Under the Data Protection Act 2018 (DPA) you must:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation
Good information handling makes good business sense, and it provides a range of benefits. You’ll enhance your business’ reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money.
Your business has established an appropriate Data Protection Policy?
A policy will help you to address data protection in a consistent manner. This can be a standalone policy statement or part of a general staff policy. The policy should clearly set out your business’s approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy should be approved by management, published and communicated to all staff. The policy should also be reviewed and updated at planned intervals or when required to ensure it remains relevant.
Your business has nominated a data protection lead?
It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the data protection policy. Allocating these responsibilities to a data protection lead will help you effectively manage and co-ordinate data protection, and make your business more accountable. The lead should be appropriately skilled and have the necessary authority and resources to fulfil their duties.
Your business provides data protection awareness training for all staff?
Any data security breaches are accidental and result from insider actions. You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required. Specialist training for staff with specific duties, such as marketing, information security and database management, should also be considered. The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example, intranet articles, circulars, team briefings and posters).
If you are not sure where you stand in respect to DPA (Data Protection Act) or the GDPR (General Data Protection Regulation) call me now …
Bob Lewis-Basson 0780 244 1728, or email firstname.lastname@example.org