For a bit of background, the General Data Protection Regulation came into force on 25th May 2018 with the intention of grouping all of the previous EU policies in one place. The UK created the Data Protection Act 2018 in order to continue the regulation (UK GDPR) post-Brexit. The UK GDPR controls how personal information is processed by organisations and is regulated by the Information Commissioner's Office (ICO).
The 7 main principles of UK GDPR are:
Fairness and transparency – data must only be used fairly, lawfully and transparently.
Purpose Limitation – data must be used for specific, explicit purposes.
Data minimisation – data must only be used for what is necessary.
Accuracy – data must be kept accurate, up-to-date, and old information disposed of.
Storage limitation – data should not be kept for longer than is necessary.
Security and confidentiality – data must be handled in a way which ensures security, and protected against unlawful or unauthorised processing, access, loss, destruction or damage.
Accountability – the holder of data will be responsible for compliance with the principles, and be required to evidence this compliance.
The ICO has a huge amount of information and guidance on the matter. The most useful information is the guidance for ‘beginners’, which can be summarised as follows:
📄 Make a list – list all the types of information you’ve collected, or plan to collect, in general terms (‘phone numbers’, ‘email addresses’, etc.). This will allow you to assess what you should be doing to protect that information.
🧐 Ask ‘why’ - consider the lawful reason why you have someone’s data. Ask if you really need that information, or why you would use it in a specific way before taking the action.
👮 Think security – check you have the appropriate security in place. There are different levels of sensitivity, and so different levels of security. Using a CRM is a great way to keep data secure, but who has access to that system? Also, consider whether leaving a phone number on a post-it note is really the best way of asking a colleague to call someone back?!
🤲 Be transparent – tell people why you’re holding their data, who you will need to share their data with and how long you intend to hold it for. For instance, do you need to hold data on file following the completion of a deposit release? Possibly. However, if 6 years have passed? Very unlikely! And it’s very likely you’re going to have to pass it on to your referencing company.
📜Clarity - you must have a privacy notice available to consumers before you collect information.
💾 Subject access requests – by law, anyone can request a copy of the data you hold if it’s related to them, be this on a system or otherwise. You must take action, and there is a helpful guide for that within the ICO link above.
💧 Data leaks – if the worst happens and you have a data leak, you have 72 hours from when you discovered the leak to inform the ICO. Try to find out what happened, take immediate steps to avoid it happening again, assess the risk to the individuals and so determine what you should disclose to them. If you determine there is a ‘high risk’, you are bound by law to notify the individual. You may well want to accompany this with advice on protecting themselves or information on what you’re going to do about the leak.
Once again, this is a broad subject and it is impossible to provide complete information in a short space of time. You will already have a Data Protection Officer, and we trust they already know this information and a lot more.