Personal data plays a vital role in modern business. Whether it’s customer information, employee records, or supplier details, businesses rely on personal data to operate efficiently and build relationships. However, with the increased focus on privacy and data protection, small and medium-sized businesses (SMBs) must handle this data responsibly.
Compliance with data privacy laws is mandatory and failing to protect personal data can lead to severe consequences. Breaches of data protection laws such as the UK GDPR and the Data Protection Act 2018 could result in hefty fines and damage to your business’s reputation. Customers are also more likely to turn away from businesses that mishandle their information. Understanding what constitutes personal data and how to manage it correctly is not just a legal obligation—it’s a key factor in building trust and staying competitive.
Defining Personal Data
The Information Commissioner’s Office (ICO) defines personal data as any information relating to a person who can be identified, directly or indirectly, from it. Types of personally identifiable information (PII) include the obvious things such as names, phone numbers, email addresses and physical addresses. However, personal data protections also cover indirect information, where a few pieces of data taken together could identify someone, such as a gamer tag combined with a workplace. Other examples of personal data include health information, genetic information, personal experiences and anything else that refers to someone’s life.
Some types of personal data, such as health, genetic or biometric data, are given stronger legal protection under the UK GDPR. These are known as special categories. Bank details are not a special category in law, but the ICO still treats financial data as high risk. In the event of a data breach, the ICO or other data protection body will consider the sensitivity of the data when deciding the company’s penalty.
Children’s data is not a special category in the legal sense, but the law requires it to be given specific protection, and it should be held to the highest standard if it must be collected at all. In fact, Amazon recently agreed to a $25m penalty in the US for violating the privacy rights of children via the Alexa assistant. Here in the UK, TikTok received a £12.7m fine for misusing children’s data.
Personal data doesn’t just apply to customer data. It applies to any personal data collected through email signup forms, comments, enquiries, recruitment processes and other interactions. It also includes past, present and future staff members, as well as anyone you interview. Essentially, any person who comes into contact with your business and hands over any data is protected under data privacy laws.
As a business, it is your responsibility to protect this data. You should treat your data like your most precious asset not just because there are hefty fines associated with data leaks but also because your reputation can be irreparably damaged if you don’t.
Why Personal Data Matters to Your Business
The easiest way to avoid the risks that come with personal data is simply not to collect it. However, personal data is valuable to your business and can help you grow. Here are a few ways that personal data matters.
Customer Relationships
Personal data can help build relationships between your business and your customers. Email addresses and names can be stored in a Customer Relationship Management (CRM) system, such as Zoho, HubSpot, or Salesforce. You can also keep track of orders, interactions, and other details to help improve the relationship. If these contacts have consented to be contacted, they can be emailed regularly to keep them engaged with your team.
Reputation
Some businesses lose customers when they are found to be selling personal data or tracking people unlawfully, and surveys suggest that as many as 80% of consumers would lose loyalty to a business whose data breach exposed their information. Privacy commitments are still a point of difference when people choose where to spend their money. Be aware, though, that the more loudly you advertise your privacy credentials, the more damaging a breach becomes and the more attractive a target you may be.
Legal and Regulatory Requirements
Regulations like the General Data Protection Regulation (GDPR) and the UK Data Protection Act require businesses to handle personal data responsibly. The Companies Act 2006 also requires accounting records to be kept for a number of years for auditing purposes (six years is the usual retention period once HMRC’s rules are taken into account). There are also various laws around keeping employee records even after staff have left. Non-compliance can lead to fines, legal issues, and operational disruptions, so maintaining and protecting this data is essential.
Improving Business Insights
Personal data helps businesses understand customer behaviour and improve services. Running data analysis on customer behaviour or buying patterns can help manage stock or maintain a high standard of operation. It can also lead to insights that might help your business lobby for change in the world. However, you must have a lawful basis for this kind of analysis and explain it in your privacy policy; where you rely on consent, it must be a clear opt-in rather than something buried in your terms and conditions.
Key Regulations Around Personal Data
For UK businesses, there are a lot of different regulations to abide by when it comes to personal data. This isn’t an exhaustive list of data privacy laws, but it does provide an idea of what to expect.
UK General Data Protection Regulation (UK GDPR)
For businesses in the UK, the main data protection regulation is the UK GDPR. This follows a similar structure to the EU GDPR but applies specifically to the personal data of people in the UK. Failing to follow UK GDPR can result in fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Key Requirements:
- Lawful Basis for Processing: Businesses must have a clear, lawful reason for collecting and processing personal data.
- Data Minimisation and Accuracy: Collect only necessary data and keep it accurate and up-to-date.
- Transparency and Consent: Businesses must inform individuals how their data will be used and, where consent is the lawful basis relied on, obtain it clearly.
- Data Subject Rights: Individuals have the right to access, correct, delete, or transfer their data.
- Security and Breach Notification: Businesses must implement security measures to protect data and report certain breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. Where a breach poses a high risk to the people affected, they must be told as well.
Data Protection Act 2018
The Data Protection Act 2018 works in conjunction with the UK GDPR to form the primary data protection framework in the UK. As with the UK GDPR, failure to comply with the Data Protection Act results in fines of £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Key Requirements:
- Compliance with UK GDPR Principles: Reinforces the data protection principles of the UK GDPR.
- Processing Sensitive Data: Sets stricter controls on handling sensitive personal data, such as health or biometric data.
- Exemptions and Special Provisions: Provides specific rules for areas such as journalism, research, and law enforcement.
Privacy and Electronic Communications Regulations (PECR) 2003
The PECR works alongside the UK GDPR to regulate electronic communications, covering marketing and tracking via digital methods such as emails, cookies, and SMS.
Key Requirements:
- Consent for Marketing Communications: Businesses must obtain explicit consent before sending marketing messages to individuals via email, SMS, or automated calls. The one exception is the “soft opt-in” for existing customers: you obtained their details during a sale or negotiation, you are marketing your own similar products or services, and you offered an opt-out when you collected the details and in every message since.
- Cookie Consent: Websites must inform users of cookies and gain consent before setting most cookies.
- Telephone Marketing Rules: Sets rules for telemarketing, including compliance with the Telephone Preference Service (TPS) to respect individuals who have opted out.
Children’s Code (Age Appropriate Design Code)
The Children’s Code, created by the ICO, outlines additional data protection requirements for online services likely to be accessed by children under 18. The code is not a law in itself, but the ICO uses it when enforcing the UK GDPR, so breaking it can also see fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Key Requirements:
- High Privacy Settings by Default: User privacy settings must default to high for children.
- Transparency: Information about data use must be clear and understandable to children.
- Limiting Data Collection and Profiling: Only collect data needed for service use, with strict limits on data profiling of children.
International Laws
If you are trading internationally, there are a whole range of data privacy laws to keep in mind. The most famous and stringent is the EU’s General Data Protection Regulation (GDPR), which covers anyone in the EU, not only EU citizens. In the US market, general data protection varies by state, the best-known example being the California Consumer Privacy Act (CCPA). Some US rules are federal but sector-specific, such as the Children’s Online Privacy Protection Rule (COPPA) for children’s data collected online and the Health Insurance Portability and Accountability Act (HIPAA) for health information. You must check the data laws in each country you are launching your business in to avoid putting your business at risk of large fines and sanctions.
Best Practices for Managing Personal Data
When managing personal data, there are many best practices to abide by.
Think Privacy By Design
Privacy by Design is a proactive approach to data protection. It ensures privacy is considered and built into systems, processes, and products from the very start. Rather than addressing privacy concerns after data has been collected or a system has been implemented, Privacy by Design embeds privacy measures into the development process itself. The UK GDPR makes this a legal duty under the name “data protection by design and by default”, and requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to be high risk. When building businesses and platforms, consider the privacy risks attached to each part and test for them from the start.
Understand What Data You Are Collecting and Why
If you are a business with customers, personal data is stored somewhere. You might collect data through lead capture forms, or your customer service team might upload customer data onto a CRM. It might be stored locally on computers and mobile phones, in the cloud, or on various software.
Make a list of all the personal data collection methods to see where data enters your systems. You should also check whether your data collection is creating duplicate records, as this can make honouring your data privacy commitments almost impossible.
Create another list of all personal data you collect, such as the names, numbers, etc. We recommend creating a spreadsheet with Types of Data in column A, and the software/devices you use across the top row. Then, mark out what software stores what data. You should ask your staff what software they store data in. Look at how many software packages you use to store data, and see if there are any ways to streamline your data storage. If multiple departments use different CRMs, could you find one everyone agrees on?
Finally, mark out a column at the end for “Why?”. Write a reason for each item of data. If you can’t think of a good reason for storing it, consider deleting it. This spreadsheet is also the starting point for the record of processing activities that the UK GDPR requires most organisations to keep.
Check Processes for Data Requests
Subject Access Requests (SARs) and erasure requests are central to most data protection laws around the world. People have a right to transparency, meaning they can ask to see what information you hold about them. They also have the right to be forgotten, in other words, to have their data deleted from your company’s systems. Under the UK GDPR you normally have one month to respond. Create a workflow for each step that needs to happen when one of these requests comes in. You will need to work through the list of places where you store data and check every single one of them to export or delete that person’s records, which is why streamlining your data inputs and storage is so important. Note that the right to erasure is not absolute: records you are legally obliged to keep, such as invoices, can be retained, but you should tell the requester what you kept and why.
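The inventory spreadsheet from the previous section and the request workflow described here fit together: the inventory tells you which systems to visit, and the SAR or erasure workflow visits every one of them. The script below is an added example written for this page, not code from the article or from any CRM product. It models the inventory as rows of (data type, system, purpose), flags data with no recorded purpose and data duplicated across systems, and then runs a subject access request and an erasure request across a set of constructed in-memory stand-in systems, keeping (and reporting) any fields under a retention duty. All systems, records, names and retention reasons are invented for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InventoryRow:
    """One row of the inventory spreadsheet: what data, where it lives, and why."""
    data_type: str
    system: str
    purpose: str  # empty string means nobody could say why it is kept


# Constructed inventory for a hypothetical small online shop (not real data).
INVENTORY = [
    InventoryRow("name", "crm", "contact customers about orders"),
    InventoryRow("email", "crm", "contact customers about orders"),
    InventoryRow("phone", "crm", "call customers back about orders"),
    InventoryRow("date_of_birth", "crm", ""),  # collected, but no one knows why
    InventoryRow("email", "newsletter", "marketing, with consent"),
    InventoryRow("name", "accounts", "invoices kept for tax law"),
    InventoryRow("bank_details", "accounts", "invoices kept for tax law"),
    InventoryRow("phone", "helpdesk", "call customers back about tickets"),
]


def unjustified_rows(inventory):
    """Rows with no stated purpose: candidates for deletion (data minimisation)."""
    return [row for row in inventory if not row.purpose.strip()]


def duplicated_types(inventory):
    """Data types held in more than one system. Every extra copy is one more
    place a subject access or erasure request has to reach."""
    where = {}
    for row in inventory:
        where.setdefault(row.data_type, set()).add(row.system)
    return {t: sorted(systems) for t, systems in where.items() if len(systems) > 1}


@dataclass
class System:
    """Stand-in for a CRM, mailing tool, etc.: records keyed by subject email."""
    name: str
    records: dict = field(default_factory=dict)
    retained_fields: frozenset = frozenset()  # fields under a legal retention duty
    retention_reason: str = ""


def build_systems():
    """Fresh constructed systems holding data on one hypothetical customer."""
    ana = "ana@example.com"
    return {
        "crm": System("crm", {ana: {"name": "Ana", "email": ana,
                                    "phone": "01234 567890",
                                    "date_of_birth": "1990-01-01"}}),
        "newsletter": System("newsletter", {ana: {"email": ana}}),
        "accounts": System("accounts",
                           {ana: {"name": "Ana", "bank_details": "12-34-56 00112233"}},
                           frozenset({"name", "bank_details"}),
                           "invoices kept for six years under tax rules"),
        "helpdesk": System("helpdesk"),
    }


def subject_access(systems, subject_id):
    """Subject access request: everything held on one person, per system."""
    return {name: dict(s.records[subject_id])
            for name, s in systems.items() if subject_id in s.records}


def erase(systems, subject_id):
    """Erasure request: delete from every system, but keep fields under a
    retention duty and say so in the report, since the right is not absolute."""
    report = {}
    for name, s in systems.items():
        record = s.records.get(subject_id)
        if record is None:
            continue
        kept = {f: v for f, v in record.items() if f in s.retained_fields}
        deleted = sorted(set(record) - set(kept))
        if kept:
            s.records[subject_id] = kept
        else:
            del s.records[subject_id]
        report[name] = {"deleted": deleted, "retained": sorted(kept),
                        "reason": s.retention_reason if kept else ""}
    return report


if __name__ == "__main__":
    for row in unjustified_rows(INVENTORY):
        print(f"no purpose recorded for {row.data_type} in {row.system}: consider deleting it")
    print("stored in more than one place:", duplicated_types(INVENTORY))
    systems = build_systems()
    print("SAR:", subject_access(systems, "ana@example.com"))
    print("erasure:", erase(systems, "ana@example.com"))
    print("left after erasure:", subject_access(systems, "ana@example.com"))
```

The erasure report is the piece worth keeping in a real workflow: it is what you send back to the requester, and it is your evidence that every system in the inventory was checked, including the ones that kept data for a legal reason.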
Store Data Securely
As mentioned, failure to protect data can result in hefty fines and broken reputations, leading to ongoing sales losses. Use strong encryption for sensitive information, both where it is stored and when it is sent, and store physical records in locked, access-controlled locations. Regularly update your cybersecurity measures, including firewalls and antivirus software, and keep operating systems and applications patched, to protect against unauthorised access or breaches.
If you use third-party providers for cloud storage, payment processing or similar services, verify that they comply with data protection standards. You can do this by contacting the vendor directly or checking their website. The UK GDPR requires a written contract with any vendor that processes personal data on your behalf, usually called a Data Processing Agreement (DPA), which sets out the vendor’s responsibilities as a data processor and yours as a data controller.
Conduct regular audits or request certifications (ISO 27001 or a SOC 2 report, for example) to confirm that vendors meet your security and privacy requirements. Laws evolve and software companies change their practices, so keep monitoring to ensure your vendors continue to perform to your standards.
Train Your Team
Personal information protection isn’t just an IT issue—it’s a business-wide responsibility. By providing regular training, you ensure that all employees understand the importance of data security and their role in protecting personal information. Training should cover topics such as identifying phishing attempts, managing passwords, and handling data breaches, as well as understanding the importance of data privacy and GDPR. All employees should know how to recognise a potential data breach and the importance of reporting it immediately. Provide a clear process for reporting incidents, including who to contact and what information to provide. Early reporting helps your organisation contain the breach and take swift action to minimise its impact. Cyber Essentials is a great starting point.
Implement and Review Access Control
Access control is essential to protecting personal data. It ensures that sensitive information is only available to authorised individuals who need it to perform their roles. Most software platforms offer access control, so you can name a small number of super admins, each of whom should be a trusted team member such as a member of senior management. Other staff should be given enough access to do their job, but not the freedom to reach all data. If an attacker compromises one account, they then get only that account’s access rather than everything. Additionally, some data breaches come from accidents or malicious insiders rather than an external party. Access control limits what a rogue staff member can steal and what a careless one can leak.
For remote employees, ensure access to sensitive data is controlled through secure connections, such as Virtual Private Networks (VPNs), protected by multi-factor authentication. Additionally, third-party vendors or contractors should have access limited to the specific services they provide.
Use temporary or project-specific accounts with clearly defined expiration dates, ensuring access is automatically revoked once it’s no longer required.
Access control doesn’t stop at software; consider physical access within the office too. Lock down server rooms and keep printed personal information, such as financial records, in locked cupboards or filing cabinets. Only give access to those who work on those areas of the business.
Finally, ensure there is an offboarding process for employees who are exiting the business or changing roles. Shut down access to any accounts and services they no longer need, and review physical access. Ensure all staff are aware that the access has changed.
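The access-control practices above (a small number of super admins, least-privilege roles for everyone else, expiring access for contractors and project work, and a single offboarding step that revokes everything) can be expressed in a few dozen lines. The following is an added example written for this page, not code from the article or from any real product; the roles, resources, users and the two-admin cap are all constructed for the illustration. Every decision is written to an audit log, and access is denied unless an unexpired role explicitly grants it.

```python
from datetime import datetime, timedelta, timezone

# Constructed roles for a hypothetical small business. Each role carries only
# the (resource, action) pairs that job needs; "admin" is the super-admin role.
RESOURCES = ("crm", "helpdesk", "accounts")
ROLES = {
    "sales": {("crm", "read"), ("crm", "write")},
    "support": {("crm", "read"), ("helpdesk", "read"), ("helpdesk", "write")},
    "finance": {("accounts", "read"), ("accounts", "write")},
    "admin": {(r, a) for r in RESOURCES for a in ("read", "write", "export")},
}


class AccessControl:
    """Role-based access with time-boxed grants, an admin cap and offboarding."""

    def __init__(self, max_admins=2):
        self.max_admins = max_admins
        self.grants = {}   # user -> [(role, expires_at or None), ...]
        self.log = []      # audit trail of every access decision

    def grant(self, user, role, now, expires_in=None):
        """Give a user a role. Contractors and project staff get expires_in so
        the access lapses by itself; nobody has to remember to remove it."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role == "admin" and len(self.admins(now)) >= self.max_admins:
            raise PermissionError("super-admin cap reached; keep admins to a trusted few")
        expires_at = now + expires_in if expires_in is not None else None
        self.grants.setdefault(user, []).append((role, expires_at))

    def active_roles(self, user, now):
        """Roles whose grant has not expired at time `now`."""
        return {role for role, exp in self.grants.get(user, [])
                if exp is None or exp > now}

    def admins(self, now):
        """Users who currently hold the super-admin role."""
        return sorted(u for u in self.grants if "admin" in self.active_roles(u, now))

    def check(self, user, resource, action, now):
        """Deny by default: allow only if an active role carries the permission."""
        allowed = any((resource, action) in ROLES[r]
                      for r in self.active_roles(user, now))
        self.log.append((now.isoformat(), user, resource, action,
                         "allow" if allowed else "deny"))
        return allowed

    def offboard(self, user):
        """Leaver or role change: drop every grant at once and return what was
        removed, so the same list can drive revocation of badges and vendor logins."""
        removed = self.grants.pop(user, [])
        return sorted({role for role, _ in removed})


if __name__ == "__main__":
    ac = AccessControl(max_admins=2)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ac.grant("alice", "admin", t0)                                   # trusted senior manager
    ac.grant("bob", "sales", t0)                                     # ordinary staff
    ac.grant("carol", "finance", t0, expires_in=timedelta(days=30))  # contractor
    print("bob writes crm:", ac.check("bob", "crm", "write", t0))
    print("bob reads accounts:", ac.check("bob", "accounts", "read", t0))
    print("carol, day 31:", ac.check("carol", "accounts", "read", t0 + timedelta(days=31)))
    print("bob offboarded, roles removed:", ac.offboard("bob"))
    print("bob after offboarding:", ac.check("bob", "crm", "read", t0))
    for entry in ac.log:
        print(entry)
```

The two details that matter most in practice are the expiry check in `active_roles`, which makes a forgotten contractor account harmless once its date passes, and `offboard` returning the list of revoked roles, which gives the person running the leaver process a checklist for the physical and third-party access that this code cannot revoke itself.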
Conclusion
Personal data is a valuable resource, but it comes with significant responsibilities. Adhering to offline and online data privacy best practices can help businesses reduce the risk of heavy fines, lost customers and disruption to operations. By adopting best practices such as secure storage, access control, and regular training, your business can handle personal data confidently and responsibly. Take the time to review your current processes and address any gaps. If you’re unsure where to start, seek professional advice to ensure your data practices meet regulatory standards and support your business’s growth.