Any organisation that processes personal data is under a legal obligation to store it securely, to only hold it for legitimate reasons and to be transparent about how it is handled. Here are five basics every business needs to know.
It’s essential to understand how data is handled in your organisation. You should have a complete picture of the flow of data, including how it is collected and where from, why the data is needed, how long it is kept and which third parties it is sent to.
To help you track data processing, there are helpful templates on the Information Commissioner's Office website – find them at https://ico.org.uk/for-organisations/
Every time you collect, store or share personal data, you must have a legitimate reason for doing so. There are six lawful bases – these are:
Some data, known as Special Category Data, requires specific protection because of its sensitivity. This includes information about race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life or orientation.
Businesses must rely on an additional legal basis to process this data – among these are the explicit consent of the subject, or health or social care reasons.
All personal data should be adequately protected, and you must ensure your business has security measures appropriate to the sensitivity of the personal data that you hold. The more sensitive the data, the more secure it must be.
Systems to protect data may include secure off-site backup, strong passwords and multi-factor authentication, training for staff on identifying phishing and cyber attacks, secure Wi-Fi and internet connections, and limiting access to data to only those who need it.
You must inform people about why their data is collected, and how it is processed and stored.
This will tell people why their data is gathered and stored in the first place, to which third parties it is transferred and how long it is kept. Basically, it should summarise the information in points 1 and 2 above.
You should also have an internal privacy notice to inform your staff what you do with their personal data as their employer.
Any individual whose data is held by an organisation (a Data Subject) has the right to find out what personal information that organisation (a Data Controller) holds on them. This request is known as a Data Subject Access Request (DSAR).
This right allows them:
It is important that you familiarise yourself with DSARs, how to spot them and your legal obligations if you receive one. For example, you must respond within one month of receiving a DSAR. In certain circumstances it is possible to extend the period for up to an additional two months, but the initial response explaining the necessity for the extension must still be sent within the first month.
Find out more about DSARs in our article Responding to DSARs.