With the risk of enormous fines if you get it wrong, data protection law demands respect and it needs to be carefully complied with by all organisations, whether big or small and whether in the business or voluntary sectors.
The first thing to do is to register with the ICO (Information Commissioner’s Office). Any organisation will be handling personal data of some sort or another (and these days rarely will none of it be on any computer or other electronic device), because of the wider definition of personal data that applies under the GDPR (the EU’s General Data Protection Regulation). So effectively all organisations need to register with the ICO. There are no general exemptions for charities or small organisations.
A small annual fee is worth paying in order to comply. Once you have registered, you are at least showing an intention to respect the law on handling data, and any fine for breach of data protection laws should therefore be smaller.
How can we help you with data protection?
Once you have registered with the ICO, then you need to look at the practical issues for your business of data protection compliance. These include:
- having a privacy policy in place which is up-to-date and complies with the GDPR
- training your staff on awareness and how to comply
- putting internal procedures in place that comply, for example a data protection policy in your HR handbook
- putting data protection terms in your contracts, including your terms and conditions of trade (or cross-referencing your privacy policy)
- if you ever sell your business or buy another business, then you will need to check on the right to transfer personal data to the buyer . This includes data relating to your customers and employees. (NB this does not apply on a share sale of a company.)
- ensuring any third parties that handle or host your organisation’s personal data are contracted to comply with the GDPR in doing so
The work of our Data Protection team
We advise all sorts of businesses and charities on compliance with data protection laws, including:
- Supplying numerous businesses with GDPR-compliant privacy policies
- Assisting on ICO registration queries
- Advising on data protection rules as they apply to marketing
- Amending existing contracts to include GDPR-compliance clauses