Skip to main content
We’re here with practical IT information for your business. Access comprehensive IT resources and more.

Search

How to choose the right computer equipment for your business to increase your productivity and efficiency without it costing the earth.

Business software helps you complete a range of tasks. Choose the right software, provide support and train your staff with our introduction.

It is highly likely that you depend on the internet for some aspects of your business. Find out how you can use the internet more effectively.

Good communication with customers, partners and suppliers is vital for business success. This summary explores business communication methods.

How would you cope if your IT system failed or was breached? We cover the main IT security issues and how to protect against them.

Good IT management can help you choose, use and implement IT. Our overview helps you manage IT in a way that maximises the return on your investment.

IT support is vital if you rely on your IT system. But how can you set up an effective safety net in case things go wrong? We explore the options.

Getting the right IT is just the first step. Appropriate training, policies and working practices can help you maximise return on your IT investment.

Data protection: your obligations

The EU General Data Protection Regulation (GDPR) lays down strict rules about collecting, storing and using personal information about customers and staff. Failure to follow the rules could mean a fine of up to 4% of your annual global turnover or €20m, whichever is greater. Here, we look at your obligations

Personal data refers to any information you have about your customers and staff - from address details to opinions about your products and services. In essence, it is any data from which an individual can be identified and, under the GDPR, includes a wider array of information than before, including online identifiers like IP addresses and even some pseudonymised data. Whatever you use personal data for, you must comply with the GDPR, which attempts to protect the privacy of individuals while enabling businesses and other organisations to operate effectively.

"It's important to ensure that an individual's privacy is protected as soon as their information is received," says Peter Driscoll, ex chair of the National Association of Data Protection Officers. "And you must only use the information for the purposes you said you would use it for. If you tell someone their information will be used to pay their account, you should not use it for market research."

Basic data protection requirements

Any data you gather must be accurate, kept up to date and deleted (or otherwise disposed of) when you no longer need it. If it is sensitive information (called 'special category data' in the GDPR) that relates to ethnic origin, trade union membership, personal beliefs, biometric ID information, genetics, health and so on, you must comply with stricter requirements to use it.

The requirement to notify the Information Commissioner's Office (ICO) of your processing no longer applies under the GDPR, but many organisations using personal data will still be required to pay a fee to the ICO.

"The collection and use of personal information has to be 'fair'," explains ICO spokesman Phil Jones. The GDPR requires that personal data is:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specified, explicit and legitimate purposes and not further used in any way that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary for the purpose(s) it is used;
  • Accurate and kept up-to-date;
  • Retained for no longer than necessary in light of the purpose(s) for which it was originally collected; and
  • Used in a secure manner, protected against accidental loss, destruction or damage, and against unauthorised or unlawful processing.

The GDPR requires some organisations to appoint a data protection officer (DPO). Even if your organisation is not legally required to appoint one, a DPO can be very helpful in ensuring that you comply correctly with your obligations.

DPOs can be appointed internally, or the work can be contracted out. The job of a DPO is to monitor your organisation's compliance with the GDPR, ensuring that everyone is informed of the relevant obligations under the law and, in particular, advising on the use of personal data, for example, in new projects.

DPOs must be independent and their other duties (if any) should not conflict with their post as DPO. DPOs report only to the highest management level within an organisation.

Data security

Any personal information you store on computers or in paper files must only be accessible by people with permission to see it. You cannot pass it to other organisations unless you have permission or a just cause, such as giving staff details to a payroll bureau. The transfer of personal data to others for any kind of processing must also be governed by a contract.

"I would recommend you seek advice from an expert," advises Driscoll. "But there are some things you can do yourself, such as set up passwords for each computer user in your firm, and password-protect files that contain sensitive information."

Paper files are also covered by the GDPR and should be kept under lock and key or stored securely off site. You should also make sure your staff know they must not discuss information about customers with people who are not allowed to access it.

In addition to having policies and procedures in place, it may be worth considering training and other methods of raising awareness of data protection for relevant staff. If you have a DPO, this should be one of their responsibilities.

Staff and customers' data rights

Individuals have a number of rights under the GDPR. They must be informed about your use of their data - what you do with it, how long it will be retained, who it will be shared with, and soon. Other key rights include the right to have incorrect data corrected and rights to object to or restrict your processing of personal data (eg to prevent direct marketing).

Customers and other individuals have the right to see any information you hold about them. Most requests must be handled free-of-charge (particularly onerous or repetitive ones may be charged for in some cases, but only to cover the actual costs incurred) and you are required to respond within one month in most cases.

Staff, too, are allowed to view their personal files, including documents relating to disciplinary matters. You are not allowed to pass information about an employee to anyone unless you have their consent. If either customers or staff feel you are in breach of the GDPR, they can complain to the ICO.

Stay up-to-date with business advice and news

Sign up to this lively and colourful newsletter for new and more established small businesses.

Contact us

Make an enquiry