As a small or medium-sized enterprise (SME), you have legal obligations when it comes to protecting personal data under the Data Protection Act 2018. This act incorporated the General Data Protection Regulation (GDPR) into UK law.
Here are some key things your business needs to do:
+ Know what personal data you hold and why you need it. This includes customer details, employee records, supplier information, etc. You should only keep data for as long as needed.
+ Be clear on the lawful basis for processing personal data. Options include consent, contract necessity, legal obligation or legitimate business interests.
+ Protect personal data with appropriate security measures like encryption, access controls and staff training.
+ Document your data processing activities and keep records. You may need to appoint a data protection officer.
+ Issue privacy notices to individuals when collecting their personal data.
+ Get consent for marketing activities like email campaigns. Allow individuals to easily opt out or unsubscribe.
+ Have procedures in place to handle things like subject access requests and data breaches.
+ Do due diligence checks on any third-party data processors you use. Have contracts in place.
+ Consider data protection from the initial design stage of any new technology or business project.
+ Pay the data protection fee to the Information Commissioner's Office (ICO).
+ Regularly review and update your data protection policies, notices and records.
+ Demonstrate your compliance.
By understanding and meeting your obligations, you can give your customers, employees and stakeholders confidence that their data is handled securely and ethically. This is not only a legal requirement, but also good business practice.