Top 10 tips to comply with Data Protection law

Everything you do in relation to processing personal data needs to work towards your compliance with the Data Protection Principles:

Lawfulness, fairness, and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation

Integrity and confidentiality (security)

Accountability

1. CARRY OUT A DATA AUDIT

It is best practice to carry out a Data Audit. This helps you identify what data you process, about whom and what you do with it. That in turn helps you establish your lawful legal grounds for processing that data. The information gathered as part of the audit will also help you decide whether you legally have to appoint a Data Protection Officer. The information also feeds into the Privacy Statement.

2. CHECK YOU ARE REGISTERED AND IF NOT WHETHER YOU NEED TO BE

If you are not sure whether you are registered, the ICO has a public register that you can search at https://ico.org.uk/ESDWebPages/search/.

If you are not registered then the ICO has a quick questionnaire you can complete which will confirm whether or not you need to be registered https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

You have to pay a registration fee each year to the ICO.

3. HAVE A PRIVACY STATEMENT/NOTICE

If you are a Data Controller then you have to provide your data subjects with certain information. This is information about you, whom you process data, what you do with it, what your lawful basis is for processing the data, who you share it with, how long you keep the data and the data subject’s statutory rights and how to exercise them.

4. CHECK WHETHER YOU NEED A DATA PROTECTION OFFICER

If you are a public authority or body, or if you carry out certain types of processing activities, your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking) or your core activities consist of large scale processing of special categories of data, or data relating to criminal convictions and offences, you have a legal obligation to appoint a Data Protection Officer.

5. MAKE SURE YOU HAVE ADEQUATE TECHNICAL AND SECURITY MEASURES TO PROTECT DATA

These may be practical steps such as having policies regarding who has access to the data, whether certain data is kept under lock and key or is password protected. It may be more technical steps linked to your IT systems such as sandboxes/firewalls/anti-virus software. You may need or want to have more sophisticated measures in place such as double authentication.

6. TERMS AND CONDITIONS WITH DATA PROCESSORS

If you are a data controller then a data processor acts on behalf of you and only on your instructions. You should ensure that your terms and conditions with data processors include contractual obligations on the data processor to provide you with information and comply with your instructions and importantly be responsible for their breaches.

7. DATA PROTECTION IMPACT ASSESSMENTS

Where you introduce a new processing method of data or change an existing processing method of data, where there is a high risk to the data subject, you are required to carry out a Data Protection Impact Assessment. This is an assessment of how processing will comply with the Data Protection Principles and risks to the data subject will be minimised during the processing.

8. DEALING WITH DATA SUBJECT ACCESS REQUESTS

A data subject has the right to know (subject to some very narrow exceptions) what data you are processing about them. A request for this information is known as a data subject access request. If you receive one you have one month to provide the information (unless the request is significantly onerous). You also are not able to charge unless the request is excessive. You should carry out some preliminary checks to make sure the person making the request has the right to the information – they are the data subject.

9. DEALING WITH THE ICO

Not every breach has to be reported to the ICO. However, in certain circumstances you may be under a legal obligation to report a breach of the Data Protection Principles to the ICO. You have 72 hours in which to do this.

If a breach occurred and you are unsure whether it is reportable to the ICO they have a self-assessment questionnaire on their website at https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

10. PUTTING THINGS RIGHT WHEN THEY GO WRONG

If there is a breach then it is important to carry out an assessment to determine why the breach occurred and take remedial action to prevent it happening again.

Get in touch today

Here at Thursfields we can help you implement these top tips. If you need further advice or assistance in putting together a Privacy Statement/Notice, dealing with data subject access requests, how to go about a data audit or you need in place terms with your data processors which protect you, do not hesitate to contact our Commercial Team on 0345 20 73 72 8 or info@thursfields.co.uk.