope of the legislation: information about companies and public authorities; deceased individuals (not considered as “natural persons”); or anonymised data, which is stripped of all personal identifiers.
The legislation makes additional provisions for is what is described as “Special Category” data. This personal information is considered to be more sensitive, as the mis-use could significantly impact upon the rights and freedoms of the individual, and therefore is afforded even greater protection. Examples include race and ethnic origin data; religious or philosophical beliefs; political opinions; data related to sexual preferences, sex life and/or sexual orientation; and several more.
What is “Processing”?
If you’re doing ANYTHING in the course of your business activities that involves the personal data of private individuals, consider yourself to be “processing”. The legislation is broad in its interpretation and includes; using, recording, storing, analysing, restructuring or deleting data.
Data protection has been introduced to safeguard individuals’ personal information. As a business owner you see both sides of the coin. Approach your use of customers’ data with the same respect you expect when you are the customer, or your families and children: keep it safe; be transparent in its use (by way of a Privacy Policy on your website); ask permission when using special category data; understand how long you will keep the data for and determine a method to delete it when appropriate; be aware of the rights of private individuals and always, always consider the impact of the way in which you use their personal information.
Non-compliance risks damaging your business’ reputation, customer retention and negatively impacting growth. Whereas implementing robust governance around your handling of personal data will establish the solid foundations from which to scale.
Which will you choose..?
