Data protection applies to businesses of all sizes, so long as they handle personal data about their customers or employees. Under the Companies Act 2006, directors may be personally responsible for breaches of data protection: for example, if a director is aware of or agrees to a particular data protection failure, this could trigger personal liability. So, as a director, it’s important to make sure you know about data protection.
What is data protection?
Data protection applies to virtually every business that handles customer and employee data, which includes a customer’s name, address, card details, phone number and more.
Data protection is embodied in the Data Protection Act 2018, which replaced the Data Protection Act 1998 and includes GDPR legislation. The Data Protection Act 2018 gives citizens and residents more control over their personal data, simplifies regulation to help businesses protect their customers’ and employees’ personal data, and is enforced by the ICO.
If your business operates in the EU as well as the UK, you might need to abide by both UK and EU data protection rules (GDPR).
Failing to follow data protection rules in the UK or the EU can result in a fine of up to £17.5 million or 4% of your annual global turnover, whichever is higher. However, not all infringements lead to fines: you could be issued with a warning, receive a temporary or permanent ban on data processing, or even have to suspend data transfers to third countries.
How to comply with data protection
If your company deals with personal data, there are 7 principles set out in the Data Protection Act 2018 that you will need to follow consistently:
- Personal data must be processed lawfully, fairly, and in a transparent manner
You need to provide people with the name of your business and details of how their information will be used.
- Personal data must be processed for specified, explicit and legitimate purposes
You need to state clearly why you’re collecting personal data and how you intend to use it. If you intend to use the data for a purpose other than the one you stated when you collected it, you will have to get consent again.
- Personal data must be adequate, relevant, and not excessive
You need to collect the minimum amount of data and only that which is relevant to the specific purpose.
- Personal data must be accurate and up to date
The data that you hold must be accurate and up to date. You might need a way of quickly updating the data or allowing people to do it themselves.
- Personal data shouldn’t be kept any longer than necessary
You need to make sure that you don’t keep data any longer than needed, and be prepared to justify why you need to keep data for a given period. Holding data only for as long as needed also reduces the risk of it being out of date, which helps with principle 4.
- Personal data must be processed securely
You need to make sure that the correct procedures and processes are in place so that the data you collect is secure.
- The controller is responsible for data protection
The controller is responsible for what happens with personal data, and they must be able to demonstrate how they are protecting people’s data and privacy.
What is a controller?
The company, as the legal entity, will be the data controller. However, the data controller must have someone appointed as responsible for the data protection elements. So the directors are responsible for the company’s data protection duties; however, they can appoint someone to be the data protection officer with the ICO.
What is a processor?
A processor acts on behalf of the controller and under their authority. They must process personal data within the guidelines of the controller’s instructions.
What is the ICO?
The ICO is the Information Commissioner’s Office, an independent authority whose responsibility is to ‘uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.’
As a data controller, you may have to pay a data protection fee to the ICO. It is your responsibility to notify the ICO, although there are some exemptions.
Now you know the key information about being a director and your responsibilities for data protection. To find out more about your business and data protection, you can visit the ICO website, which has a wide range of resources that can help with data protection.