Only someone living on a desert island without a TV or radio could avoid being aware at present of “Data Protection”.
The effect that a data breach has had on both Facebook’s share price and its reputation is immense. However, the “General Data Protection Regulation” (“GDPR”), which becomes law in May, will affect any business, however large or small, that holds personal data.
Personal data is basically any data that enables a data subject to be identified. This is considerably wider than may at first appear. For instance, a file which identifies a subject as “the fellow in Warrington who is an accountant and speaks with a Brummie accent” would be covered by the regulations even though the individual is not named.
The Information Commissioner’s Office (ICO) has produced a guide which they describe as “living” as they “are working to expand it in key areas”. Currently, the guide runs to a mere 120 pages!
Article 5 of the GDPR requires that personal data should be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to the data necessary for those purposes
- Accurate and kept up-to-date
- Kept no longer than necessary for those purposes
- Processed in a manner that ensures security of the data
It is necessary, therefore, to identify why you need a specific piece of personal data and what personal data is necessary; to inform the data subject of the above; to keep the data relevant; to ensure that it is used for no other purpose and is stored securely; and to destroy it as soon as the need for it ceases. A very simple example is that, normally, you would breach the regulations by sending an email to a group of recipients using the “cc” field rather than the “bcc” field, as you would be passing someone’s personal data (their email address) to other people without their knowledge and agreement.
Not only must you comply with these regulations but Article 5(2) requires that you must be able to demonstrate compliance.
Clearly a detailed analysis of this topic, and what is required to comply, is impossible in an article of this length (120 pages remember!). Also, the detailed requirements will vary between businesses. We have recently discovered a web based application which we feel will ensure compliance. If you may be interested please contact us for details.
WatkinsonBlack have considerable experience in all areas of taxation and business services, including the provision of a very cost-effective payroll bureau service. If you want to arrange a no-obligation initial meeting on any business matter then please contact us. Please note that these ideas are intended to inform rather than advise and you should always obtain professional advice before taking any action.