Data protection / cookie info
All businesses handle information about people – staff, customers, suppliers. Data protection is all about taking care of this information and it’s not difficult. But it’s also very easy to get it wrong – and the results can range from bad publicity to legal action and fines.

Here are the Top 10 blunders and how to avoid them:

Blunder 1: Totally ignoring the issue. This can lead to any of the scenarios below – plus additional costs in putting things right.

Solution: read on.

Blunder 2: Not checking if you need a data protection notification. This outlines the personal information being used by your business (including sole traders) or organisation for different purposes, e.g. staff records, accounts, marketing.

Solution: It only costs £35 per year and you can fill in the form on the Information Commissioner’s website (at www.ico.gov.uk follow the link 'For organisations'), print it and post it off. Some businesses don’t need to notify (but they still have to comply with other data protection requirements) – use the checklist online to find out. If you don’t notify when you should, you can be fined. But beware of bogus agencies who send you threatening letters and charge a lot more than £35 to do your notification.

Blunder 3: Not training your staff. It’s everyone’s responsibility to look after information – and your staff can alert you to accidents waiting to happen. Think of all those high street banks putting out customer details in bin bags – didn’t anyone notice and think it was a bad idea?

Solution: Train your staff - not only in security procedures but also in making sure information is accurately recorded and handled appropriately. Do it the right way and they will have valuable insights they can use to protect themselves against ID theft and other threats outside work, as well as buying in to safeguarding the personal information they handle at work.

Blunder 4: Not explaining to customers how you are going to use their information – particularly if it isn’t obvious - such as making credit checks on them or recording their calls. (But watch out for Blunder 5.)

Solution: Make sure that it's clear to the customer who you are - so they know who is handling their information when they provide it. Then work out the best way to deliver the information about how you will use the customer's details - see the solution to Blunder 5.

Blunder 5: Having a privacy policy on your website that is five pages long and as clear as mud. A waste of time for everyone.

Solution: Keep it short and clear. You need to explain about cookies, but most of the rest can be said in a few words where people actually fill in their details. They are more likely to read it as well if it's right there on the online form. And that's where marketing options definitely need to be - see below.

Blunder 6: Not being up front about marketing. There are strict rules about direct marketing - especially by phone, fax and electronic channels such as email and SMS.

Solution: You need to explain things clearly so customers understand their choices and will be pleased instead of annoyed to receive your marketing in future. You also need to check permissions very carefully when renting in a marketing list. And when people ask you to remove their details from your marketing database because they don't want any more direct marketing - you need to explain that you must keep some details on a suppression list to make sure you don't market to them again!

Blunder 7: Not having adequate security – how many times have you read about missing laptops with customer data on them? But also think about security for your website, your premises and PCs, and paper records. And don’t forget your staff – they need to know the rules about things like passwords, checking identities of callers, and what information they can give out and when. You also need to ensure that staff are not misusing information – such as credit card details supplied by customers.

Solution: Don't just concentrate on your online security. Remember all the banks that were named and shamed for throwing out customer details without first shredding them - sometimes it's really simple things that can let you down. A security policy is a very good idea - as long as everyone knows about it and regular checks are made to ensure it's being followed.

Blunder 8: Not recognising a ‘subject access request’. A real mouthful, but all it means is someone asking for a copy of any information you hold about them. No one usually bothers unless they are annoyed with you. This is a chance to turn around a complaint – or get into trouble for ignoring the request.

Solution: Make sure your staff know how to recognise a request and what to do with it. It needs to be made in writing and you are allowed to charge a £10 fee for handling it. You should also have a way of confirming that the person is who they say they are. Requests can be made for emails, images and recordings as well as information in your databases and some paper files. Check that your systems allow you to pull all this out. And take care not to reveal information about other people - you will usually need their consent first.

Blunder 9: Not including data protection in the contract with a sub-contractor who is handling personal information when they do work for you - for example, a fulfilment house.

Solution: This doesn’t have to be complicated or long – it just needs to ensure that the contractor only uses the information according to your instructions and also has adequate security in place. This is not just a paper exercise - you are responsible if anything goes wrong – so make sure they get it right! Go and check and, if necessary, include financial penalties in the contract for lack of care for personal information.

Blunder 10: Thinking it won’t happen to you. It can and does, but now you know what to do to make sure it doesn't!

Please note that this information has been thoroughly checked and is correct to the best of our knowledge. However, it should not be used as a substitute for legal advice.

Security experts warn that when disposing of old computers, some organisations forget to wipe or remove the hard drive. This means that data on that drive could still be accessed. Just deleting files won't wipe them entirely - you need to use a special utility to do this. As a temporary fix, you could remove the hard drive and store it away securely until it is properly cleaned or destroyed - but remember that data protection means you shouldn't keep personal data longer than necessary for the purpose for which you collected it.