If you own a small business, you’ve likely heard the term ‘data protection’, but you might not know what it means. Regardless of your business model, data protection is key to keeping you, your customers and any employees you may have safe. It’s important to get your head around what is expected of you as a business owner from a legal and an ethical standpoint.
Keep reading to learn more about how to protect your small business and its clientele from cybercrime and other threats to data security.
The Data Protection Act of 2018 is a form of legislation in the UK that implements the General Data Protection Regulation (GDPR). It oversees the collection, storage and use of personal data by businesses and organisations. There are stricter rules surrounding what is classed as sensitive data. These types of personal data merit specific protection. Various characteristics are protected as sensitive data, including but not limited to:
● Sexual orientation
● Religious beliefs
According to the Data Protection Act, everyone involved in the processing of personal or sensitive data must abide by a series of data protection principles. These help to protect the organisation against theft of data and phishing scams, amongst other threats to data security.
Any data breach can potentially lead to further criminal activity such as identity theft, fraud or endangering members of the public. For example, if your business website has a system where customers can save payment details and delivery addresses, this information could be used to steal their money, should it fall into the wrong hands. Fraud of this kind could be carried out in the first instance by hackers, or could be done after hackers sell personal information to criminals. This would represent a serious breach of data protection, and your business could be held liable for any damages incurred if certain protocols have not been followed and/or safeguards have not been put in place.
GDPR is the European Union’s data protection legislation, with which the UK’s Data Protection Act complies. In order for your business to comply with GDPR regulations, you need to make sure you’re following all the data protection principles laid out by the government to keep all personal data safe.
Both GDPR and the Data Protection Act apply to small businesses, which means you could be held liable for any data breaches affecting your business. Small businesses are particularly vulnerable to the effects of data breaches because they often don’t have a large enough financial cushion to fall back on. The financial consequences of suffering a data breach can be significant, with loss of reputation an important consideration. However, if your business has cyber insurance in place, the financial support provided can help you keep trading.
So, how can you and your business work to safely process personal data?
Firstly, it’s important to protect the data you already store. This means implementing data protection policies within your business and training any staff or contractors on what they need to do to keep data safe. One worthwhile policy you could consider is regular data back-ups, which can allow you to restore an up-to-date version of your business’ data in the event of it being deleted, lost or stolen.
An often overlooked aspect of data protection is cybersecurity training for anyone involved with the company. Simple things like using stronger passwords, not clicking on suspicious links in emails and keeping away from harmful websites can make a big difference in protecting data against breaches. Protecting sensitive data while travelling is important, too, as hackers may be able to breach data security by reading passwords over your shoulder, for example.
Additionally, you should check any software being used by your business, as outdated or unofficial software may be more susceptible to data breaches or hacks. This includes communications software, word processors, password storage software and anything else your business uses. This also helps to avoid operational downtime caused by glitches that were fixed in updates.
Next, you need to ensure that any new data coming into your business is safe. This could include encrypting personal data so that if a data breach were to occur, the thief wouldn’t be able to access the data. Encryption keys allow only certain authorised individuals to access the data, protecting it in the same way that a locked front door protects a house.
It may seem counterintuitive, but securely storing data can sometimes also mean destroying it. When collecting data for business purposes, you should only keep hold of it for as long as you need it. After this, you should delete the data and make sure it can’t be accessed from back-ups or files retrieved from the computer’s recycling bin.
As a business owner, it is your responsibility to make sure that your business is collecting and using data in a law-abiding manner in order to keep your customers and anyone involved in the business safe. You must ensure that you have a lawful basis for processing data. This means not collecting any data you don’t require for your business to operate. It must be limited to what is necessary, so avoid collecting any more than is actually needed.
For any data you collect, you must be transparent about how you’ll process it, what you need it for and how long you’ll keep it. Members of the public also have the right to know what data you have on them at any time. They may also request that you update or delete their data. In certain circumstances, they may be able to object to how you’re processing that data as well.
For more information on lawfully collecting data, visit the ICO website here.