Data protection can be complex, with lots of jargon and legalese. So, when it comes to the world of data protection regulations, who better to remind you of some of the key requirements than a respected specialist in the field, DQ’s Head of Regulatory and Compliance Services, Sinead O’Connor?
In the run-up to GDPR coming into force in May 2018, there was a lot of focus on data protection, and time was spent mainly on putting a Privacy Notice in place or (most of the time unnecessarily) sending copious numbers of emails seeking consent to continue data processing.
Four years on, with a pandemic now having had a significant impact on working practices and perhaps on how and why data is collected, is it time to revisit the basics of your data protection framework to identify whether it has kept pace?
Whilst the Privacy Notice is the ‘shop window’ of how and why you process data, it is supposed to be built on and accurately reflect the actual data processing that happens within your business, club or charity as recorded in the record of processing activities (ROPA).
When was the last time you reviewed the ROPA? Does it include any new data processing that might have occurred as a result of the pandemic such as contact tracing information that you could have recorded for people entering your premises? Has it kept pace with new technologies that you might have adopted for obtaining or processing data?
If the very idea of a ROPA is new to you, it is worth noting that it is a legal requirement and a document that the Information Commissioner could request at any time. There is widespread guidance on what needs to be contained in the document and how to structure it, and a good template is available from the Information Commissioner’s website, www.inforights.im.
Good data housekeeping is an important way to minimise issues for the people about whom you process data. If you are a customer-facing business, you may think of this solely in the context of customers so please don’t forget about staff (current, former, job applicants, work experience etc.) and suppliers. Indeed, don’t forget about former customers and new business enquiries who never became customers. For all of those people, it’s important that:
- You only use their data for the purpose(s) that you have told them about in the Privacy Notice or any update to that;
- You only process the data that you need and you don’t collect or process data just because it might come in handy one day;
- You take steps to make sure that, when you need to update data, it is updated in every location that you hold it;
- You only keep their data for as long as you need it;
- You only share their data with other parties if you have told them about it in the Privacy Notice;
- Any data sharing is done in a safe and secure way and in accordance with the data protection legislation and regulations;
- You respond to any data protection related request in a timely and co-operative way; and
- You hold their data safely and securely, taking steps to prevent it from being lost or accessed by someone who shouldn’t be able to see it.
Good data housekeeping will be supported by everyone who deals with people’s data knowing their specific responsibilities and getting the message from whoever leads your business, club or charity that properly protecting people’s data is vitally important. Data protection training and a data protection policy are good tools to help people know what their responsibilities are, and they will come in handy if anything goes wrong and you need to demonstrate the steps you took to the Information Commissioner.
Businesses, clubs or charities which process people’s data should always be ready to show the Information Commissioner that all the building blocks are in place for a good data protection framework. Those building blocks form part of the accountability which sits on the shoulders of the people on the Board, the committee, the business owners or simply whoever is in charge. If that’s you and you haven’t thought much about data protection since 2018, perhaps it’s time to revisit the basics.
The information and/or opinions contained in this article are necessarily brief and general in nature and do not constitute legal or taxation advice. Appropriate legal or other professional advice should be sought for any specific matter. Any reliance on such information and/or opinions is therefore solely at the user’s own risk and DQ Advocates Limited (and its associates and subsidiaries) is not responsible for, and does not accept any responsibility or liability in connection with, any action taken or reliance placed upon such content.