Top 5 FAQs about data protection procedures your business should have in place
1. What is the purpose of data protection procedures?
Data protection law in the UK sets very few specific rules to follow. Instead, the law requires businesses to consider whether the way they use personal data is in line with 7 principles. It is up to each business to decide how they achieve the principles. The 7 principles require businesses to have data protection procedures in place as follows:
Use personal data in a lawful, fair and transparent way: Businesses must make sure they know which of the six lawful bases for processing they are relying on (e.g. consent, legitimate interest) and how individuals can find out how their information is being used.
Only collect personal data for a specific, explicit and legitimate purpose (purpose limitation): Businesses must be clear about why they want to use the information and record their decision. They must have a good reason before beginning to collect information about people.
Collect the least amount of personal data needed to achieve the specific aim (data minimisation): Businesses must always identify the types of information that they plan to collect and decide whether it is necessary to have that information to achieve the aim. If it is not necessary, they should not collect the information at all.
Make sure personal data is accurate: Businesses must have data protection procedures which ensure that they record information correctly and that they can amend it if they later find out there was a mistake.
Only keep personal data for as long as it is needed (storage limitation): Businesses must only keep information whilst they need it to achieve their aim. Sometimes the law requires businesses to keep information for a specific amount of time. It is the business’s responsibility (as controller of personal data) to decide how long to keep information for and why, and the decisions should be recorded.
Keep personal data safe (by ensuring its security, integrity and confidentiality): Businesses must use appropriate technical measures (e.g. anti-virus, passwords) and organisational measures (e.g. staff training and working practices) to protect information.
Demonstrate that personal data is processed properly (accountability): Businesses must have compliance documents to record how they use personal data, who they share it with and how they made their decisions. Businesses should maintain these documents and update them whenever they collect, use or access personal data in a new way or for a new reason.
2. What rights do individuals have regarding their personal data?
Under UK data protection laws, individuals have a number of rights. It is therefore really important that businesses have data protection procedures in place to manage requests from individuals to exercise those rights. Individuals' rights include:
Access: individuals must be told if their personal data is being used and they can ask for a copy of their personal data as well as information about how it is being used.
Correction: individuals can ask controllers to correct their personal data if it is inaccurate or incomplete. Businesses might need a process in place to verify the new information before making any changes.
Deletion: individuals can ask controllers to delete or remove their personal data if there is no good reason for continuing to hold it. If the controller thinks there is a good reason to keep the information that an individual has asked to be deleted (e.g. to comply with regulatory requirements), a procedure needs to be in place to let the individual know, with an explanation of the decision.
Restriction: individuals can ask controllers to restrict how they use personal data and temporarily limit the way it is being used.
Objection: individuals can object to the use of their personal data if they want that use to stop. If the controller thinks there is a good reason to keep using the information, they must let the individual know and explain the decision.
Portability: individuals can ask controllers to send their personal data to another organisation.
Complaints: if an individual is unhappy with the way in which personal data is collected and used, they can complain to the ICO or another relevant supervisory body.
3. What is the procedure for responding to data breaches?
One of the most important data protection procedures that businesses should have in place is a procedure for managing and reporting a data breach. Part 3 of the Data Protection Act 2018 introduces a duty on all organisations to report certain types of personal data breaches to the ICO. Businesses must do this within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the business must also inform those individuals without undue delay.
Businesses should therefore ensure they have robust breach detection, investigation and internal reporting procedures in place - use Docue’s data breach policy to help put these procedures in place.
4. What is meant by data protection by design and by default?
The UK GDPR requires businesses to put in place appropriate technical and organisational measures to implement the data protection principles set out above effectively and safeguard individual rights. This is ‘data protection by design and by default’. It means businesses have to have data protection at the forefront of everything they do and integrate data protection into their processing activities and business practices, from the design stage right through the lifecycle. Proper data protection procedures being in place is key to achieving data protection by design and default.
5. How can my business document its data protection measures?
A well-drafted data protection policy can be key to ensuring that businesses not only have data protection procedures in place, but also that those procedures are followed by all employees and reflected in the business’s day-to-day activities.
Docue’s dynamic data protection policy template has been drafted by privacy lawyers to help businesses comply with UK data protection laws. The template is easily customisable to suit your requirements - all you have to do is answer a series of simple questions and you will have a tailored policy in no time.
Sign up now to use Docue’s data protection policy and other privacy templates.